The Popularity and Value of a vCISO
Enterprise operations continue to strive for improvements in their security posture while managing costs, project timelines and the ability to scale. These objectives, together with increasingly critical data, privacy and security concerns for businesses of all sizes, have given rise to the popularity and value of virtual or fractional security specialists.
With the need for companies to continually ensure that their data and systems are secure and compliant, many organizations are turning to Virtual Chief Information Security Officers (vCISOs) to manage and stay abreast of data, privacy and cybersecurity challenges.
As not all vCISOs are equally skilled or capable, this article provides some of the key considerations for determining and selecting a qualified and culturally-suited vCISO as a viable approach, including cost comparisons, assessment criteria, value and returns on investment. It is quite possible to find an accomplished security specialist who can readily deliver on your organization’s objectives, providing the necessary leadership and technical insights to effectively manage the data, privacy and security concerns within your organization, provided you’re prepared to delve into and document the specific security and cultural needs of your organization.
The Value of vCISO Engagement (At a Glance)
- Strategically enhanced organizational security posture and increased operational resilience
- Streamlined security processes and more efficient resource allocation
- Improved compliance with regulatory requirements and reduced risk of penalties for non-compliance
- Access to specialized expertise, perspectives and strategic guidance for enterprise-wide security decision-making
- Long-term value through ongoing support, risk mitigation and continuous improvement
- Strategic scalability, operational flexibility and timely incident response
Key Benefits of a vCISO
Flexibility, agility and awareness of industry threats and the overall security landscape are just a few of the many benefits of a vCISO for your organization. The objective perspective and tool-agnostic approach of a vCISO provide additional insights, and having a vCISO who remains apart from your organization can help avoid the pitfalls of internal office politics.
A vCISO is engaged to perform for your business against clear guidelines, expectations and deliverables; they are not simply earning a salary and retaining a seat at the table. They know, contractually, that if they don’t deliver they can be released with minimal notice, and they are motivated accordingly, often providing your business and your executives with the candid, honest and trusted perspective of outside counsel.
Ensuring Organizational Goals and Objectives Alignment
Now, the relative objectivity of a vCISO does not preclude the need to align with your enterprise goals and organizational objectives. Part of the job in evaluating and hiring a vCISO is the cultural alignment of the contractor with your own approach to people and operations.
The vCISO should be a leader, a communicator and a knowledgeable resource.
Circulate your vCISO candidates and solicit feedback from your teams, and don’t limit this to your technical or data security teams. Get feedback from previous clients, colleagues or references on their communication style and their capacity. Read their blogs, publications or code release notes if they feature them. If the vCISO isn’t on board with your industry, your operation or your approach to leadership or culture, they might be the wrong fit. Don’t just assume they’ll succeed because they have the credentials; they’ll need to show you commitment, understanding and capacity, just as a full-time executive hire would. They should also be able to readily apply their understanding and perspective to your organization, even if they don’t have specific industry expertise. Cast a wide net at the start of your evaluation and narrow the field as you get to know your vCISO candidates in the selection process.
Minimizing Risks with Inadequate Security Leadership
An objective, outside perspective from an experienced security specialist who understands your operations, embraces your business culture and maintains a working awareness of the larger threat landscape will go a long way in minimizing risk.
A qualified and skilled vCISO may point out glaring security concerns that are the direct result of your own team’s inefficiencies or methods.
Because a vCISO has no personal stake in the architecture or development of your systems and processes, there is no human tendency to camouflage concerns in order to protect egos. A vCISO engagement may therefore reduce the potential for confirmation bias within your organization.
A qualified vCISO, while they might have preferences, will invariably be platform- and system-agnostic, understanding the value of different perspectives and the benefits or drawbacks of particular tools or approaches. This is one of the core benefits of a vCISO: an objective opinion based on industry awareness, not security leadership seeking to defend its own work, biases or perspectives.
Facilitating Seamless Integration with Existing Teams and Processes
A talented vCISO is a leader and a technical resource.
