Hiring a virtual CISO to help your security team
March 9, 2022
0 mins readAs cyberattacks become more common, organizations are starting to understand the importance of having effective security measures in place. A virtual Chief Information Security Officer (vCISO) within the organization can generate significant progress toward that goal.
What is a virtual CISO?
A virtual CISO is a part-time or remote security practitioner or provider who offers their time and expertise to an organization on a temporary or ongoing basis.
A virtual CISO can be effective at companies that want to put security controls in place but cannot hire a full-time CISO. If you are in a small or medium-sized business and want to get all the necessary security controls in place, hiring a virtual CISO could be a good way to start. As companies hire more people in consulting positions across the organization, part-time roles as a virtual CISO are becoming increasingly common.
People working as virtual CISOs can be placed by a company that hires them out as a service — much like a talent agency — or they can take virtual CISO work on a freelance basis. In either scenario, organizations can hire a virtual CISO without adding a full-time person on-site, but they can still reap the benefits of having access to security expertise.
CISOs are very difficult to hire. This is becoming increasingly challenging as more businesses recognize the value of having a CISO on staff, particularly considering times when CISOs can assist in lowering the cost of a data breach.
vCISO vs CISO: Which is suitable for your business?
Companies want to scale at lightning speed, but they have to consider and abide by security standards at the same time. A vCISO can help them achieve both. Companies who want a second opinion about their security posture can rely on a vCISO to provide it.
In many cases, a virtual CISO can be an excellent fit for organizations whose primary focus is not in technology. A full-time CISO might not have many options for career growth in these companies, and may eventually seek other opportunities. This could potentially leave the organization without qualified security expertise. This is when having access to a virtual CISO can be extremely beneficial. Even in large organizations with a full-time CISO on staff, the additional assistance of a virtual CISO — who can take on some of the work when the full-time security officer is inundated — can be helpful.
vCISO use cases
A virtual CISO may be a compliance officer, a risk assessment officer,, or an application security specialist. In many cases, the CISO is occupied with business leaders or clients and may need help with some of their more specialized tasks This is when a vCISO fits the bill.
vCISOs are available on demand, and typically don't require any training or a 30/60/90-day plan. They jump into their work on day one, whereas a full time CISO would take time to ramp up to full performance in a new organization. While different vCISOs have different skill sets, many should be capable of handling a wide range of tasks, from the tactical to the strategic. They might be able to assist in the development of security policies, guidelines, and standards. Some can also help with recruiting, developing security strategies, procuring solutions, resolving incidents, and laying the groundwork for ISO 27001 and 9001 compliance.
Duration of the vCISO role
The virtual CISO role is short-term or long-term based on the needs of an organization. After the primary work of security architecture or compliance program setup is complete, only very incremental changes are needed within the whole security architecture. As soon as the process is stabilized, the virtual CISO’s work is complete. Then the virtual CISO can start a new journey in another organization — although some companies will want to stay connected with the vCISO for future work.
Virtual CISO Rohit Srivastwa: “A lot of companies have come back to us, asking if we can set up a retainer model, so that whenever there is a need for security expertise, we'll provide it. But yes, there is a limited time frame.”
This role can be defined in different ways and flavors to suit an organization's requirements. Imagine a buffet of services provided by a vCISO agency: companies can pick specific services based on their appetites.
Executive influence of the CISO vs. vCISO
Full-time CISOs, as permanent employees at the organization, have to persuade and influence a board of directors to adopt their recommendations for security practices. However, virtual CISOs are chosen and appointed by the executive team, so any recommendation made by a vCISO will be implemented by default (as executives have already accepted them as authorities on the subject).
If the basic practices are strong and clearly defined within an organization, a vCISO program is easy to set up. Many organizations see the value of a vCISO program as soon as they begin to consider it. For example, at the start of the Covid-19 pandemic, many companies shifted to a cloud-based, remote work structure with very few requirements in place. This created huge security concerns. The board of directors at many organizations opted to use the services of a vCISO, and became confident in the quality of those services. When a board of directors is confident with a vCISO program, they’ll continue to use it.
Business considerations for hiring a vCISO:
Your Non-Disclosure Agreement should be in place. Apply the same NDA to a project-based vCISO that you would apply to a CISO being hired full-time. Good privacy policy should be embedded as part of the NDA.
Do proper employee verification. Proper verification should be conducted on the vCISO agency, as well as the individual providing vCISO services.
A vCISO could be your best option
A virtual CSO program allows an organization to reap the benefits of having the expertise of a CISO, without adding a full-time employee on permanent payroll. This can potentially be a win-win situation for all parties involved. Every organization should consider using a vCISO option to reach their security objectives.