How To Select & Hire a vCISO

Ensuring Organizational Goals and Objectives Alignment

Now, the relative objectivity of a vCISO does not preclude the need to align with your enterprise goals and organizational objectives. Part of the job in evaluating and hiring a vCISO is the cultural alignment of the contractor with your own approach to people and operations.

The vCISO should be a leader, a communicator and a knowledgeable resource.

Circulate your candidates and solicit feedback from your teams on your vCISO candidates and don’t just include your technical or data security teams. Get feedback from previous clients, colleagues or references on their communication style and their capacity. Read their blogs, publications or code release notes if they feature them. If the vCISO isn’t on board with your industry, your operation or your approach to leadership or culture, they might be the wrong fit. Don’t just assume they’ll succeed because they have the credentials; they’ll need to show you a commitment, understanding and capacity, just as a full-time executive hire would. They should also be able to readily apply their understandings and perspectives to your organization, even if they don’t have specific industry expertise. Broaden your horizons in your evaluation and narrow as you get to know your vCISO candidates in the selection process.

Minimizing Risks with Inadequate Security Leadership

An objective, outside perspective from an experienced security specialist who understands your operations, embraces your business culture and maintains a working awareness of the larger threat landscape will go a long way in minimizing risk.

A qualified and skilled vCISO may point out glaring security concerns that are the direct result of your own team’s inefficiencies or methods.

Not vested in the architecture or development of your systems and processes, there won’t be a human tendency to camouflage concerns in order to protect egos – a vCISO engagement may reduce the potential for confirmation bias within your organization.

A qualified vCISO, while they might have preferences, will invariably be platform and systems agnostic, understanding the value in different perspectives and the benefits or drawbacks of certain tools or approaches. This is one of the core benefits of a vCISO, an objective opinion based on industry awareness, not security leadership seeking to defend their own work, biases or perspectives.

Facilitating Seamless Integration with Existing Teams and Processes

A talented vCISO is a leader and a technical resource.

As a leader, they should have the soft skills, the capacity to communicate, connect and inspire teams across the enterprise. They should also be flexible and understanding, with enough awareness to jump in and address issues specific to your industry or systems architecture. Evaluated for cultural fit, they should seamlessly integrate with teams, systems and processes and provide ready insights out the gate, with a minimum of onboarding or indoctrination.

In contrast, a full-time CISO adopts or builds systems and teams, creating processes and a culture specific to your industry, geography, employee base and their own understanding. Your security posture will be formulated around specific perspectives and tools, to the exclusion of other resources. A full-time CISO may “clean house” upon entry, leaning on existing relationships and vendor preferences. And, while there are clear benefits to a deeply knowledgeable, industry and operationally specific data and information security team, you may run the risk of myopia, a blindness to their own processes. Without the broader awareness of a vCISO, or with a focused and busy full-time CISO working internally to support their own teams and initiatives, you might miss opportunities for enhancements or be ill-prepared for an emerging threat.

Maximizing the Value and Return on Investment (ROI) of vCISO services

Maximizing the value of your vCISO engagement requires clarity and research, of both the consultant and your own organizational and security needs.

Assess your current security posture and understand, at least minimally, your operational climate to establish clear goals. From this, you can document your objectives for the engagement.

• What do you hope to achieve with a vCISO?
• Are you reducing risk, improving compliance or finding ways to increase efficiency?
• Determine and document these objectives
• Revisit them as your needs change and goals are met in order to cultivate the most value in your engagement.

Establishing clear goals and objectives allows you to not only determine the value of engaging vCISO but will provide you the necessary insights to also evaluate their expertise and establish manageable goals. It is through the establishment and documentation of these goals and objectives where you’ll determine your best path to sustained success.

• Do you require agility and scalability from your vCISO?
• Would a full-time CISO be a better fit for your projected growth or company culture?
• Aligning this in advance of an engagement ensures proper fit with your overall goals and objectives.

You may also uncover gaps or inconsistencies in your information architecture or security protocols that were obscured prior to the assessment and documentation of your goals and objectives for considering a vCISO.

