Virtual CISO: Leveraging External Security Expertise

January 14, 2021
Michael Solomon

WRITTEN BY MICHAEL SOLOMON

Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.
Virtual CISO: Leveraging External Security Expertise

Today’s organizations, both big and small, are finding that security activities consume more resources than ever before. Cyber criminals are getting better all the time, and staying just one step ahead of them is getting harder. But it’s not just more sophisticated criminals; organizational growth, increased infrastructure complexity and expanding compliance requirements also require more time, people and technology to avoid becoming a victim of a cybersecurity breach.

Security used to be focused on physical access to facilities and resources, or adding layers of logical controls to protect software and data. However, security concerns of the 21st century don’t fit into nice buckets anymore. Security concerns affect every aspect of an organization’s operations and should be an integral driver of strategic planning.

Information security used to be a good idea to include “if there is time.” Then it became more important as cyberattackers became more sophisticated at leveraging vulnerabilities. Now, information security is an integral component organizational strategic viability. It is just as important as fiscal integrity and product quality.

Executives have become acutely aware of the impact of poor information security on their organization’s profitability and longevity. A lack of security focus at the executive level could easily result in hefty fines for non-compliance, punitive rulings after finding liability or negligence, or a loss of customers and partners after a confidence-shattering breach. The risk of undervaluing information security is too great to ignore.

To address the growing awareness of information security’s importance to strategic planning, many larger organizations now include a Chief Information Security Officer (CISO) in the executive suite. A CISO provides executive leadership guidance on keeping organizations secure and compliant.

But with the average median salary for a CISO being over $200,000, many companies cannot afford their own CISO. The need is still there, but the budget doesn’t allow for a full-time person in that position.

However, there is an attractive alternative. Organizations that lack the budget for a CISO are increasingly turning to an outsourced solution: the virtual CISO, or vCISO. Let’s look at what a vCISO does and how one can benefit small and medium-sized businesses.

Benefits of a vCISO

A vCISO is generally a cybersecurity professional who works part-time offering security services to multiple organizations, working for several throughout any year. This job-sharing approach gives organizations access to a CISO without having to hire one full time.

The vCISO fills several needs through different types of services, including:

  • Cybersecurity guidance to executives
  • Security readiness assessment
  • Compliance alignment recommendations (for HIPAA, GDPR, PCI-DSS, CCPA and dozens more)
  • Remediation prioritization
  • Security architecture guidance
  • Incident response
  • Governance
  • Business continuity

A vCISO helps organizations transition from viewing security as a tactical requirement to a strategic one. This transition isn’t an easy one without support from the top. That’s the most important role of a vCISO: to solicit and ensure ongoing support of security from the very top of the organization’s leadership.

The strategic nature of a vCISO’s approach to security isn’t in contrast to existing security activities or other organizational goals. The vCISO should help ensure that security is addressed in all policies in a way that supports and even promotes existing and new organizational goals. Security should do more than simply align with goals; it should be an integral part of those goals.

Too many organizations still view security as a middle-management concern. These organizations invest substantial resources in adding security after the fact and end up fighting fires. Security becomes a reactive process.

Instead, security should be proactive. The push toward integrating security into the software development process as well as operations, DevSecOps, is a great move in this direction. In fact, it isn’t unusual for a vCISO to start a move toward DevSecOps. 

Up to this point, the benefits we’ve covered for a vCISO are essentially the same as for a full-time CISO. You could get these benefits either way. Where you’ll start to see advantages in a vCISO is in your investment. Currently, the average CISO salary is around $185,000 to $222,000 for medium-sized businesses. You may see some salaries under $100,000 for smaller companies, but the overall average is well above that. A vCISO can bring the same benefits as a full-time CISO for a fraction of the cost.

In addition to the compensation package, hiring a full-time CISO requires a substantial level of commitment and effort to find the right person. In order to be effective, your CISO must have the right experience for your type of organization and work well with your executives and management.

