
What to look for in a virtual CISO

Experts weigh in on when and how to hire a contractor instead of a full-time executive.

Anna Kim


They go by many names: virtual CISO (vCISO), fractional CISO, and CISO-as-a-service (CISOaaS).

At the end of the day, though, all these acronyms refer to the same thing: a worker or team—usually a contractor, but sometimes an internal officer, like a CIO—performing a CISO’s role on what’s typically a part-time basis.

It’s potentially a budget-friendly option for organizations looking to up their cybersecurity game while avoiding the cost of a full-time executive. Estimates of the average CISO salary vary, but tend to be in the hundreds of thousands of dollars.

A vCISO can save money, but there’s the potential risk of insufficient services that fail to meet an organization’s needs. To help understand the pros and cons, IT Brew interviewed experts on when to hire a vCISO, how to pick the right one, and what to avoid.

When to get one

Ben de la Salle, the director of UK-based CISOaaS firm ICA Consultancy, told IT Brew via email that organizations that provide online services, control personal data, or rely a great deal on intellectual property “should engage some level of security advice that goes above and beyond technical controls.”

The CISO role tends to be for larger companies; Rajiv Lulla, a partner at advisory firm Caldwell’s data, digital, and technology leaders practice, previously told IT Brew it is prudent for companies worth $20 to $30 million to have an executive with a portfolio covering cybersecurity. The threshold is lower, however, for contract roles.

“The majority of customers we support are either in a highly regulated industry, process some level of personal data (this does not need to be significant), or [are] a growth business that is looking to protect their investments/IP,” de la Salle wrote. ICA’s smallest client to date, he added, was a six-employee financial services business—though other clients are listed on the FTSE 100.

Questions that should come into play when considering whether to hire a vCISO include whether an organization understands its industry-specific or data privacy obligations, as well as how severe the consequences of a cyberattack would be, de la Salle advised.

Other factors he recommended taking into consideration include awareness (or lack thereof) of security weaknesses, what cybersecurity means to the organization at a strategic level, and the level of expertise already available.

“Ideally, the engagement should work in part as knowledge transfer, and upskill team members internally,” de la Salle added.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Michelle Drolet, the CEO and founder of security firm Towerwall, told IT Brew her clients have often hit a wall “when risk gets to a certain level.”

That might be lacking “the resources to build data classification programs, or incident response plans, or even the information security program, the overarching acceptable use AI policies,” she said. Other considerations might be regulatory requirements or vendor relationships, Drolet added.

How to pick

It’s especially important to vet candidates for a virtual or fractional CISO role carefully, experts told IT Brew, because they might lack the requisite experience to make the right impact. Greg Schaffer, the founder and CEO of Tennessee-based vCISO Services, noted clients can end up hiring “scammy” services if they don’t understand their own needs. That’s often the case in his experience.

“If you don’t have that, you don’t have any way to compare between providers,” Schaffer told IT Brew. “I always encourage prospects to create an RFI or an RFP—it doesn’t have to be anything really in depth.”

As CSO Online reported, experts in tech hiring caution that CISOs have to balance internal and external duties as well as serve as ambassadors for the business value of a cybersecurity program. Experience navigating those duties is arguably even more important for a vCISO, who Schaffer said is likely to be tasked with setting up fundamentals like vulnerability assessments, policy reviews, business continuity planning, and chairing steering committees.

Drolet said ideal vCISO candidates have a “very senior security background,” noting less experienced candidates often have gaps in their knowledge. She recalled meeting a vCISO with less than a decade of professional experience, for example, who didn’t seem to understand that GDPR compliance is a continual process.

Seek out either a reputable managed services provider or a consultant with excellent references, Drolet suggested: “I’ve seen some very good people that have really good certifications. I’ve seen some really bad people that are really good test-takers.”

And according to de la Salle, the first question for any vCISO candidate should be whether they have a background as a full-time leader in security.

“There is experience taken from working in industry that you just don’t get being an external supporting a business,” he wrote.
