According to ISACA’s State of Cyber Security 2019, 72% of organizations have a chief information security officer (CISO). Also, in that study, only 55% of organizations have an increasing security budget. For many small and mid-sized organizations, budgets are already tight, and hiring a full-time CISO may seem like a luxury.
So how does an organization that either does not have or is cutting back on security budgets make sure that it has executive leadership that is focused on information security? One way is to hire a virtual CISO (vCISO), also known as an on-demand CISO.
What is a Virtual CISO?
A vCISO is no different from a full-time chief information security officer, except that a vCISO is an outsourced security advisor who is not onsite full time. A CISO is generally a senior-level executive who is responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure that information assets and technologies are adequately protected.
Virtual CISO Services and Responsibilities
A vCISO's services and offerings are very similar to those of a standard CISO. However, what a vCISO is responsible for will vary depending on the specific needs of the organization. Generally, a vCISO's responsibilities will include, but are not limited to, the following:
- Providing the vision, strategy, direction, and implementation of the information security and compliance governance program
- Conveying security goals to the organization's board of directors
- Determining the proper security framework(s) with which the company must comply
- Understanding industry trends and leading the team in architecting security solutions
- Helping define security budgets and the most appropriate and cost-effective security solutions
- Providing guidance and support in achieving the compliance requirements the company may have
- Managing the information security team
- Defining, planning, writing, reviewing, and approving policies, procedures, standards, and processes
- Supporting or leading the incident response team
- Defining the acceptable level of risk and managing the organization's risk
- Reviewing current internal security controls
- Guiding the annual security planning and training
Benefits of a virtual CISO
Hiring a virtual CISO has many advantages, the most commonly cited being cost effectiveness. Listed below are five high-level benefits:
- Cost Effective: Finding a qualified CISO to bring into your organization can be expensive; salaries are usually fairly high and come with an associated benefits package. For many organizations, a full-time CISO may be cost prohibitive (hiring, benefits, compensation, etc.), but hiring a virtual CISO can make fiscal sense because you only pay for the time they are working with your organization.
- Adaptive: As organizations grow, change is pretty much guaranteed. Some people are great at startups and others are great at established organizations; often one person is not good at both. Consider bringing in a virtual CISO that has expertise with your tools, marketplace, and organizational style, and as the organization changes, so can the CISO. Virtual CISOs can also be put on retainer, so they are only used when they are needed.
- Expertise: Virtual CISOs come with a wealth of knowledge (or should). They have a lot of experience with business and security. Having an established track record and expertise with the tool set and marketplace experience allows the virtual CISO to hit the ground running the moment they are signed up.
- Independent: This can be a double-edged sword (you will see I comment on something similar to this below in the disadvantages), but having a virtual CISO that is independent means they are free of politics and conflicting agendas.
- Established Relations and Connections: Many virtual CISOs have a built-in network and have many connections with vendors and industry professionals. Being able to leverage this network can make growth more streamlined and cost effective.
Disadvantages of a Virtual CISO
While bringing in a virtual CISO can be very helpful, it is also good to understand the downsides. Below are four disadvantages that Linford has heard organizations struggle with when hiring a virtual CISO; in some cases, the organization ended up deciding to make a direct hire instead.
- Timeliness of Responses: Since the virtual CISO is not just supporting your organization but supporting many, it can be difficult sometimes to get urgent questions answered in a timely manner. To overcome this, it is recommended to discuss or document an SLA with the candidate prior to bringing them onboard. If it is known upfront that you require a response in four hours, then it is easier to manage expectations.
- Lack of Loyalty: Sure, the virtual CISO technically works for you, but they are not heavily invested in your organization. They do not interact with the staff on a daily basis, they do not know everyone by name, and they do not live and breathe the organization the way many internal employees do.
- Lack of Risk Ownership: Look very carefully at the contract and discuss risk ownership openly and candidly prior to hiring a firm or individual. Make sure that they accept some of the organizational risk as they will, in many cases, be managing it. If your organization gets breached because of a mistake or poor strategy from the virtual CISO, make sure that they don’t just walk away unscathed.
- Expensive in Your Time of Need: Having a virtual CISO can be very cost effective, especially if you only need them periodically throughout the year or during compliance audits. However, if the organization grows rapidly or experiences a major breach, the hours the virtual CISO starts putting in can be very high and, in turn, may end up costing more than if you had hired a CISO directly.
Cost of a Virtual CISO
As noted above in the benefits of hiring a vCISO, they are, generally speaking, much more cost-effective than hiring a full-time CISO. However, the cost of a vCISO can vary widely depending on the responsibilities assigned and the amount of time the on-demand vCISO is consulted.
According to the most recent data from CSO Online, salary.com, and Glassdoor, CISOs in the United States command six-figure salaries; by contrast, vCISOs are estimated to cost much less, at between 30% and 40% of full-time CISO averages.
Where to Find a Virtual CISO?
Many security consulting companies provide virtual CISO services, as you can tell when you Google "virtual CISO services," but it is usually recommended that you ask around to see if your colleagues or peers can recommend one service provider over another. Also, before you begin your search, you need to define what your expectations are and what you actually need. Make sure you also identify how much support you expect and what budget you have available.
For many small and mid-sized organizations, the need for a CISO is driven by regulatory compliance. If you have a client that is asking for a specific report, for example a SOC 1, SOC 2, or HITRUST report, it is recommended that you reach out to an external IT audit firm like Linford & Company for help in determining whether the report is needed and in defining what it will take to get your organization ready for an assessment. This can include helping you understand whether a virtual CISO is needed and helping define the scope and expectations for their services.
As your company grows, so do its compliance and security commitments. Having a virtual CISO that you can call when needed can be incredibly helpful and save you a lot of headaches trying to navigate the ever-changing regulatory world or keeping up to date with the fast pace of emerging security threats. Additionally, a virtual CISO can make the compliance process much easier to get through and is in many ways essential (or required) to help an organization pass examinations such as SOC 1, SOC 2, HIPAA, HITRUST, and FedRAMP.
Olivia Refile (CISSP, CISA, CRISC, GSEC, ISO Lead Auditor) specializes in SOC examinations for Linford & Co., LLP. She completed her Bachelor of Business Administration, with a concentration in Management Information Systems, at Temple University's Fox School of Business in 2010. Olivia started her career in IT Risk Management in 2010, specializing in internal and external audits as well as IT security risk assessments. Following her time in risk management, Olivia moved solely into external IT audit and is currently dedicated to performing SOC 1 and SOC 2 examinations.