4 minute read 22 Sep 2021
EY how ciso as a service can make your it security more efficient

How CISO-as-a-Service can make your IT security more efficient?

By Philip Sandahl Johansen

Cybersecurity advisor, Technology Consulting, EY Godkendt Revisionspartnerselskab

Solution-oriented cyber consultant with focus on technical and organizational information security, supporting clients in both the private and public sector.

4 minute read 22 Sep 2021
Related topics Consulting Cybersecurity

With cyberattacks on the rise, CISO-as-a-Service offers flexible and competent solution for small and midsized companies.

In brief

  • The frequency and severity of cyberattacks and security breaches are increasing, as our society is becoming more and more digital. 
  • With EY CISO-as-a-Service, it becomes possible also for small and midsize companies to prioritize and execute IT security initiatives, without hiring a full-time resource.  
  • CISO-as-a-Service provides the right competencies when needed, as it allows for the client to tab into EY´s different cybersecurity experts, however always with the same coordination point.

As technologies continue to grow more complex in a digital work environment, how can small and midsized companies prioritize sufficient time and competencies on their IT security? Can the possibility of having a chief information security officer (CISO) on retainer be the effective way of safeguarding and managing IT security? 

CISO-as-a-Service (CISOaaS) involves outsourcing the IT security leadership responsibilities to a third-party provider. During the past  12 months, the demand for hiring a third-party provider to support implementing an IT security strategy has been growing significantly. With cyberattacks on the rise, it has now become more evident that IT security should be centered at the core of any business strategy. Therefore, CISOaaS might just be the needed solution for small and midsized companies, with a limited IT organization, competence or need. 

Why do businesses need CISOaaS as a transformative enabler? 

When the COVID-19 pandemic hit, we could talk about two types of organizations. Firstly there were those that already had a pragmatic and adoptable IT security work in place. Secondly there were those who had to adopt IT security as part of the new reality and get it to be a more central piece of their risk strategy. It is safe to say that in many cases, the level of IT security made the difference between the frontrunners and the rest during the pandemic. That being said, outsourced CISOs undertook a critical role in bridging sound business with IT security for those who didn’t have this.  

As all work environments are becoming increasingly digital, organizations willing to achieve sustainable long-term value need to align IT security with their growth initiatives instead of keeping them separate.  

Managing IT systems with internal resources can suffer from mis-prioritizing business needs, as it is wrongly believed that information security can incur more costs on something whose impact is not visible right away. This leads to another problem — wrongly prioritizing innovation and transformation to the disadvantage of safeguarding information security.  

The EY Global Information Security Survey revealed that only 36% of organizations incorporate IT security in the early stages of a new business initiative. Also, 77% of spending is focused on defensive information security and compliance rather than proactive measures and opportunities to support transformative growth. Instead, companies need to place information security within every transformation initiative and innovation within the IT security strategy. Investing in information security makes an organization resilient to disruptive change in the long run.  

However, leaving IT security only on the shoulders of the IT department or a more experienced employee can be limited to only focusing on the technical aspects of information security or only reacting to cyberattacks if they occur. Hence, the added value of an outsourced CISO resides not only in the proactive and holistic implementation of information security strategy, but also consequent development of a cyber-aware culture, thus helping avoid cyber incidents or minimizing their impact if they occur. Therefore, some of the aspects that an outsourced CISO brings new to the table are as follows: 

  • It will bring a holistic and proactive approach to implementing information security in your organization, ensuring short- and long-term benefits for strengthening in-house cyber awareness and skillset. 
  • Flexibility: you get tailored services for your exact needs (pay-as-you-consume). 
  • You can also leverage unbiased expert insights. 
  • Risk thinking and relevant competence: you will get the ability to think ahead and identify both risks and opportunities in new technological trends, such as surveillance, digital payments, cloud technology, etc.  
  • Experience: the outsourced CISO is most likely to have had a diverse experience in this role with different organizations and can thus implement an inter-disciplinary and holistic approach.

EY CISOaaS as a co-creator of cyber resilience and innovation 

EY CISOaaS expand upon the traditional approach to the Chief Information Security Officer. We firmly believe that IT security should align with the business vision to enable innovation and transformation in a disruptive world. At EY, our new-age CISO service offering is defined by seven main characteristics:  

  1. Security by design: ensure that information security is activated throughout all organizational levels and is aligned with the risk strategy and the business mission, right from the planning stage of any new business initiative.  
  2. Resource optimization: information security is aligned with financial goals and strategies to achieve higher returns in the face of change.  
  3. Leading-edge security: develop incident response plan on top of preventive measures to adapt to the new risk landscape, adopting zero trust architecture to critical data.  
  4. Next-generation threats: monitor new technological trends, such as cloud technology, surveillance, digital payments, new regulatory requirements and adapt security systems, including Identity Access Management given new risks.  
  5. Human-centered transformation: bridge IT, business and people to mitigate insider risk and strengthen the incident response.  
  6. Skillset development: conduct education and awareness programs, as well as regular monitoring, testing and reporting of day-to-day security staff behavior to ensure the correct execution of the security plan. 
  7. Long-term vision: ensure knowledge sharing after the end of partnership to ensure a seamless management transition from temporary to a permanent CISO.


To be a business leader in a disruptive world means to constantly adapt to the ever-changing risk landscape. However, it is not enough to only withstand cyber threats but to thrive in uncertainty.  

EY CISOaaS expand upon the traditional approach to the Chief Information Security Officer and makes it possible for also small and midsize companies to prioritize and execute on security.

About this article

By Philip Sandahl Johansen

Cybersecurity advisor, Technology Consulting, EY Godkendt Revisionspartnerselskab

Solution-oriented cyber consultant with focus on technical and organizational information security, supporting clients in both the private and public sector.