As a leader, they should have the soft skills and the capacity to communicate, connect and inspire teams across the enterprise. They should also be flexible and understanding, with enough awareness to jump in and address issues specific to your industry or systems architecture. Evaluated for cultural fit, they should integrate seamlessly with teams, systems and processes and provide ready insights out of the gate, with a minimum of onboarding or indoctrination.
In contrast, a full-time CISO adopts or builds systems and teams, creating processes and a culture specific to your industry, geography, employee base and their own understanding. Your security posture will be formulated around specific perspectives and tools, to the exclusion of other resources. A full-time CISO may “clean house” upon entry, leaning on existing relationships and vendor preferences. And, while there are clear benefits to a deeply knowledgeable, industry and operationally specific data and information security team, you may run the risk of myopia, a blindness to their own processes. Without the broader awareness of a vCISO, or with a focused and busy full-time CISO working internally to support their own teams and initiatives, you might miss opportunities for enhancements or be ill-prepared for an emerging threat.
- Consider the vCISO’s communication style, interpersonal skills, follow-through and professionalism
- Evaluate the vCISO’s ability to work within your organization's existing culture and structures
- Align the vCISO’s values with your organization's mission and objectives
- Ensure a strong fit and rapport with key stakeholders and decision-makers
- Establish mutual trust and respect for a successful working relationship
Maximizing the Value and Return on Investment (ROI) of vCISO services
Maximizing the value of your vCISO engagement requires clarity and research, of both the consultant and your own organizational and security needs.
Assess your current security posture and understand, at least minimally, your operational climate to establish clear goals. From this, you can document your objectives for the engagement.
- What do you hope to achieve with a vCISO?
- Are you reducing risk, improving compliance or finding ways to increase efficiency?
- Determine and document these objectives
- Revisit them as your needs change and goals are met in order to cultivate the most value in your engagement.
Establishing clear goals and objectives not only allows you to determine the value of engaging a vCISO but also provides the insights you need to evaluate their expertise and set manageable goals. It is through the establishment and documentation of these goals and objectives that you’ll determine your best path to sustained success.
- Do you require agility and scalability from your vCISO?
- Would a full-time CISO be a better fit for your projected growth or company culture?
- Aligning this in advance of an engagement ensures proper fit with your overall goals and objectives.
You may also uncover gaps or inconsistencies in your information architecture or security protocols that were obscured prior to the assessment and documentation of your goals and objectives for considering a vCISO.
In addition to gaining clarity around your needs and objectives, you’ll also need to ensure organizational buy-in and effective enterprise communication. The leadership qualities and value of any CISO, fractional or otherwise, are only as good as those who communicate with them. Ensure clear lines of communication and escalation protocols, and outline expectations for check-ins, status reports and performance evaluations. Gain buy-in and feedback from your existing data and security teams as well as input from your executives or leadership team. Communicate the value of the engagement across the enterprise so your teams know what they can expect and what they might gain from an engagement with a vCISO.
With clear goals and objectives and open lines of communication, you’ll want to evaluate your results regularly. Is your vCISO having the desired impact on your security posture or organization? Are you meeting outlined goals and objectives as expected? You’ve hired your vCISO to meet specific demands; ensuring that they meet them is a collective effort between you, your enterprise leadership and your security team. Establishing timelines to reinforce objectives, and holding the engagement accountable to these goals, objectives and timelines, will ensure that you’re getting the value you’d expect.
Maintaining Regulatory Compliance and Reducing Potential Liabilities
While your vCISO may or may not be an industry specialist, as security specialists and information security professionals they will have a much broader understanding of regulatory compliance protocols and expectations, which will serve to limit or reduce your potential liabilities. Depending on your industry, this may involve regular reviews of updates to regulations such as HIPAA, PCI DSS or GDPR and ensuring that your organization's policies and procedures are updated in accordance with these evolving regulations and their timelines. Security policies and procedures for your organization should align with your industry regulations and best practices.
As part of their role in the organization, regular risk assessments and monitoring should be established and managed by the vCISO.
