5 questions to ask when evaluating a virtual CISO

What are your milestones and your motivations to achieve them?

The decision to outsource security usually only comes after it is clear that an on-campus solution is not feasible or cost effective. Suppose the virtual CISO will need to redesign your security operations center (SOC). Ask for a project plan, along with milestones and incentives to ensure it is progressing and not becoming a secondary priority.

How will you assume risk and liability?

Being a CISO is easy if the worst thing that can happen is you get fired. Contractors need to have more skin in the game. Virtual CISOs are usually hired as part of a risk mitigation plan. Without some transfer of risk to the outsourcer, your interests will not be aligned, so make sure the virtual CISO is truly invested.

What will the IT team still be responsible for?

A virtual CISO should be upfront and realistic about the tasks that will always fall on campus team members, such as periodic risk assessments, risk appetite exercises, and information asset categorization. Without a real partnership in these areas, you will be inundated with alerts. Beware of the virtual CISO who promises to handle absolutely everything.

What are the first steps to follow during a serious cyber incident?

There is no single right answer here, but the virtual CISO should be aware of the many moving parts in a higher education environment and how a textbook incident response plan can be tailored to accommodate them. If the CISO doesn’t mention the Family Educational Rights and Privacy Act (FERPA), for example, it’s time to look elsewhere.

How will SaaS products fit into your security plans?

Properly integrating Software-as-a-Service security alerts into an on-campus SOC is always a moving target in the security industry. Find out if your potential virtual CISO has a technically sound answer on how to receive and process this information. Look for someone who understands the difficulty and has a realistic approach to solving it.