FoxPointe Security Hub

Considering the Value of Leveraging a Virtual Chief Information Security Officer (vCISO)


This post originally appeared on Security Magazine.

Ensuring the confidentiality, integrity, and availability of information must be at the forefront of any business in today’s environment. While many think they are up to this task, there’s a lot that goes into protecting data. Cyberattacks and data security breaches are at an all-time high in 2020 due to the increase in remote work, and according to a recent Information Systems Security Association and Enterprise Strategy Group survey, 63% of cybersecurity professionals have seen an increase in cyberattacks and security breaches related to the pandemic. This ultimately is a call to all businesses today that we all need to take the proactive steps to remain safe and secure.

A company’s in-house chief information security officer (CISO) is a key component in making sure the risk of a cyberattack or security breach is greatly reduced. The responsibilities of this position are critical for businesses working to protect themselves against cyberthreats, but the reality is that some companies can’t afford to add another member to the C-suite at an average salary of up to $250K. However, there’s another option: a virtual CISO, or vCISO.

For a fraction of the salary of a full-time CISO, companies can hire a vCISO: an outsourced security practitioner with executive-level experience who, acting as a consultant, offers their time and insight to an organization on an ongoing (typically part-time) basis, bringing the same skillset and expertise as a conventional CISO. Hiring a vCISO on a part-time (or short-term) basis gives a company the flexibility to outsource impending IT projects as needed.

A vCISO works closely with senior management to establish a well-communicated information security strategy and roadmap, one that meets the requirements of the organization and its customers as well as state and federal requirements. Most importantly, a vCISO can provide companies with unbiased strategic and operational leadership on security policies, which includes:

  • Guidelines, controls and standards
  • Regulatory compliance
  • Risk management
  • Vendor risk management
  • Infrastructure planning
  • Business continuity
  • Database management

Since vCISOs are already experts, they save the organization time and money by decreasing ramp-up time. Businesses are able to eliminate the cost of benefits and full-time employee onboarding requirements. Also, if another employee had been handling the responsibilities of a CISO, a vCISO frees up some of their workload, enabling them to take on other priority tasks.

Many in-house IT departments are multi-faceted and may not have the time or resources to properly manage all IT functions, especially as they relate to information security. A vCISO can align a company’s information security program to a business’s overarching strategy to provide predictive budgeting to senior management.

There are also disadvantages to hiring a vCISO. One is that the vCISO most likely will need time to understand the culture and business operations of a company. Second, depending on the contractual arrangements made, a company can have unrealistic expectations that they are getting a full-time person for the cost of someone who works less than 20% of the time. The truth is, vCISOs most likely have other clients who they are involved with, so unless a company is hiring a vCISO full time, his or her time may be split between multiple companies. Finally, those who market themselves as vCISOs may lack the current knowledge of the industry. While these vCISOs may have years of technical experience, they may lack managerial security experience. Organizations must take care to properly vet a vCISO’s experience.

Information security is complex and ever-changing. New vulnerabilities and threats are identified daily. Keeping up with threats, risks, and vulnerabilities is often a full-time job in larger organizations. Developing a strategic information security plan and program is a difficult task, and not everyone has the skills or the time to do it effectively. The right vCISO can provide a business with quality executive-level information security expertise by collaborating with executive management to make smart decisions on various security, privacy, and compliance requirements and issues. A seasoned vCISO will have had the advantage of seeing hundreds of companies struggle with many of the same challenges, and will know which policies, procedures, and technologies are best for solving specific problems. Overall, the main objective of a vCISO is to act as a bridge between the business and its technology team by providing a long-term framework that can be continuously modified as information security goals and threats evolve.

Reach out to John Roman today for more information about vCISOs.

FoxPointe Solutions is solely responsible for the content of FoxPointe Solutions authored information, which is subject to change at any time. Any forward-looking statements are not predictions. FoxPointe Solutions is not responsible for any errors or omissions, or for the results obtained from the use of this information. Questions regarding your legal or compliance position should be addressed through your legal counsel, security advisor and/or your relevant standard authority. Nothing contained herein should be used or relied upon as advice, nor does it constitute a consultant-client relationship.