These ongoing assessments are used to prioritize initiatives and allocate ongoing resources. Consistent monitoring ensures the ongoing security health of your organization. Clear reporting guidelines should be established for monitoring, threats and compliance deviations.
A vCISO may suggest or implement automations in order to scale change management, compliance and threat detection across the organization. Automations, detailed reporting, clearly defined roles and responsibilities and a proactive posture established with your vCISO will ensure ongoing regulatory compliance, build organizational trust and reduce potential risks and liabilities.
Defining Success for a vCISO
Success for your vCISO engagement is largely determined by your organizational needs and the comprehensive evaluation and understanding of your security goals, objectives, deliverables and expectations.
A checklist for success should include clarity and documentation of the following:
- Your organization's data architecture, infrastructure, scale and security requirements for establishing clear expectations, goals and deliverables
- Alignment with and needs for meeting regulatory compliance requirements and specific industry standards or expectations
- A determination or estimation of the required levels of involvement, engagement and support from a vCISO
- Assessing the need for additional services, such as training or incident response planning
Comparing the Costs of CISOs
The overall cost of a full-time CISO versus a fractional or vCISO is often a key motivating factor for organizations. Costs, however, should account for more than just salary, benefits and compensation.
We’ll explore some of these comparisons, such as opportunity costs, continuity and availability, in more detail throughout this article, but will focus here on the basic considerations.
A vCISO operates on a fee-based model which, when carefully evaluated against benefits and objectives, is usually quite cost-effective, particularly for small-to-mid-sized enterprises. Conversely, a full-time CISO typically commands a high salary, along with benefits like health insurance, retirement contributions and other perks. Full-time CISOs also need to be recruited, often through a lengthy, costly and time-consuming process, and then onboarded and oriented to the organization, adding to the time and cost of simply getting started with a CISO. These costs and delays can prove challenging, particularly in the context of an immediate threat or active security concern. A vCISO, in contrast, can often start working much more quickly and at considerably lower onboarding cost.
Full-time CISOs will, invariably, require dedicated office space, hardware, software and other resources which add to the overall expense of a dedicated Chief Information Security Officer. These expenses can often be reduced with a vCISO who would, typically, supply their own tools and leverage your existing infrastructure.
Less tangible than salaries, recruitment and human resources are expertise, experience, flexibility and scalability. A vCISO would, ideally, have experience working with clients across various industries which provides a significant advantage in terms of breadth of expertise and knowledge. Full-time CISOs might possess in-depth knowledge in your specific industry or organization but lack the diverse experience or perspectives of a skilled vCISO. The level of support and engagement of a full-time CISO is relatively fixed.
A vCISO may be a more flexible and thereby more cost-effective solution in the long term. As your organizational needs change or as your enterprise scales, a vCISO’s engagement levels or services can change accordingly.
Continuity and availability are other important factors to consider. A full-time CISO will, as we all do at times, require vacation and sick time. A vCISO, on the other hand, may have the continuous (and potentially round-the-clock) support of a team of professionals to support your organization’s needs and service coverage.
Lastly, opportunity costs, which we’ll detail later, should be carefully considered when evaluating the overall costs of a full-time CISO or vCISO. Opportunity cost analysis allows your organization to weigh a vCISO against the best available alternative, taking internal resource demands and other inherent costs into account.
Scalability and Adaptability to Organizational Needs
A vCISO can be available as needed for your business. With the variable engagement models discussed throughout this article, you can enlist your vCISO for specific projects or initiatives, to address immediate or imminent threats, or to focus on specific, larger-scale efforts.
As your business needs change and projects are completed, the requirements and expectations of the vCISO can change without the added challenges of lay-offs or compensation for unnecessary executives.
Organizational needs should be clearly and comprehensively documented along with the goals and expectations of a vCISO.
Early on, you might need a vCISO to improve your overall security posture or ensure compliance with industry standards. Once these initial projects are completed, you might find that you need your vCISO less, freeing their time for other projects, perhaps in other industries, and reducing the overhead and expense of information security in your executive suite. As with your initial goals and objectives evaluation, you should revisit your objectives and goals as you reach the milestones established at the onset of the engagement.
