The Virtual Chief Information Security Officer, or vCISO, has gained popularity over the past two years with small and midsized businesses (SMBs). Why? Because a vCISO provides business value in many circumstances.

To understand why, we must first understand what a Chief Information Security Officer (CISO) is. A CISO is the senior executive for information security in an organization, regardless of title. I like to emphasize the “regardless of title” part by poking lighthearted fun at the “Chief” portion. Most CISOs (or equivalents) don’t report to the CEO or the Board of Directors. Therefore, they are a chief of nothing. While there is a push to get CISOs to the table, so to speak, the truth is that maybe 16% or so have equivalence to the rest of the C-Suite. The rest are CINOs (Chiefs In Name Only).

Still, that does not diminish their importance to the organization. A CISO has the responsibility of ensuring the business’s information assets are as secure as possible. Scratch that. A CISO is responsible for communicating the information security risks to those who truly are responsible for the security of the organization, from the business unit leader to, ultimately, the CEO. The CISO does not own the risk. Ever.

Now that we’ve established that fact, let’s look at vCISOs. A vCISO is a consultant. Let me state that again. A vCISO is a consultant. They are not an officer of the company. They, even more than their corporate CISO counterparts, do not own information security risk. Sometimes, not too often, SMBs look to vCISOs to shift information security risk responsibility. That never works.

But what, then, is the value of a vCISO to SMBs? Well, if it’s a true vCISO, much.

What do you mean by a true vCISO, Greg?

So glad you asked, unseen blog person. Often, the “vCISO Services” offered by Managed Security Service Providers (MSSPs) are not staffed by personnel who have served as full-time CISOs. That’s important, because the true value a vCISO brings to an SMB is exactly that experience. SMBs need to tap into the minds of those CISOs who have served in and understand the role.

My recent talk at the National Cyber Summit on the Rise of the Virtual CISO dives deeper into this and other issues. It is not a sales presentation, but rather a pragmatic view as to what a qualified virtual CISO can offer a small business. The presentation is available at

