Is this real life?
To:Brew Readers
IT Brew // Morning Brew // Update
What to look for in a “vCISO.”

It’s Monday! Is your company doing Secret Santa? Protect the process by encrypting communications and enforcing multi-factor authentication. No one’s stealing Christmas on your watch this year.

In today’s edition:

V is for CISO

SSO hot right now

Loss and found

—Tom McKay, Billy Hurley, Patrick Lucas Austin

CYBERSECURITY

They go by many names: virtual CISO (vCISO), fractional CISO, and CISO-as-a-service (CISOaaS).

At the end of the day, though, all these acronyms refer to the same thing: A worker or team—usually a contractor, but sometimes an internal officer, like a CIO—performing a CISO’s role on what’s typically a part-time basis.

It’s potentially a budget-friendly option for organizations looking to up their cybersecurity game while avoiding the cost of a full-time executive. Estimates of the average CISO salary vary, but tend to be in the hundreds of thousands of dollars.

A vCISO can save money, but there’s the potential risk of insufficient services that fail to meet an organization’s needs. To help understand the pros and cons, IT Brew interviewed experts on when to hire a vCISO, how to pick the right one, and what to avoid.

When to get one

Ben de la Salle, the director of UK-based CISOaaS firm ICA Consultancy, told IT Brew via email that organizations that provide online services, control personal data, or rely a great deal on intellectual property “should engage some level of security advice that goes above and beyond technical controls.”

Read the rest here.—TM

IT STRATEGY

A single sign-on (SSO) implementation wouldn’t be something that Lenny Zeltser necessarily recommends for a CISO just starting the job, even though that’s just what he did when he began as Axonius’s chief information security officer about five years ago.

The implementation of SSO, which Gartner defines as the ability “to authenticate once, and be subsequently and automatically authenticated when accessing various target systems,” has plenty of chances to exhaust an IT staff—for one, finding all the applications in your company.

To ease challenges, Zeltser recommends implementing SSO in phases—a strategy that can lead to early wins. One first step, he says, is seeing which tools already provide SSO options.

“There’s probably several apps that can provide single sign-on. You just need to configure it and integrate it with your single sign-on provider when you do it for just even a handful of apps. Now everybody loves you. Why? Because now employees have fewer passwords to remember,” Zeltser told IT Brew.

Read more here.—BH

CYBERSECURITY

Sitting on troves of sensitive data? It’s not enough to just protect against external attackers—insider threats, configuration mistakes, human error, and data-scraping apps can all result in that information ending up where it shouldn’t.

Data loss prevention (DLP) refers to the tools and processes that organizations use to ensure information stays within its intended guardrails at potential egress points. That could mean ensuring that sensitive or protected data is only accessible to authorized parties, or isn’t inadvertently mixed into other data sets—or it could mean preventing a user from copying proprietary information onto a USB drive, or sending it to an external party via email.

DLP software is important for compliance with regulations concerning personal, health, and financial data, as well as shielding intellectual property. It also helps IT and compliance staff gain insight into how data circulates through organizations. To operate properly, DLP tools need to be able to classify, monitor, and control data, as well as cover all the places it could be stored or transmitted. Today, that doesn’t just mean endpoints and networks, but SaaS and the cloud.

For example, DLP software might intervene and prohibit a user from copying strings of protected data from one file to an unauthorized destination. To do so, DLP software must be able to hook into operating systems, network monitoring tools, and other software. While some vendors rely on distributed computation to handle the associated workloads, others offer cloud-based tools.

Keep reading here.—TM

PATCH NOTES

Today’s top IT reads.

Stat: 65%. That’s the proportion of employees who admitted to breaking cybersecurity policies, according to a CyberArk survey of just over 14,000 global employees. (Forbes)

Quote: “I would love to do a side-by-side comparison of Microsoft’s own models and our models any day, any time.”—Google and Alphabet CEO Sundar Pichai, speaking at the New York Times’ DealBook summit last week (Business Insider)

Read: As powerful companies look to host their data centers in densely populated areas, some residents are pushing back. (Associated Press)

Copyright © 2025 Morning Brew Inc. All rights reserved.