In the event of a security breach or a threat, having a vCISO on retainer and available to address threats will save you critical time while still saving the expense of a full-time CISO with little to do in quieter periods or once you’ve scaled and are more fully established in your security approach. Time, in every case, is a critical factor in the overall fiscal and reputational impacts of a security or data breach.
With a vCISO in place, an organization maintains the flexibility and agility to scale operations according to budget, need and growth trajectories, including reductions in time or need as business development dictates. With flexible engagement models, as needs change, so can the roles, requirements and time of your vCISO.
Flexibility in Engagement Models
Startups, new businesses or enterprises with smaller project needs could well engage a vCISO on an hourly basis, provided the project scope and needs are well-defined and the engagements relatively short.
Hourly engagements, however, might not be appropriate for more ambiguous needs, more challenging projects or longer term engagements.
Paying fixed monthly or annual fees for predetermined services or hours is another means of engaging a vCISO. Retainers make costs more predictable and ensure the vCISO’s availability on a known, as-needed basis. Increasingly, subscription models are employed in fractional engagements, with prepaid “buckets” of hours purchased in advance for fractional leadership on an ongoing or as-needed basis. This might be an ideal situation for an enterprise working within capital expenditure constraints, as subscriptions can be categorized as operating expenses rather than the capital expenses associated with staffing and human resource development.
Other structures commonly employed for fractional leadership roles like a Chief Information Security Officer are “tiered pricing” models and performance-based compensation. With tiered pricing, services are provided at varying price points, allowing the enterprise to choose levels of support that meet their needs at different times or for different deliverables. This is an ideal model for businesses looking to scale quickly and remain agile, or for organizations with variable or emerging needs.
Performance-based pricing ties the vCISO’s compensation to established and agreed-upon goals or performance metrics. Performance-based models incentivize service providers to deliver tangible results, aligning their interests with those established by the client. If you are looking to move quickly on your security deliverables, or to address a specific concern, a performance-based pricing model might be just the ticket for delivering on short-term initiatives.
Ability to Address Temporary or Project Specific Security Needs
With the variety of engagement models, your vCISO can be available for short-term and temporary projects or as needed for a data breach or specific security concern. Engaging a vCISO provides an advantage in awareness of the threat landscape, which should translate to timely, industry-leading solutions to immediate challenges or specific security and compliance concerns. Their expertise should provide you with a depth and breadth of understanding and insight that you might forgo with a full-time Chief Information Security Officer, and at considerably less expense over the long term.
Evaluating vCISO Experience and Qualifications
When it comes to evaluating the skills, abilities, experience and qualifications of a vCISO, it is prudent to maintain a healthy degree of skepticism.
The integrity and security of your data and your clients’ information are too critical to the success of your organization to trust baseless declarations. Following this short list of evaluation criteria will help you maintain a critical stance and ask the questions you’ll need to ensure a qualified and culturally fit fractional executive.
Verify Relevant Certifications and Professional Credentials
In an age where just about anything can be faked, it’s critical to confirm credentials and professional certifications. Check certification dates on all credentials and don’t rely solely on certificate images or links to an online certification course. Trusted and reputable certifying bodies provide various means of authentication, including certificate authorization numbers or searchable databases of credentialed professionals. If you recognize the certifying organization but can’t verify a credential holder, you can always reach out to the provider and confirm any certifications your candidate holds. If you’re unsure of the validity of a certification, ask for documentation or clarification, such as a transcript or letter from the certifying body attesting to their status.
Assessing Past Performance and Success in Managing Security Programs
Security certifications and credentials are one clear way to establish knowledge and expertise, but the proof is really in the performance. Carefully review the resume or CV of your vCISO candidates and make a few phone calls.
If they’re accomplished, communicate clearly and are capable of managing the security initiatives you’ve outlined, at the scale you require for your organization, you’ll be able to find other executives who can attest to their skills and capacities.
