What is a virtual CISO? When and how to hire one

A virtual CISO (vCISO) can bring both strategic and operational leadership on security to companies that can't afford a full-time person in the role.

multiple-exposure image showing virtual connections and software inside and outside a human profile

Chief information security officers (CISOs) are highly sought after, to the point where good ones are expensive and hard to come by. So this is a challenge when more and more organizations, reeling in the wake of CISO-less breaches like Target and the UK’s TalkTalk, recognize the value in having one in place.

Could an on-demand virtual CISO (vCISO) be the answer to your prayers? A vCISO is an outsourced security practitioner or provider who offers their time and insight to an organization on an ongoing basis, usually part-time and remotely.

Entrepreneur Jane Frankland, a CISO advisor and author of InSecurity: Why a Failure to Attract and Retain Women in Cybersecurity is Making Us All Less Safe, summarized this best when speaking to CSO last year, saying a virtual CISO “is someone who has spent years in the industry, has a wealth of experience having dealt with a wide variety of scenarios, and consults on the management of an organization’s information security. They’re usually engaged to design the organization’s security strategy, and some may manage the implementation. Many also present to the board, key stakeholders and regulators.”

Do you need a vCISO?

So far, so good, but cynics will likely point to that big question: Why would you need a vCISO when you could simply hire a real one on a permanent contract? The answer is varied and not necessarily the same for everyone. For starters, well-rated, full-time CISOs can be hard to come by, often stay in their job for two years or less, and critically, especially for smaller businesses, can command six-figure salaries.

In contrast, vCISOs are estimated to cost between 30 percent and 40 percent of a full-time CISO and are available on-demand. The benefits go well beyond cost. Virtual CISOs usually require no training, can hit the ground running, and don’t feel obliged to play nice with office politics. In this model, it’s purely about results, and vCISOs worth their salt will provide reasonable KPIs and reporting.

While different vCISOs offer different skillsets, many should be able to cover myriad tasks, from the tactical to strategic. They could help pull together security policies, guidelines and standards. That could entail anything from coming to grips with HIPAA or PCI compliance, to staying on top of vendor risk assessment. They could also help recruit, set security strategies, procure solutions, remediate incidents, and put foundations in place for ISO 27001 and 9001 compliance. They might also assist with bring-your-own-device (BYOD) policy and enforcement, coaching newly established CISOs, or even managing the board relationship while full-time CISOs “keep the lights on.”

Naturally, this lends itself well to start-ups and growing businesses. Frankland says that vCISOs are the best fit for larger small- to medium-sized businesses (SMBs), for supplementing the existing management team or simply as an interim solution.

vCISO Ben De La Salle agrees that SMBs are usually the biggest benefactors. “Startups and growing businesses are great candidates for the virtual resourcing model,” says De La Salle, who launched ICA Consultancy after leaving as CISO of investment business Old Mutual Wealth last October. “Many of these businesses will have highly capable people with regards to their core business. Where they will require support though, is around understanding their threat landscape, their regulatory requirements, and defining an appropriate strategy and roadmap.”

To continue reading this article register now

The 10 most powerful cybersecurity companies