Hired guns: The rise of the virtual CISO

Aug 05, 2016 | 4 min read
Careers, IT Leadership, Security

When is the right time to rent yourself a CISO?

The enterprise is facing a dangerous combination: mounting cybersecurity threats of increasing subtlety, and a widening gap in the skills required to identify and combat them. Leading the charge in identifying and analyzing threats, creating strategic security plans and ensuring compliance requires the right level of expertise, and that expertise is hard to find.

The Information Systems Security Association has spoken of a “missing generation” in information security, pointing to an estimated 300,000 to 1 million vacant cybersecurity jobs. The labor shortfall is further complicated by turnover: security professionals know they are in demand, and employers can expect their staff to receive offers from other companies. According to a Ponemon study, senior security executives leave after an average of 30 months on the job.

Almost three-fourths of respondents in a 2014 Ponemon report said their organizations do not have enough IT security staff. Enterprises are certainly trying to hire: according to Burning Glass, a labor analytics firm, cybersecurity job postings grew 74 percent from 2007 to 2013. Filling those positions, however, is another story.

Finding the right person to drive enterprise security

According to Cisco’s 2015 Annual Security Report, 91 percent of companies have an executive who is directly responsible for security, but only 29 percent of them have a chief information security officer (CISO). Businesses with a CISO in place recorded the highest levels of confidence in their security stance, both in terms of optimization and clarity.

Many organizations are asking other executives to step into the gap, but those executives often lack the expertise required to outline a solid information security policy and drive it forward. Would you want a podiatrist filling in for a neurosurgeon?

For small- to mid-sized businesses, it may be difficult to justify the expense of a full-time CISO. Recruitment can also be a challenge. How do you find the right fit for your business within your budget when you lack the internal experience to properly evaluate a candidate?

Enter the virtual CISO

For smaller businesses, it simply doesn’t make sense to invest in a full-time CISO when you can hire a virtual one and get the specialty skills you need to draw up a strategic overview and deliver the big picture. With a virtual CISO, there’s no need to worry about benefits or monthly overhead.

Say you’re a larger enterprise. You’re suffering from attrition and need someone to step in on an interim basis. Perhaps you want supervision and advice for a relatively green InfoSec manager, or you want to ensure that you only pay for what you actually need. Renting a CISO could be the answer.

Making the business case for a virtual CISO

There’s no universal standard for hiring a virtual CISO. You can set up a retainer for a certain number of hours, hire someone on a project basis, or buy a block of support hours and use them when you need them. It’s a way of getting the cream of security talent without buying the whole cow.

Contracting a virtual CISO can be far more cost effective than hiring a full-timer. They can fill in where you need it the most, helping your CIO pull together your security policies, guidelines and standards. That could entail anything from coming to grips with HIPAA or PCI compliance to staying on top of vendor risk assessments.

A qualified virtual CISO is fully up to speed on the latest best practices, has experience dealing with a wide variety of scenarios, and is well-positioned to train your internal security staff.

According to Bank Info Security, the typical annual contract rate for a virtual CISO is 35 to 40 percent of the industry salary cost of a full-time information security team performing the same services.

Preventive security vs. post-incident cleanup

Many companies are being forced to spend an ever-increasing proportion of their budget on cleaning up after incidents. A virtual CISO can be invaluable as a firefighter, but don’t wait until a breach occurs; prevention is always better than cure.

Whether you’re looking to get a snapshot of your security posture, you need to fill a temporary gap, or you need a leader to roll out a companywide information security policy, the virtual CISO is a compelling value proposition. Until the new generation of security graduates matures, the virtual CISO may be your best shot at tempering security risks.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She is also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girls’ mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.