What is a virtual CISO?

November 9, 2020  |  Nick Cavalancia

This blog was written by a third party author.

Organizations today host a wide range of information that, due to its external value to competitors, nation-states, or cybercriminals, needs to be properly protected. The role of a Chief Information Security Officer (CISO) is to establish and maintain the organizational strategy and execution to protect its sensitive and valuable information assets and surrounding technologies.

But many organizations, while having data that needs protecting, choose to utilize a virtual CISO (vCISO) to address the needs of the CISO role rather than hire one internally.

What is a virtual Chief Information Security Officer?

The vCISO is a security practitioner who uses the culmination of their years of cybersecurity and industry experience to help organizations with developing and managing the implementation of the organization’s information security program. At a high level, vCISOs help to architect the organization’s security strategy, with some helping to also manage its implementation. Internal security staff may still exist, either reporting to or working with the vCISO and their team to execute an impactful security program. Additionally, the vCISO is usually expected to be able to present the organization’s state of information security to the organization’s board, executive team, auditors, or regulators.

vCISOs can provide value to organizations by helping with a number of aspects of the overall information security program, including:

  • Information security planning and management activities
  • Organizational and management structure
  • Initiatives affecting information practices
  • Security risk management activities
  • Evaluation of third parties with access to organizational data
  • Coordination of audits by regulators or customers

Why are vCISOs becoming more popular?

The idea of a virtual CISO has grown in demand with organizations for a number of reasons:

  1. CISOs are in demand – Cybersecurity has moved to the forefront of organizational concern. With the rise in cyberattacks, data breaches, and attack sophistication, and with attackers focused on an organization’s information, organizations wanting to put a comprehensive set of controls and technologies in place need a CISO. A vCISO allows an organization to quickly fill the CISO role without needing to go through the hiring process.
  2. CISOs are expensive – According to salary.com, the average CISO costs over $200,000 a year. While nearly every organization needs a CISO, not every one of them can afford one. A vCISO allows organizations to avoid the expense of employing one in-house full-time, only paying for the services and time used.
  3. vCISOs can be more experienced – A vCISO has implemented information security programs for many clients in a diverse set of industries and sizes, giving them a broad range of expertise that can be applied to your organization.
  4. vCISOs can be anywhere – Rather than needing to hire someone locally (which limits your options) or to help pay for a candidate to relocate, the vCISO works as a consultant from just about anywhere, giving the organization exposure to more potential candidates.
  5. vCISOs are a consumption-based option – While not every vCISO works the same, this is a contractor who will perform the tasks based on an agreed upon scope of work. So, you’re paying for the services you want from them.

Use Cases for a vCISO

The choice of a vCISO versus a full-time CISO may still be unclear. So, allow me to provide a list of a few possible use cases for when a vCISO may be a great choice:

  • Bridging and Hiring a New Full-Time CISO – The departure of a business’s existing CISO may be untimely with regard to current security initiatives. A seasoned vCISO can come in, provide value in reviewing the current cybersecurity strategy, and help recruit, select, and transition to a full-time CISO.
  • Developing a Mature Cybersecurity Program for a Smaller Organization – When a full-time CISO is too costly for an SMB, a vCISO works part time to provide enterprise-caliber expertise to craft a security program that the organization would otherwise not be capable of developing.
  • Creating a Compliance Program – Organizations with or without a current CISO may not have the expertise on a specific compliance mandate and how it translates to creating policy and process to secure protected information. A vCISO that specializes in a given compliance regulation can assist in developing a strategy and execution plan that meets the specific mandates – think PCI DSS experts helping retail businesses or a HIPAA savant supporting a healthcare org.
  • Re-aligning Cyber Spend – Whatever the organization was doing 6 months ago to protect against cyber risk is likely not as effective today. A vCISO can help organizations of every size by taking a look at the current budget and how it’s spent, and by identifying ways to spend it more effectively and efficiently to create a more secure stance.

Who should consider hiring a virtual CISO?

Let’s walk through a few reasons that may provide some guidance as to whether a vCISO is a good fit:

  • The Org Has Sensitive Information – This is pretty much every organization today, regardless of size, industry, etc. The question at hand is whether the organization is serious enough about protecting that data (and the organization) to hire an expert to help develop and put in place a program that keeps valuable data safe and secure.
  • The Org Has a Limited Budget – Organizations that are limited in budget should be considering a vCISO. The cost of a vCISO is estimated to be between 30% and 40% of a full-time CISO.
  • The Org Has Specific Information Security Needs – It’s possible that the intent isn’t to fully utilize a CISO, but instead to address a few specific tasks. These include defining needed security policies, helping to classify data, addressing procedures and policies to meet compliance objectives, performing a risk assessment, and more. When the focus isn’t to fully develop and implement an information security program, but instead some subset of it, a vCISO is the perfect choice.
  • The Org Requires Specific Skill Sets – Not every CISO has the same set of experiences, expertise, industry institutional knowledge, etc. This makes finding just the right CISO to hire full time difficult. vCISOs – particularly when part of a larger consultancy organization – either have the experience themselves to address your specific needs or work as part of a larger consulting team that, combined, has the needed skills and experience.

CISO vs vCISO: Which one should you choose?

Let’s start with one foundational truth: if you have valuable and sensitive information within your environment, you need some form of information security program in place. And that means you need someone at the helm driving the program forward and steering the vision, strategy, and implementation to meet the organization’s information security objectives. The question of whether to hire a CISO or a vCISO really comes down to both the organization’s strategy (e.g., if they want someone long-term who is solely focused on just your organization, a CISO is the right choice) and any constraints (such as a lack of budget).

If you’re not sure which is the right choice, I’d suggest starting with a vCISO to get the groundwork started and see if there is support internally from the executive team or the board for putting a proper information security program in place, and then, if needed, work towards hiring a full-time CISO to complete the work.