In addition to gaining clarity around your needs and objectives, you’ll also need to ensure organizational buy-in and effective enterprise communication. The leadership qualities and value of any CISO, fractional or otherwise, are only as good as those who communicate with them. Ensure clear lines of communication, escalation protocols, and outlining expectations for check-ins, status reports and performance evaluations. Gain buy-in and feedback from your existing data and security teams as well as input from your executives or leadership team. Communicate the value of the engagement across the enterprise so your teams know what they can expect and what they also might gain from an engagement with a vCISO.

With clear goals and objectives and open lines of communication, you’ll want to evaluate your results regularly. Is your vCISO having the desired impact on your security posture or organization? Are you meeting outlined goals and objectives as expected? You’ve hired your vCISO to meet specific demands, ensuring that they meet them is a collective effort between you, your enterprise leadership and your security team; establishing timelines to reinforce objectives and ensuring accountability to these goals, objectives and timelines will ensure that you’re getting the value you’d expect from the engagement.

Maintaining Regulatory Compliance and Reducing Potential Liabilities

While your vCISO may or may not be an industry specialist, as security specialists and information security professionals they will have a much wider and broader understanding of regulatory compliance protocols and expectations, which will serve to limit or reduce your potential liabilities. Depending on your industry this understanding may involve regular reviews of updates to regulations such as HIPAA, PCI-DSS, or GDPR and ensuring that your organization's policies and procedures are updated in accordance with these evolving regulations and timelines. Security policies and procedures for your organization should align with your industry regulations and best practices.

As part of their role in the organization, regular risk assessments and monitoring should be established and managed by the vCISO.

These ongoing assessments are used to prioritize initiatives and allocate ongoing resources. Consistent monitoring ensures the ongoing security health of your organization. Clear reporting guidelines should be established for monitoring, threats and compliance deviations.

A vCISO may suggest or implement automations in order to scale change management, compliance and threat detection across the organization. Automations, detailed reporting, clearly defined roles and responsibilities and a proactive posture established with your vCISO will ensure ongoing regulatory compliance, build organizational trust and reduce potential risks and liabilities.

Scalability and Adaptability to Organizational Needs

A vCISO can be available as needed for your business. With the variable engagement models discussed throughout this article, you can enlist your vCISO for specific projects or initiatives, to address immediate or imminent threats, or to focus on specific, larger-scale efforts.

As your business needs change and projects are completed, the requirements and expectations of the vCISO can change without the added challenges of lay-offs or compensation for unnecessary executives.

Organizational needs should be clearly and comprehensively documented along with the goals and expectations of a vCISO.

Early on, you might need a vCISO to improve your overall security posture or ensure compliance with industry standards but once these initial projects are completed, you might find that you need your vCISO less, freeing their time up for other projects, perhaps in other industries, and reducing the overhead and expenses for information security and your executive suite. As with your initial goals and objectives evaluation, you should revisit your objectives and goals as you reach the specific and outlined milestones established at the onset of the engagement.

In the event of a security breach or a threat, having a vCISO on retainer and available to address threats will save you critical time while still saving the expense of a full-time CISO with little to do in quieter periods or once you’ve scaled and are more fully established in your security approach. Time, in every case, is a critical factor in the overall fiscal and reputational impacts of a security or data breach.

With a vCISO in place, an organization maintains the flexibility and agility to scale operations according to budget, need and growth trajectories, including reductions in time or need as business development dictates. With flexible engagement models, as needs change, so can the roles, requirements and time of your vCISO.

Flexibility in Engagement Models

Startups, new businesses or enterprises with smaller project needs could well engage a vCISO on an hourly basis, provided the project scope and needs are well-defined and the engagements relatively short.

Hourly engagements, however, might not be appropriate for more ambiguous needs, more challenging projects or longer term engagements.