Talk to other security professionals facing the same challenges. What was their solution to a given problem? Does it align with the recommendations outlined by your candidate? With your specific goals and objectives defined, you’ll be able to assess the candidate's capacity to deliver on your needs while also assessing their ability to communicate effectively. A skilled vCISO will maintain a track record of successes, accomplished projects, and satisfied employers or clients.
When evaluating the experience and credentials of a vCISO, consider the following:
- Verify relevant certifications and professional credentials
- Assess past performance and success in managing security programs
- Evaluate technical and leadership competencies
- Gauge industry specific experience and knowledge
- Evaluate their ability to adapt to an evolving security landscape
Access to Specialized Expertise and Industry Knowledge
Working across industries and applications brings a wealth of knowledge and expertise to an organization.
With vCISO engagements, enterprise operations can access a deep pool of insights, expertise and perspectives that could greatly enhance their security posture as their business needs and threat landscapes evolve.
With varied experience and wider exposure to the security and threat landscapes of your industry and others, a vCISO with deep industry involvement is an indispensable resource for an enhanced perspective on data security, privacy, threats and changing regulations. Heavily ensconced in the security industry, a qualified vCISO remains constantly aware and vigilant of current and emerging threats. They maintain tools and awareness as well as a comprehensive pool of security information resources, which you can ask about during your evaluation process.
A broad security perspective may well provide a more substantial security posture than that of specific industry specialists. Maintaining awareness of the cybersecurity and information security landscapes, organizations gain invaluable insights into potential threats and can adapt and align strategies and insights from a wider industry view.
Skilled vCISOs can adapt to the needs of organizations and readily improve the security posture based on industry best practices, emerging threat vectors, trends or varied intelligence resources. Broad perspectives and exposure to threats across industries inform their views and lend them insights which translate to ready solutions designed to account for the size, industry, risk profiles and regulatory environments.
As experts in cyber and information security, your vCISO should possess a wealth of knowledge and experience across industries and organizations of varying sizes. With varied experience and expertise comes the capacity to adapt to your organization’s needs and the flexibility to deliver security best practices.
Staying Abreast of Trends, Threats and Industry Best Practices
- Demonstrates a commitment to continuous learning and professional development
- Leverages industry resources and networks to stay informed
- Applies the latest security best practices and methodologies
- Proactively addresses emerging threats and vulnerabilities
- Adapts security strategies and tactics to evolving industry trends
- Maintains a working database of industry connections, colleagues and professional resources
Cost and Budget Considerations
From hourly or project engagements to retainers and subscription models, a key benefit of vCISO engagements is the flexibility of pricing models. These structures afford organizations and enterprises of varying sizes the flexibility and scalability to meet specific project needs or to obtain leadership support at varying stages of development. The models and structures will vary between vCISOs and organizations and will largely depend upon the requirements of the enterprise.
Comparing Pricing Models and Structures Among vCISO Providers
Many vCISOs and fractional executives offer a combination of pricing models or customized and hybrid pricing models. Retainers with additional hourly or specific project based fees beyond the retainer scope might be one approach. To ensure your organization receives the right level of support and expertise, remain flexible in your approach and be sure you have established clear performance metrics and benchmarks in advance of any contract or fee structure discussions with your vCISO candidates.
It might seem obvious, but comparing the pricing structure between two or more vCISOs will give you a better understanding of the overall landscape and may result in uncovering more value for your vCISO, as one qualified executive might prove more cost-effective or affordable than another, given your industry and budgets.
Estimating the Total Cost of Ownership (TCO) for vCISO Services
Total Cost of Ownership is the metric which considers both direct and indirect costs associated with engaging a vCISO or other fractional executive.
In addition to the obvious service fees or retainers for a vCISO, enterprises should factor in the additional costs for technology, systems, implementation, internal resources, incident responses and opportunity costs.
Service fees are straightforward to calculate, but it is wise to include any additional fees or services not covered by the base fee. Incident response costs, if the vCISO is responsible for managing security incidents, might significantly impact the TCO if incident response time and remediation aren’t considered in advance; incident response costs might also include third-party services or support beyond what is initially scoped by the vCISO.