A vCISO generally has more experience across a wide range of organizations and executive personalities. This additional experience helps to provide a fresh and current perspective on security issues. There is less emphasis on “that’s the way we’ve always done it here,” and more emphasis on getting it done right.

The part-time nature of a vCISO also tends to promote neutrality. As much as organizations may try to limit the impact of internal politics on decisions, it’s always there. External personnel have long been valued for their ability to operate largely outside the sphere of political influence. Politics won’t ever completely go away, but a vCISO is often able to remain neutral when providing executive guidance.

Why you might need a vCISO

If you think your organization needs more security-related guidance at the executive level, consider whether a vCISO would be a good potential option. Do any of these scenarios sound like your situation? If so, and your budget won’t support a CISO, you might need a vCISO.

  • You don’t really know whether you’re vulnerable to security breaches: If your organization hasn’t invested the effort to assess its information security risk, you might need a vCISO to initiate and support that process.
  • You’ve been breached and no one saw it coming: Post-breach investigations and recommendations often lead to organizational leadership adjustments. One of those adjustments is to include a security-focused member of the executive suite. If this is the case, you might need a vCISO.
  • Substantial changes have occurred that could impact security: If your organization is about to or has recently merged, acquired or divested a business unit, security should be assessed. The same holds true if you have experienced growth or retraction in your market and customer base. And of course, any significant outside influences, such as a global pandemic, that materially alters how you conduct business can affect security. If you don’t have anyone who leads efforts to ensure security is not compromised in the face of changes, you might need a vCISO.
  • You haven’t yet transitioned to a new CISO: Larger organizations that do employ a full-time CISO on the executive team may find themselves between CISOs from time to time. If you need a CISO now and the vacancy isn’t yet filled, you might need a vCISO for the interim.
  • There’s an increased workload for the existing CISO: Changes to the organization or environment, including new regulatory compliance requirements, may increase the demands of a CISO beyond their current capability. If your CISO requires help to get through the crunch, you might need a vCISO.

There are many reasons a vCISO might be a good fit for your organization. A good vCISO can provide valuable guidance for the length of time tailored to your needs. Saving the salary of a full-time CISO is only one of the benefits.

How to find a vCISO

If you decide a vCISO would be a benefit to your organization, the next step is to find the right one. There currently isn’t a trusted authority that reviews vCISOs, so you’ll have to do a bit of your own investigative work.

Start with your favorite internet search engine. (If you’re security conscious, I’d recommend my favorite, DuckDuckGo.) Find a handful of vCISO offerings that seem to be a good fit for your organization.

Once you have an initial list in hand, explore the services each one provides, the experience they advertise, and how they structure their services and billing. Then you’ll need to set up a conversation to find the best fit from your list. Although committees may slow things down, a group decision during the selection process is a good idea and can help minimize bias.

The general process for engaging a vCISO generally flows like this:

  • You set up an initial consultation (commonly one hour at no charge)
  • The vCISO delivers a proposal of high-level state security readiness, proposed services and costs
  • Your organization accepts or rejects the proposal, and then moves forward

If you decide to engage a vCISO, find one with whom you are comfortable, and then negotiate an agreement that meets your goals. If you need a quarterly assessment and remediate report, make sure that’s explicitly stated in the agreement deliverables. Don’t assume anything.

An agreement with a vCISO can be set up for a few hours per month or quarter, or it may be proposed as a retainer fee with a maximum performance statement for the retainer. Maximum performance may be stated as a number of hours or deliverables. Regardless of the agreement type, ensure that you understand what you’re paying for and what you’re getting for the money.

A vCISO can be an affordable and flexible approach to adding extensive security experience and wisdom to your executive team. If a vCISO is a good fit, it can help you avoid the pain points of being unprepared in the face of aggressive cyberattacks.

Would you like to know more about implementing secure application development solution in your company? Get in touch with our Kiuwan team! We love to talk about security.