Chief Information Security Officers are a relatively rare breed. Information security is, after all, a relatively recent addition to IT, and while most large organizations now profess to having a CISO, CSO or head of information security, many still don't. Indeed, it's often the case that a company appoints its first CISO in the aftermath of a data breach - as Target did in 2014 and Sony in 2011.

However, landing yourself a CISO, and a good one at that, isn't straightforward.

It's well documented that the InfoSec landscape has a huge skills gap, with Cisco, training body ISC2 and other authorities putting the shortage at around 1.5 to 2 million personnel, and ISACA speaking of a "missing generation" of security staff. This shortage - though disputed by some, including the Department of Homeland Security - is most keenly felt among network analysts and, increasingly, data scientists, but it affects firms at CISO level too.

For starters, there are slim pickings: the best CISOs are pricey, picked off by competitors or constantly chased by commission-hungry recruiters, while the bad ones bounce from job to job with no shortage of 'glad to get rid of you' recommendations.

All of this leaves a landscape that is perhaps more bereft of top CISO talent than the media acknowledges. Indeed, according to Cisco's 2015 Annual Security Report, while 91 percent of companies have an executive who is directly responsible for security, only 29 percent of them have a CISO. Unsurprisingly, businesses with a CISO in place recorded the highest levels of confidence in their security stance.

So, what do you do if you don't have a CISO? This is where virtual CISOs can come in.
These experienced security staff, usually operating remotely, are affordable, available and highly skilled - meaning they can hit the ground running.

"A virtual CISO is an outsourced board advisory function, much like a non-executive director," says Tim Holman, president of ISSA-UK and CEO of 2Sec, which offers virtual CISO services to clients. "You can pretty much get a virtual 'anything' nowadays, from a Virtual Personal Assistant through to Virtual Financial Director. The term virtual tends to mean a resource that is not physically present, or employed by your company directly."

"The cyber-security skills shortage has helped the Virtual CISO industry to grow, where a skilled advisory expert can help a number of companies all at once. However, they are often called in at the last minute where companies are driven by legal or regulatory demand. Or a security breach."

Jane Frankland, a serial cyber-security entrepreneur and CISO adviser, adds that a virtual CISO "is someone who's spent years in the industry, has a wealth of experience having dealt with a wide variety of scenarios, and consults on the management of an organization's information security.

"They're usually engaged to design the organization's security strategy, and some may manage the implementation. Many also present to the board, key stakeholders and regulators. They work part-time, from a few hours a month, and typically remotely."

Brian Honan is CEO at BH Consulting, whose own vCISO service provides clients "with access to our experienced cyber-security consultants to provide ongoing advisory services on how the client should be implementing their cyber-security framework to protect their data and systems.

"Typically, this would involve us agreeing to a program of action whereby key initiatives are identified and we then manage the implementation.
We also are available to the senior management team... to provide ongoing advice and guidance on how the business should be managing the threats to its systems and managing its cyber-risks."

The benefits go beyond cost

Virtual CISOs do actually make some sense. How? Consider this for starters: full-time CISOs can earn $100,000 and beyond, making a part-time, when-you-need-it CISO considerably cheaper (around 30 percent of the annual cost, if industry guesstimates are to be believed).

You can set up a retainer for a certain number of hours, or hire someone on a project-by-project basis. You can even buy a block of support hours and use them when you need them. In short, it's a way of getting the best security talent when you need it, at a fraction of the cost.

They can dive into your most pressing issues straight away, from liaising with security and compliance teams on standards, guidelines and security policies to conducting vendor risk assessments and ensuring compliance with the likes of PCI DSS and HIPAA. The vCISO is also able to train internal security staff, drive security awareness within the firm and create a strategic security road map for the organization.

There are other, less visible benefits. For example, the vCISO has no loyalty to the company, so they have no particular desire to sugar-coat bad news; they don't necessarily fear for their job security (which can affect performance); and the 'virtual' nature means there is less collusion between IT and management, and no need to play office politics.

"A skilled Virtual CISO can bring a wealth of multi-sector experience to your company, and help you take a practical approach to security and build a long-term plan to mitigate risk," says Holman.

"They can help with a variety of challenges," says Frankland.
"Often these include communicating the issues to the leadership team, the regulators, and other business stakeholders; designing the security strategy; advising on technologies, processes and best practices; recruiting suppliers and new team members; training; and dealing with incidents."

"Speed is the currency of new business and a virtual CISO can help an organization mitigate their risks, increase their security expertise, and enable business fast."

Nik Wells is head of IT security and compliance at financial services firm Elevate, and he agrees with Holman and Frankland that vCISOs have their place, especially for small-to-midsize enterprises (SMEs).

"Most SMEs may not have the budget to employ a full-time security professional at that level and need short-term guidance to help them deal with tactical issues and strategic plans for the mid to long term. With the impending [European] GDPR requirements, SMEs will need assistance with meeting these regulations."

Frankland and Honan disagree on the speed of adoption, however, with Frankland suggesting SME adoption is slow and Honan claiming otherwise.

"We are seeing a sharp uptake in these services as many organizations, both at the SME and at the enterprise levels, struggle to find suitably qualified and experienced staff to cover this role," said Honan. "We either provide our service to augment the existing management team within a company, or to cover a role while the company recruits a permanent person for the role."

But are there disadvantages?

This is not to say virtual CISOs are a silver bullet. After all, if that were the case, the in-house CISO would be a far less familiar figure.

We shouldn't forget that vCISOs are first and foremost CISOs, and make the same mistakes, nor that these hired guns have little loyalty or affiliation to the brand they are working for.
They are still relatively expensive, and finding the right one is as difficult as recruiting a full-time CISO. A dependency on them can leave you "locked in".

There is also a larger issue at hand here, as expertly pointed out by one CISO on LinkedIn on the subject of vCISOs.

"...The CISO structure is failing at big companies. It is failing because few firms see security as a strategic level problem," said Frederick Carlson, CISO at the Bureau of Economic Analysis, US Department of Commerce. "Is this idea to duplicate the same failed structure, but push it out to an outsourced model for small firms?" he asked.

He is not alone in thinking vCISOs are a mixed bag. Darren Argyle, recently appointed group CISO at Australian airline Qantas, said in an email to CSO Online: "You miss the accountability with virtual CISOs. You can't write into the charter that a virtual person or service is accountable."

Holman agrees: "A Virtual CISO does not maintain any accountability should things go wrong. This still falls into the shoes of the board. They are rarely given any budget, and should not be seen as offering anything but advice.

"Much like a solicitor or tax specialist, it's up to the company as to whether or not to take such advice. If your company is taking security seriously, a Virtual CISO will definitely help set you in the right direction, but shouldn't be seen as a 100% outsourced security risk mitigation function."

"Companies and their boards need to remember that ultimately they are responsible for their own security," agrees Honan. "A CISO, whether... full-time or virtual, cannot shoulder that responsibility alone. If there is not a culture of security within the organization, or the willingness to introduce one, then the CISO role could be doomed to failure."

"Virtual CISOs don't help with the implementation," adds Frankland. "CISOs advise, coordinate and manage.
They're accountable. If an organization wants someone to write their policies, assess and monitor their systems, applications and infrastructure, install software (firewalls, antivirus, password managers, encryption etc.), then this service won't be adequate."

So while Virtual CISOs do bring numerous benefits, especially for SMEs, they are no panacea for your security problems.