Paying fixed monthly or annual fees for predetermined services or hours is another means of engaging a vCISO. Costs are more predictable through retainers and ensure availability of the vCISO on an as needed and known basis. Increasingly, subscription models are employed in fractional engagements, with prepaid “buckets” of hours purchased in advance for fractional leadership on an ongoing or as-needed basis. This might be an ideal situation for an enterprise working within capital expenditure constraints as subscriptions can be categorized as operating expenses as opposed to the capital expenses associated with staffing and human resource development.

Other structures commonly employed for fractional leadership like a Chief Information Security Officers are “tiered pricing” models or performance-based compensation. With tiered pricing, services are provided at varying price points, allowing the enterprise to choose levels of support that meet their needs at different times or for different deliverables. This is an ideal model for businesses looking to scale quickly and remain agile in their approach or organizations with variable or emerging needs.

Performance based pricing associates the vCISO’s performance to established and agreed upon goals or performance metrics. Performance based models incentivize service providers to deliver tangible results, aligning their interests with those established by the client. If you are looking to move quickly with your security deliverables, or address a specific concern, a performance-based pricing model might be just the ticket for delivering on short-term initiatives.

Ability to Address Temporary or Project Specific Security Needs

With the variety of engagement models, your vCISO can be available for short-term and temporary projects or as needed for a data breach or specific security concern. Engaging with a vCISO provides advantages in awareness and threat landscapes which should translate to timely, industry-leading solutions to immediate challenges or specific security and compliance concerns. Their expertise and your engagement should provide you with a depth and breadth of understanding and insights that you might forgo with a full-time Chief Information Security Officer and at considerably less expense over the long term.

Assessing Past Performance and Success in Managing Security Programs

Security certifications and credentials are one clear way to establish knowledge and expertise, but the proof is really in the performance. Carefully review the resume or CV of your vCISO candidates and make a few phone calls.

If they’re accomplished, communicate clearly and are capable of managing the security initiatives you’ve outlined, at the scale you require for your organization, you’ll be able to find other executives who can attest to their skills and capacities.

Talk to other security professionals facing the same challenges. What was their solution to a given problem? Does it align with the recommendations outlined by your candidate? With your specific goals and objectives defined, you’ll be able to assess the candidate's capacity to deliver on your needs while at the same time being able to assess their ability to communicate effectively. A skilled vCISO will maintain a caseload of successes, accomplished projects, and satisfied employers or clients.

In Evaluating the Experience and Credentials of a vCISO, consider the following:

• Verify relevant certifications and professional credentials
• Assess past performance and success in managing security programs
• Evaluate technical and leadership competencies
• Gauge industry specific experience and knowledge
• Evaluate their ability to adapt to an evolving security landscape

Access to Specialized Expertise and Industry Knowledge

Working across industries and applications brings a wealth of knowledge and expertise to an organization.

With vCISO engagements, enterprise operations can access a deep pool of insights, expertise and perspectives that could greatly enhance their security posture as their business needs and threat landscapes evolve.

With varied experience and wider exposure to security and threat landscapes for yours and other industries a vCISO with deep industry involvement is an indispensable resource for an enhanced perspective on data security, privacy, threats and changing regulations. Heavily ensconced in the security industry, a qualified vCISO remains constantly aware and vigilant of current and emerging threats. They maintain tools and awareness as well as a comprehensive pool of security information resources which you can ask about during your evaluation processes.

A broad security perspective may well provide a more substantial security posture than that of specific industry specialists. Maintaining awareness of the cybersecurity and information security landscapes, organizations gain invaluable insights into potential threats and can adapt and align strategies and insights from a wider industry view.

Skilled vCISOs can adapt to the needs of organizations and readily improve the security posture based on industry best practices, emerging threat vectors, trends or varied intelligence resources. Broad perspectives and exposure to threats across industries inform their views and lend them insights which translate to ready solutions designed to account for the size, industry, risk profiles and regulatory environments.

As experts in cyber and information security, your vCISO should profess a wealth of knowledge and experience across industries and organizations of varying sizes. With varied experience and expertise comes the capacity to adapt to your organization’s needs with the flexibility to adapt and deliver security best practices.

