What are the reasons behind the latest trend of hiring a virtual CISO? Are there any disadvantages of this practice? Let’s explore…
Survey data from IDG shows that executives of companies without a chief information security officer (CISO) feel their security posture and cyber training are not as effective as they could be. A CISO’s services are undoubtedly precious for any organization, but not every small business or organization can afford a full-time employee in this capacity. In these situations, a virtual CISO (vCISO) can be a blessing.
In this article, we’ll answer the question “what is a vCISO?” Part of this discussion will explore what vCISOs do and why companies hire them. We’ll also go through the advantages and disadvantages of hiring a virtual CISO.
What Is a vCISO? Virtual CISO Services Explained
A virtual chief information security officer, also referred to as a virtual CISO, vCISO, or CISO-as-a-service provider, works as an outsourced or on-demand security practitioner. A vCISO role can be filled by a single individual or a team of virtual experts. Although they typically work as remote, part-time contractors, vCISOs provide many of the benefits of a full-time CISO but without the hefty price tag.
Consider a vCISO like a freelance chief information security officer. Companies often hire them on an ongoing basis, for a stipulated period, or for any particular project.
vCISOs are generally involved in deciding the security framework and policies of the companies they serve, providing strategic recommendations, and assisting in the implementation. Sometimes, they represent companies in board meetings and work with executives to justify security measures and their budgetary requirements. But there are many other duties a virtual CISO can take on depending on the needs of your organization and the terms of their contract with you.
As part of your organization’s executive team, a virtual CISO can do some or all of the following:
- evaluate your organization’s ability to detect, eradicate and prevent cyber threats,
- spearhead the creation and implementation of security programs and initiatives that incorporate regulatory compliance considerations,
- prepare your organization and IT team for audits,
- provide guidance for cyber security and risk assessments,
- evaluate and improve your security-related policies and processes,
- evaluate cyber security vendors,
- provide security training to existing staff,
- provide hands-on technical expertise in the event of a cyber attack, and
- carry out other security-related functions when and as required.
But many companies aren’t just looking for technical leadership expertise from their chief tech officers. PwC’s 2021 Global Digital Trust Insights report shows that companies are increasingly looking for other skills and attributes as well, including:
- analytical skills (47%),
- communication skills (43%),
- creativity (42%), and
- critical thinking skills (42%).
Should You Hire a vCISO? Weighing the Pros & Cons
Now, it’s time to answer the million-dollar question: why should a company choose a vCISO over an in-house CISO? To answer this question, let’s consider some of the advantages and disadvantages of relying on a virtual CISO in lieu of an in-house executive.
Advantage #1 of vCISO Services: Virtual CISOs Cost Less Than In-House CISOs
Salary.com reports the median salary for CISOs was $224,305 in 2020. For start-ups and small to mid-size businesses, this can be a huge expense. In many cases, that kind of six-figure salary may cost more than the amount organizations dedicate to their entire annual cyber security budget!
vCISO pricing is highly customizable according to your organization’s security needs and threat level. Companies pay them based on the time spent or the services rendered. One estimate from Asher Security shows that you can have a vCISO’s services on retainer for as little as $28,800 a year (plus a monthly service payment cost that could range between $2,400 and $29,167).
Advantage #2: Hiring a Virtual CISO Reduces Recruitment Challenges & Costs
When you hire an in-house CISO, you have to rely on the local talent or pay a hefty relocation stipend to an outside candidate. A typical vCISO is a highly qualified professional with a bachelor’s degree in computer science or cybersecurity and has certifications like CISSP, CISM, CISA, and EC-Council’s CCISO. They also have seven to 10 years of work experience in information security, programming, and/or risk management.
Finding a talented CISO can be challenging in small towns and remote places. Plus, to convince a CISO to relocate to your office location, you have to attract them with a higher salary and/or greater benefits than what they already receive from their current employer. Your recruitment and onboarding expenses may also increase.
And even after doing all that, CISOs have a high job turnover rate. There’s no denying that being a CISO is a high-pressure and stressful job. Nominet Cyber Security reports that an in-house CISO lasts an average of 26 months in a job due to burnout. That means you could have to repeat the entire recruitment cycle nearly every two years!
When you hire a vCISO who works remotely, you can find and hire someone from any corner of the world! It gives you a wide range of options and an opportunity to negotiate the contract price. This enables you to:
- save relocation allowances,
- reduce recruitment costs, and
- avoid paying extra benefits like a 401(k), insurance, paid leave, parental leave, etc.
Advantage #3: vCISOs Can Provide General or Niche Expertise
Sometimes, companies need a CISO’s expertise only for specific tasks, such as:
- reviewing security concerns at the time of mergers and acquisitions,
- dealing with compliance or insurance, or
- doing a post-attack analysis to prevent a recurrence.
In such circumstances, hiring a vCISO is a more cost-efficient choice than hiring an in-house CISO.
Hiring a Virtual CISO to Deal with Insurance
Having a vCISO strengthens your organization’s cyber security landscape and helps to shift your company into a lower-risk category. If your virtual CISO reports directly to your board or another department (such as Compliance), this may result in reduced cybersecurity insurance premiums.
