What is a Virtual CISO?
A Virtual CISO (vCISO) is often mentioned in cybersecurity and compliance discussions, but what exactly is a virtual CISO?
An information security program is not complete without appropriate, experienced leadership. In the past, information security has often been treated as a component of information technology. However, more organizations, including SMBs, now recognize that the information security role is larger than firewall management and represents a critical business function.
Larger organizations address this by employing a full-time CISO, often with a team of direct reports. However, SMBs don’t often have the resources to hire a full-time CISO, nor do they require one. The virtual CISO, or vCISO, emerged as a solution to this gap. A virtual CISO is a consultant who assists organizations in creating, managing, and improving their information security program.
An effective vCISO is an information security executive with years of experience as the full-time senior information security executive at a midsized or larger company. This provides the seasoned vCISO with the practical real-world experience to serve SMBs.
Not all virtual CISO providers are alike. The virtual CISO market has exploded over the past several years, and for good reason – it helps to solve a problem. Small and midsized businesses need the risk management experience of information security executives, but not necessarily full time. However, with this growth has come dilution.
Many Managed Security Service Providers (MSSPs) and other organizations offer virtual CISO services devoid of actual CISO and/or risk management experience. Instead, they provide an IT Security Director-type resource and/or attempt to automate much of the process. The client gets technical expertise but not true risk management experience to build a sustainable, effective information security risk management program.
When vetting virtual CISOs, it is critical to understand their experience, whether it be a single vCISO or a service. You truly get what you pay for.
Reasons to Engage a vCISO
SMBs typically engage a vCISO for one of two needs:
- Project-based with a defined scope and deliverables, such as a risk assessment or SOC2 audit support.
- Ongoing, as a resource for continuous program support for a set number of hours per month (usually 15-40).
Choosing a vCISO is as important as hiring any other business executive. Proper vetting, including client reference checks, is required. Be aware that some Managed Security Service Providers that offer vCISO services may in fact fill the role with someone who lacks the desired experience. Be sure to request the resume of the vCISO proposed for your needs.
A vCISO, by definition, works remotely, but may be available for onsite meetings such as in the support of an audit. Additionally, a vCISO usually works with several clients at a time and is often not available at a moment’s notice.
vCISO Characteristics and Limitations
vCISOs should not be leveraged as a resource for immediate incident response (boots on the ground) when an incident occurs. vCISOs support incident management before an incident (planning and process development) and after recovery (root cause analysis, process improvements). A vCISO does not perform forensics or install and configure information technology security equipment.
A virtual CISO may be an appropriate solution given budget constraints, but a highly experienced virtual CISO (one with years of full-time experience as a CISO) will charge a commensurate fee. According to salary.com, the average salary and bonus for a CISO in the United States in 2023 was over $289,000, which equates to over $138 per hour. Adding in self-employment costs, including additional taxes, health insurance, tools and equipment, marketing/advertising, training, back office, and so on, it’s easy to see how an experienced virtual CISO service could, on an hourly basis, command $450 per hour or more.
Virtual CISO Engagement
Engaging a virtual CISO begins with a Request for Proposal (RFP). A properly constructed and effective RFP should convey what the small business needs. This should include immediate and long-term requirements.
Often there is a discovery call to determine the scope of the engagement. During this, the virtual CISO firm will ask questions about the RFP or, if there is no formal RFP, will attempt to gain details to properly scope a proposal.
Some firms offer services on an hourly basis while others charge a flat rate. Generally, the latter is preferred by both sides and is the industry norm, but prepaid engagements such as retainers may involve an hourly rate.
The initial term of a typical virtual CISO engagement is one year. The first three months usually involve learning the “as-is” state of the environment. A flat rate normalizes expenses and reduces the overhead incurred by hourly billing. In other words, flat-rate is generally the more cost-effective billing method.
Honesty and transparency are necessary in all phases of the engagement. If a proposal is verbally agreed to, the virtual CISO firm will often begin preparation work to meet the client’s start date while the contract process continues. It is considered, at minimum, very poor business practice to change direction without cause during this process. Stay true to your word.
Another proper business practice is to honor the contract term unless there is a reason to terminate for cause. Switching to another provider at a lower cost a few months into the engagement is wrong: a virtual CISO firm has already front-loaded much of the work in the engagement. Again, unless there’s a reason to terminate for cause, stay true to your word.
Your virtual CISO is your business partner. As previously noted, transparency is essential for an effective engagement. The virtual CISO is positioned to improve the business’s information security posture through proactive means; this can only occur if the virtual CISO is seen as part of the team. This is not an audit engagement.
To that point, the virtual CISO usually works in the Second Line of Defense (Risk). The work they produce is for the client only and is not generally intended to be used as a third-party attestation; that is the function of the Third Line of Defense (Audit). Understanding this up front will help set future expectations. The virtual CISO will prepare you for an audit but will not perform one. This maintains independence, and the two are different skill sets.
Whether a vCISO is the best option for your organization is a business decision. The worst choice is to do nothing. vCISO Services, LLC is a leading provider of virtual CISOs. Contact us to learn how we can help your business’s security posture.