According to ISACA’s State of Cyber Security 2017, 65% of organizations have a chief information security officer (CISO). Also in that study, only 50% of organizations have an increasing security budget. For many small and mid-sized organizations, budgets are already tight, and hiring a full-time CISO may seem like a luxury. So how does an organization that either does not have or is cutting back on security budgets make sure that it has executive leadership that is focused on information security? One way is to hire a virtual CISO (vCISO), also known as an on-demand CISO.
What is a Virtual CISO?
So what is a virtual CISO? A virtual CISO is no different from a full-time chief information security officer, except that they are not onsite full time. A CISO is generally a senior-level executive who is responsible for establishing and maintaining the enterprise vision, strategy, and program that ensure information assets and technologies are adequately protected.
What are Virtual CISO Services and Offerings?
The services and offerings of a virtual CISO are very similar to those of a standard CISO. Some responsibilities include:
- Managing the Information Security team
- Planning, writing, reviewing and approving policies, procedures, and standards
- Supporting or leading the Incident Response team
- Providing the vision and direction of the information security program
- Building and supporting regulatory compliance
- Defining and managing the organization’s risk
What are the Pros for Using a Virtual CISO?
Hiring a virtual CISO has many upsides, the most common being cost effectiveness. I have listed five pros below. There are probably many more, but these are the high-level pros I have seen and heard of over and over.
- Cost Effective: Finding a qualified CISO to bring into your organization can be expensive, and salaries are usually fairly high. For many organizations, the cost of a full-time CISO may be prohibitive (hiring, benefits, compensation, etc.), but hiring a virtual CISO can make fiscal sense because you only pay for the time they are working with your organization.
- Adaptive: As organizations grow, change is pretty much a guarantee. Some people are great at startups and others are great at established organizations; often one person is not good at both. Consider bringing in a virtual CISO that has expertise with your tools, marketplace, and organization style, and as the organization changes, so can the CISO. Virtual CISOs can also be put on retainer, so they are only used when they are needed.
- Expertise: Virtual CISOs come with a wealth of knowledge (or should). They have a lot of experience with both business and security. Having an established track record and expertise with your tool set and marketplace allows the virtual CISO to hit the ground running the moment they are signed up.
- Independent: This can be a double-edged sword (you will see I comment on something similar in the cons below), but having a virtual CISO that is independent means they are free of internal politics and conflicting agendas.
- Established Relations and Connections: Many virtual CISOs have a built-in network and have many connections with vendors and industry professionals. Being able to leverage this network can make growth more streamlined and cost effective.
What are the Cons for Using a Virtual CISO?
While bringing in a virtual CISO can be very helpful, it is also good to understand the downsides. Below are four cons that I have heard organizations struggle with when it comes to hiring a virtual CISO; in some cases, the organization ended up deciding to make a direct hire instead.
- Timeliness of Responses: Since the virtual CISO is not just supporting your organization but many others, it can sometimes be difficult to get urgent questions answered in a timely manner. To overcome this, it is recommended that you discuss and document an SLA with the candidate prior to bringing them onboard. If it is known upfront that you require a response within four hours, it is easier to manage expectations.
- Lack of Loyalty: Sure, the virtual CISO technically works for you, but they are not heavily invested in your organization. They do not interact with the staff on a daily basis, they do not know everyone by name, nor do they live and breathe the organization the way many internal employees do.
- Lack of Risk Ownership: Look very carefully at the contract and discuss risk ownership openly and candidly prior to hiring a firm or individual. Make sure that they accept some of the organizational risk as they will, in many cases, be managing it. If your organization gets breached because of a mistake or poor strategy from the virtual CISO, make sure that they don’t just walk away unscathed.
- Expensive in Your Time of Need: Having a virtual CISO can be very cost effective, especially if you only need them periodically throughout the year or during compliance audits. But if the organization grows rapidly or experiences a major breach, the hours the virtual CISO starts putting in can be very high and may end up costing more than if you had simply hired a CISO directly.
Where to Find a Virtual CISO?
Many companies provide virtual CISO services, as you can tell when you search for “virtual CISO services,” but it is usually recommended that you ask around to see whether your colleagues or peers can recommend one service over another. Before you begin your search, however, you need to define what your expectations are and what you actually need.
Make sure you identify what you need, how much support you expect, and what budget you have available. For many small and mid-sized organizations, the need for a CISO is driven by regulatory compliance. If you have a client that is asking for a specific report, for example a SOC 1, SOC 2, or HITRUST report, it is recommended that you reach out to an external IT auditor like Linford & Company so that we can help you determine whether the report is needed, as well as help you define what it will take to get your organization ready for an assessment. This can include helping you understand whether a virtual CISO is needed and helping define the scope and expectations for their services.
As your company grows, so do its compliance and security commitments. Having a virtual CISO that you can call when needed can be incredibly helpful and save you a lot of headaches trying to navigate the ever-changing regulatory world or keeping up to date with the fast pace of emerging security threats. Additionally, having a virtual CISO can make the compliance process much easier to get through and is in many ways essential (or required) to help an organization pass examinations such as SOC 1, SOC 2, HIPAA, HITRUST, and FedRAMP.
Linford & Co., LLP, founded in 2008, is comprised of professional and certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP, and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP, and GSEC licenses and certifications. Learn more about our company and our leadership team.