Plus, when a cyber attack occurs, a vCISO works as a trusted representative of the organization, deals with insurance disputes, and works to secure the maximum benefit from the insurer.
Hiring a vCISO for Compliance Needs
Compliance rules can be overwhelming, and many organizations need an experienced CISO to deal with those regulations. On one side, many companies can’t afford to hire a full-time CISO; on the other, non-compliance penalties can be financially devastating.
To address this, companies hire virtual CISOs to avoid non-compliance penalties. In general, virtual CISOs have a wide range of compliance experience with regulations such as
Advantage #4: CISO-as-a-Service Often Gives You Access to a Team of Pros
Many security consulting firms and managed detection and response (MDR) service providers employ a large team of in-house security professionals. They provide what’s known as “CISO-as-a-Service,” meaning you don’t need to find, evaluate, hire, and negotiate with a vCISO yourself. You just need to hire such an agency, and they’ll assign a qualified vCISO to you based on your organization’s requirements.
One of the biggest benefits of such agencies is that vCISOs often have access to many advanced-level tools and have a team of experts at their disposal (such as threat hunters, compliance specialists, security analysts, and penetration testers). Hence, the workload is evenly balanced, and you can get the benefit of a full-fledged security team at a lower fixed cost.
Now that we’ve covered the advantages of virtual CISO services, we’d be remiss if we didn’t also talk about some of the disadvantages.
Disadvantage #1: Their Time & Attention Are Divided Among Multiple Clients
An in-house CISO focuses 100% on your organization’s security. But when you hire a virtual CISO, they have multiple companies to look after simultaneously and can’t devote special attention to your company. You can’t tell them not to work on multiple projects or how they should divide their time.
If your vCISO has taken on more projects than they can handle, it might cause negligence or deteriorate the quality of their work. Also, if there’s an emergency, like an unusual threat approaching or a sudden cyber attack, your on-call CISO may or may not be available to respond immediately due to their other engagements. As such, you may not be able to rely on a vCISO in an emergency. The exception here might be virtual CISO services that provide 24/7/365 access, but then you’re looking at contracts that often involve significantly higher costs.
Disadvantage #2: They Lack In-Depth Knowledge of Your Systems
Virtual CISOs aren’t intimately familiar with your organization’s IT infrastructure, policies or procedures because they split their time between multiple clients, whereas a full-time CISO works solely for you. In other words, in-house CISOs are already aware of your company’s vulnerabilities and threat patterns, while the vCISOs have to start everything from scratch.
Full-time CISOs know your company’s security posture so closely that they can detect unusual signs of attack more quickly than a virtual CISO. In the same way, an in-house CISO can carry out a post-attack investigation and damage control more efficiently and rapidly than a vCISO because they have in-depth knowledge of each component of your technical infrastructure.
When you hire a vCISO for individual projects, they may be indifferent to the overall security structure of your company and focus only on their specific tasks. They may not recognize, or bother to inform you of, big loopholes that need to be addressed. A full-time CISO, by contrast, will take a holistic approach and responsibility for the entire defense mechanism of your company.
Disadvantage #3: No Blending with an Organization
An in-house CISO is an authoritative figure and an integral part of your organization. When they outline policy changes and recommendations, the other IT staff tend to take those suggestions seriously and implement them relatively quickly. But a vCISO might be considered an “outsider” and may not be taken seriously by others unless management intervenes.
In the same way, if a full-time CISO suggests security measures that management deems “too much hassle” or too expensive, management is still answerable to the CISO for rejecting those proposals. A full-time in-house CISO holds a louder voice in budgetary discussions and negotiations than a vCISO. Management can easily dismiss a vCISO’s recommendations, often due to trust issues.
For example, management may view a vCISO’s recommendations as a means of extending the length of their contract or increasing the scope of the project to charge more money. For such reasons, even highly crucial security suggestions can stay on the shelf and put companies at risk in the long run.
However, being an “outsider” can also be a positive attribute, depending on your perspective. If a virtual CISO isn’t part of your organization’s internal culture, they can serve as an impartial third party. As such, they’re less susceptible to the internal or political pressures an in-house CISO may experience, which can make them more effective.
Final Words on vCISO Services
In cyber security, no matter how many advanced tools you use, human intervention is still a necessity. The threat actors who carry out attacks are real humans with unique motives and agendas. And to understand their mindsets, you must employ qualified, well-trained cyber security staff. A key part of this includes having a leader in place who can strategize and lead your organization’s cyber security initiatives from the front.
While hiring a full-time in-house CISO is an option that many companies consider, there are some obvious disadvantages to this approach. This is why many organizations, including small businesses, opt to hire a virtual CISO to meet their needs. But hiring a vCISO may not be the best course of action for every business, and you must choose the right path based on your organization’s specific needs.
Whichever route you choose, having an in-house CISO or a virtual CISO in place speaks volumes. Having someone in this type of role demonstrates that you’re taking steps to improve your organization’s cyber security and are committed to protecting your organization’s sensitive data and IT resources.