Do I Need a Virtual CISO (vCISO)?


The virtual chief information security officer (vCISO) is a new term for an old offering within the cyber security consulting field: executive-level cyber security expertise and advice. Do you need that level of expertise and advice?

In short, the answer is “yes” if the question is being asked. There are only a handful of reasons to consider a vCISO, and they all boil down to the same reason to acquire any type of consultant – results-driven problem solving and leadership. It’s like asking whether a dental appointment is needed to relieve tooth pain.

vCISOs solve problems related to the higher-level elements of security: planning, management, and operations. Whether you need a vCISO depends on whether you need to solve those kinds of problems without the costs and risks inherent in hiring an employee.


A lot of people I talk to have a misconception of what a vCISO knows and is capable of accomplishing, so at the risk of being obnoxious: a vCISO is not an expert in all things security – no one is. They don’t need to know everything and anything, any more than a military commander needs to know how Semtex works.

In short, a vCISO is the same thing as a regular CISO but with a different value proposition (which we’ll get to in a moment).

A vCISO is not a low-rent CISO

So what is a (v)CISO? A CISO is first a capable leader and communicator, then a strategist, and finally a strong cyber security generalist with one or two areas of expertise built through experience.

Now back to the question.

To answer it more fully, the reasons for considering a vCISO in the first place need a little exploration.

Given that a vCISO should have the same* abilities as a traditional CISO, the matter at hand is the vCISO’s value proposition in relation to the client’s particular need.

The vCISO value proposition is providing short-term access to extensive leadership, strategy, and knowledge. This short-term access allows the vCISO to solve problems and create plans at a fraction of the price of hiring a full-time CISO.

The needs of the client, and the reasons for wanting a vCISO, will vary but can be broken down into the following categories. If the client’s needs (i.e., your needs) fall into any of these categories, then get a vCISO.

  • General Cyber Security Advice
  • Strategy Development
  • High-level Problem Identification and Solutions
  • Program Development & Management
  • Risk Identification & Management
  • Crisis Leadership

If the need is lower level, like designing and implementing an Identity and Access Management solution, then get a different kind of consultant, like a security architect. Though, to be fair, a vCISO and a security architect could work for the same consulting firm.

Is a vCISO Worth the Cost?

The value of a vCISO is in their ability to show up, press the strength of their expertise onto a problem, and then leave. A traditional CISO is always around, always getting paid – maybe solving problems that need solving, maybe not.

A vCISO is worth the cost when you see a need for solving particular problems without needing to bring someone on full-time. The question then becomes whether you are willing to pay the price of any given vCISO under consideration.

So, if your problem falls into one of the aforementioned categories and you agree you do, in fact, need a vCISO to resolve your issues, gain awareness, and altogether improve the security of your organization, then it is at least worth talking to a few vCISOs to get a sense of the cost.

These conversations are discussions with experts in the field to discover the depth of the problem and determine what a firm will charge to solve it. This feeds into a selection process, which is summarized below and discussed in depth in How to Choose a Cyber Security Consultant.

A traditional, full-time CISO can run, on the low end, about $165k per year in salary. When bonuses, health insurance, other compensation, and the cost of employing someone are factored in, this same CISO will cost $250,000/year.

A virtual CISO, also on the same low end as the full-time CISO, costs** about $150/hour at a small firm to $350/hour at a larger firm (~ $300k/year).

Besides overall lower fees when the duration of the project is taken into consideration, a vCISO also brings the following intangible benefits:

  • An objectivity only an outside view can bring. Whether it’s about the problem itself or the politics around the problem, a vCISO is not weighed down by the same constraints.
  • A diversity of problem-solution experience not possible for a traditional CISO. One vCISO can handle a dozen clients per year (depending on the size of the projects). Each project brings exposure to new problems, riffs on old problems, and satisfying solutions.

Small- to medium-sized businesses with no desire to build internal cyber security teams benefit the most from outsourcing their cyber security needs.

In a year-to-year comparison, a full-time CISO may make sense if you want to start building an internal team. The vCISO starts making sense when you decide to outsource the expertise and problem solving:

  • Need a strategy developed? “Yes, but not every month. Just give me a strategy and I will follow it on my own and talk to you again when I have another problem or don’t understand anything”
  • Need to understand your risks? Not on a daily basis.
  • Have an important cyber security question? Not one so often that it’s worth dropping $250K/year.

How to hire a vCISO

Since a vCISO is another type of consultant, to hire a vCISO you just need to follow the same rules and processes you normally follow to hire any kind of consultant.

An overview of a 4-step selection process looks like this:

  1. Research: Generate a list of candidates. Look for markers of quality or red flags.
  2. Interview: Talk to candidates and ask questions pertaining to your problem and their solution.
  3. Analysis & Follow-on Calls: Review notes and do call backs for statements of work and bids.
  4. Budget Considerations & Selection: Work out the budget and decide based on multiple factors.

* When I say same, this is a matter of capability distribution. Anywhere on the bell curve of experience and capability there exist both vCISOs and traditional CISOs. Pluck one CISO of each type from anywhere on the spectrum and the distinguishing characteristic is the value proposition, not experience and capability. Virtual CISOs are not low-rent CISOs.

** Not all virtual CISOs (or firms) have hourly-based fees, but to try and make a fair comparison, the vCISO cost is calculated in hours.