Staying Abreast of Trends, Threats and Industry Best Practices

• Demonstrates a commitment to continuous learning and professional development
• Leverages industry resources and networks to stay informed
• Applies the latest security best practices and methodologies
• Proactively addresses emerging threats and vulnerabilities
• Adapts security strategies and tactics to evolving industry trends
• Maintains a working database of industry connections, colleagues and professional resources

Estimating the Total Cost of Ownership (TCO) for vCISO Services

Total Cost of Ownership is the metric which considers both direct and indirect costs associated with engaging a vCISO or other fractional executive.

In addition to the obvious service fees or retainers for a vCISO, enterprises should factor in the additional costs for technology, systems, implementation, internal resources, incident responses and opportunity costs.

Service fees are pretty straightforward to calculate, but it is wise to include any additional feels or services not included in the base fee. Incident response costs, if the vCISO is responsible for managing security incidents, might significantly impact the TCO if incident response time and remediation aren’t considered in advance; incident response costs might also include third-party services or support beyond what is initially scoped by the vCISO.

Once you’ve selected and contracted with a vCISO, the fractional leader must be integrated into the organization which requires time, training and human resources, so implementation costs should be factored into the TCO, including the costs for acquiring, implementing and maintaining any additional or specific tools and technology required by the vCISO. In addition, considerable time will be spent in meetings, generating reports, collaborating and onboarding with a new vCISO, so costs associated with management, IT and other human or technical resources are best factored into the TCO.

In addition to implementation, technology and internal costs associated with a vCISO implementation are the opportunity and ongoing costs related to a vCISO arrangement. An enterprise should consider the cost of a vCISO over alternatives like a full-time, in-house CISO or utilization of other security solutions. To understand the opportunity costs of a vCISO, an enterprise needs to compare the benefits and costs of the alternatives. Calculating opportunity costs requires the estimation of difference in benefits and costs between a vCISO and the next best alternative; the opportunity costs represent the value that might be realized had the best alternative option had been chosen and could include factors such as:

• In-house CISO – salary, benefits, recruitment costs, onboarding and training.
• Alternative Security Solutions – subscriptions, licenses, services fees for managed security services or automated tools (and the effectiveness and comprehensiveness of these solutions)
• Time-to-Value – an evaluation of the time it takes to fully realize the benefits of the chosen solution. A vCISO might be available much quicker than a recruited CISO.
• Flexibility and Scale – consider the adaptability of a vCISO versus an in-house CISO. A full-time CISO may be less adaptable to varying workload demands than a vCISO.
• Resource Allocation – consider the impact of each option on your internal resources and teams; a vCISO might free up internal staff to focus on core business functions, while hiring and supporting an in-house CISO could require more internal support and collaboration.
• Risk Mitigation – What is the risk associated with each of your chosen options? Weigh the potential risk reduction of a vCISO against the risk potential or risk reduction of your other achievable alternatives.

Opportunity costs represent the value that could have potentially been realized with options other than the vCISO approach.

Considering the opportunity costs in the context of TCO will allow your enterprise to make a well-informed decision as to whether to engage a vCISO or pursue another security solution.

In addition to opportunity costs and other cost considerations already mentioned, an enterprise must consider the ongoing costs associated with maintaining a vCISO such as performance reviews, meetings and evaluations. These along with compliance and certification costs might come into play should a Virtual CISO be charged with helping your organization achieve specific security standards and certifications or to maintain compliance with industry regulation.

Once you’ve had the opportunity to evaluate and consider the factors involved in total cost of ownership for the expected duration of your vCISO engagement, you can consider these costs in the context of the value the vCISO will bring to your organization which may not be directly reflected in the TCO calculations. Comparing the potential benefits of an improved security posture, reduced risk and compliance provides a more comprehensive and informed understanding of the value of a vCISO engagement.

When considering the costs of selecting and enlisting a vCISO you’ll want to:

• Assess the potential ROI or long-term value of vCISO engagements in the context of alternatives and your existing needs
• Balance cost-effectiveness of a vCISO with quality, scope of services and organizational need
• Consider alternative solutions or blended models for cost optimization