Once you’ve selected and contracted with a vCISO, the fractional leader must be integrated into the organization, which requires time, training and human resources. Implementation costs should therefore be factored into the TCO, including the costs of acquiring, implementing and maintaining any additional or specific tools and technology the vCISO requires. In addition, considerable time will be spent in meetings, generating reports, collaborating and onboarding with a new vCISO, so costs associated with management, IT and other human or technical resources are best factored into the TCO as well.
Beyond the implementation, technology and internal costs of a vCISO engagement are the opportunity and ongoing costs of the arrangement. An enterprise should consider the cost of a vCISO relative to alternatives like a full-time, in-house CISO or other security solutions. To understand the opportunity costs of a vCISO, an enterprise needs to compare the benefits and costs of those alternatives. Calculating opportunity costs requires estimating the difference in benefits and costs between a vCISO and the next best alternative; the opportunity cost represents the value that might have been realized had the best alternative been chosen, and could include factors such as:
- In-house CISO – salary, benefits, recruitment costs, onboarding and training.
- Alternative Security Solutions – subscriptions, licenses, services fees for managed security services or automated tools (and the effectiveness and comprehensiveness of these solutions)
- Time-to-Value – an evaluation of the time it takes to fully realize the benefits of the chosen solution. A vCISO might be available much quicker than a recruited CISO.
- Flexibility and Scale – consider the adaptability of a vCISO versus an in-house CISO. A full-time CISO may be less adaptable to varying workload demands than a vCISO.
- Resource Allocation – consider the impact of each option on your internal resources and teams; a vCISO might free up internal staff to focus on core business functions, while hiring and supporting an in-house CISO could require more internal support and collaboration.
- Risk Mitigation – What is the risk associated with each of your chosen options? Weigh the potential risk reduction of a vCISO against the risk potential or risk reduction of your other achievable alternatives.
Opportunity costs represent the value that could have potentially been realized with options other than the vCISO approach.
Considering the opportunity costs in the context of TCO will allow your enterprise to make a well-informed decision as to whether to engage a vCISO or pursue another security solution.
In addition to opportunity costs and the other cost considerations already mentioned, an enterprise must consider the ongoing costs of maintaining a vCISO engagement, such as performance reviews, meetings and evaluations. Compliance and certification costs might also come into play should a Virtual CISO be charged with helping your organization achieve specific security standards and certifications or maintain compliance with industry regulation.
Once you’ve had the opportunity to evaluate and consider the factors involved in total cost of ownership for the expected duration of your vCISO engagement, you can consider these costs in the context of the value the vCISO will bring to your organization which may not be directly reflected in the TCO calculations. Comparing the potential benefits of an improved security posture, reduced risk and compliance provides a more comprehensive and informed understanding of the value of a vCISO engagement.
When considering the costs of selecting and enlisting a vCISO you’ll want to:
- Assess the potential ROI or long-term value of vCISO engagements in the context of alternatives and your existing needs
- Balance cost-effectiveness of a vCISO with quality, scope of services and organizational need
- Consider alternative solutions or blended models for cost optimization
A vCISO can cost-effectively deliver on security objectives and provide the expected guidance, leadership and technical insights to effectively manage data, privacy and security concerns for your organization at scale and as necessary.
While the benefits and value of a vCISO to your organization are clear, it takes careful consideration, thought and documentation of needs and objectives as well as continued communication with teams across your enterprise to realize the full value and return on your investment in a Virtual Chief Information Security Officer.
Establishing clear goals and objectives in advance of any vCISO recruitment or engagement effort allows you to determine the value of engaging a vCISO and provides the insights needed to evaluate their expertise against those specific goals. It is through the assessment, development and documentation of these goals and objectives that you’ll determine your best path to sustained operational and security success. Aligning this in advance of an engagement, and evaluating candidates with a healthy degree of skepticism, will ensure proper fit with your enterprise, your goals and your security objectives. Following the above considerations should provide you alignment and a quality fit, but should you require further evaluation resources, additional insights or the services of a qualified vCISO, reach out to our own Chief Information Security Officer for a comprehensive consultation and additional resources.