The Do's and Don'ts of Hiring a vCISO

July 28, 2021 Jose Bormey Jose Bormey

5 Min Read

As the cybersecurity landscape continues to evolve and new threats continue to emerge, having a strong information security plan in place is essential to protecting your assets. The employee charged with developing, implementing, and managing such a crucial plan is the Chief Information Security Officer (CISO), but what if your company can’t afford a full-time CISO? The solution is hiring a vCISO.

However, finding the right vCISO matters. Follow these best practices for finding the right vCISO for your organization. 

Quick Links:

What is a vCISO?

The Virtual Chief Information Security Officer (vCISO), utilizes their years of cybersecurity and industry experience to help organizations develop, implement, and manage an information security strategy. Employees in the role of vCISO build out the organization’s cybersecurity plan and actively maintain it to adapt to a variety of factors, ranging from legislative changes to new types of security threats. Additionally, the vCISO presents the organization’s state of information security to the organization’s board, executive team, auditors, regulators, and other pertinent leadership.

The vCISO role differs from the traditional CISO employee in a couple of key ways, namely that the vCISO can be located anywhere. Rather than searching for someone locally, which limits your options, or paying relocation costs, the vCISO works as a remote consultant. On the other hand, a standard CISO is someone solely focused on the singular organization and is a long-term hire whose salary averages more than $200k

What Do vCISO Services Entail?

vCISOs can provide value to organizations by supporting a number of facets pertinent to the overall information security program, including:

  • Information security planning and management activities
  • Organizational and management structure
  • Initiatives affecting information practices
  • Security risk management activities
  • Evaluating third-parties with access to organizational data
  • Coordinating audits by regulators or customers

The Do's of Hiring a vCISO

Before your organization hires a vCISO, consider the following advice when searching for and interviewing potential candidates:

DO Look at a vCISO Candidate’s Staying Power

An information security program build or recalibration can take an average of 5 years, depending on the various parameters and timelines. Your organization wants someone who demonstrates a commitment to their role in your company, and who will stick through to the end of their work with you. A resume loaded with too many short-term experiences might be a red flag that the candidate won’t see their project to its full potential.

DO Hire a vCISO With Case Studies & Data to Show Deliverables

The main objective of hiring a vCISO is for your company to develop a strategic security plan and then effectively implement it. When assessing potential candidates, dig deep into their experience with these two qualities of developing and implementing. It’s one thing for a candidate to say they’ve created plans without going into further detail - it’s another when they have specific examples of doing so for other customers and what they have helped achieve at other organizations.

For a vCISO to be considered legitimate and reputable, they don’t need a long list of well-known brands as customers; instead, they should be able to present case studies and data that evidences their experience. If the candidate can walk you through a high-level cybersecurity roadmap example during the interview process, then it confirms they have the experience to lead your security efforts.

DO Hire a vCISO with Incident Response Plan (IRP) Experience

If you don’t currently have an Incident Response Plan (IRP) - as 77% of companies don’t - this will need to be at the top of your vCISO’s responsibilities. During the hiring process, be sure that this deliverable is part of the candidate’s expertise so they can develop, implement, and maintain this critical component of your company’s cybersecurity landscape. The vCISO can quickly develop an interim one, then work to craft a formal IRP, and ensure all parties are aware of it and know their roles.

The Dont's of Hiring a vCISO

Watch out for these signs when considering a vCISO candidate. 

DON'T Hire a vCISO Without Specific Experience in your Industry

Highly regulated industries, such as healthcare and finance, have rigorous needs when it comes to vCISOs and the cybersecurity world. There are specific laws and strict requirements to which the vCISO must adhere; thus, the candidate should have in-depth knowledge of whatever particularities apply to your company’s industry. Be sure to ask about their past experience with these compliance measures to evaluate how familiar they are with operating within the established parameters.

DON'T Hire a vCISO Who Is Not Up To Date With Current Cybersecurity Trends

A stagnant cybersecurity program is bound for failure - after all, cybercrime is projected to cost the world $10.5 trillion annually by 2025, so a passive plan simply won’t work. Your vCISO needs to be aware of new threats as soon as they are identified, so it’s important to ask candidates how they stay current on emerging threats and what types of resources they leverage to learn about new trends in cybersecurity strategies and programs.

Furthermore, countries around the world are beginning to pass more cybersecurity-related legislation. Thus, your vCISO needs to keep tabs on new legal requirements and their effects when they take effect. This goes hand-in-hand with another important quality - their ability to work well with legal counsel. Your vCISO candidate needs to know when to get legally involved and what legal counsel needs should an incident occur. For example, if your company must comply with specific regulations such as HIPAA or SOC, be sure to ask specific questions about the candidate’s level of knowledge and experience with these requirements. 

DON'T Hire a vCISO Who Isn't Comfortable with C-Suite Communication

This question points to the importance of strong communication skills for a vCISO. After developing a strategic plan to fortify your company’s security posture, the vCISO must be able to present it to the C-Suite. Someone who prefers to sit behind a computer screen will not do well in this aspect of the vCISO role—and without executive support, your cybersecurity program won’t get very far. The need for communication will continue, as your security strategy will change over time and thus require constant interaction with the C-Suite to keep them updated on progress. 

Transform Your Cybersecurity Strategy With a Virtual CISO!

Compuquip Cybersecurity is a Florida-based managed security service provider that is trusted by organizations throughout the nation. Compuquip offers a virtual CISO (VCISO) and security program development service that helps organizations establish mature and reliable cybersecurity programs to protect their businesses against modern cyber threats.

Need some help optimizing your cybersecurity policies and procedures, but not really sure if a virtual CISO service is right for you? Reach out to the Compuquip team to talk about your security needs and how to address them!virtual-ciso-services

cdo-guide-to-omnichannel-security