What is a Virtual CISO? How & When the Right Time is to Hire One

What does a CISO do? A chief information security officer (CISO) is the person in an organization who is responsible for defining and enforcing that organization’s cybersecurity policies, practices, and architecture. CISO duties can impact every process in an organization in some way—from the way employees use their emails, to which websites they can visit, to how they store important documents.

However, finding a CISO to add to the company’s internal org chart can be… challenging to say the least. Qualified applicants who can fulfill CISO job requirements are rare. This, in turn, leads to high salaries for these hard-to-find cybersecurity experts (about $225,328 on average, according to salary.com).

With intense competition for people who can understand and execute on the tasks inherent to the CISO job description, companies often have to offer top-rate pay in addition to a variety of other benefits to attract these individuals. However, there’s an alternative solution to hiring a traditional, in-house CISO to manage your company’s cybersecurity program. Instead of headhunting a C-level cybersecurity expert, your company could use a virtual CISO program or service.

What is a virtual CISO (VCISO)? What does a virtual CISO cost to hire? What are the benefits of hiring a VCISO? When should you hire a VCISO vs an in-house CISO?

What is a Virtual CISO?

A virtual CISO is a service provided by a managed security service provider (MSSP) that replicates the job functions of a Chief Information Security Officer—creating and managing cybersecurity policies for an organization—effectively outsourcing the role.

Where an in-house CISO is usually a single highly-ranked person in a company, VCISO services are typically delivered by a team of virtual CISO experts. This allows them to draw on a deeper pool of knowledge and provide near-constant protection against cyber threats.

How Does a VCISO Protect Your Organization?

Virtual CISO services help companies improve their cybersecurity architecture by providing expert advice on their critical security issues. Virtual CISO responsibilities often include tasks like:

  • Running penetration tests;
  • Proactively identifying critical security flaws;
  • Helping revise security policies and procedures;
  • Enabling compliance with key regulations (such as HIPAA, PCI DSS, GDPR, etc.);
  • Creating and implementing incident response plans (IRPs); and
  • Reviewing all existing cybersecurity tools and making recommendations for replacing or reinforcing them.

Just like with an in-house CISO, VCISOs are expected to maximize your cybersecurity while minimizing costs and performance impacts.

What is a Virtual CISO? How & When is the Right Time is to Hire One?

If an in-house CISO can cost a couple of hundred thousand dollars per year, what does a virtual CISO cost? The answer is: “It depends on what VCISO services you need.” Not every company will need the same level of service from a VCISO, so costs may vary.

One rule of thumb for VCISO costs highlighted by CSO Online states that “VCISOs are estimated to cost between 30 percent and 40 percent of a full-time CISO.” However, this is a rough estimate only, and may not necessarily line up with your real costs.

When researching virtual CISO services, it’s important to collect specific estimates from MSSPs so you can compare costs—though cost isn’t the only criteria you should consider when looking at VCISO services.

What Are the Benefits of Hiring a Virtual CISO?

Many people wonder what the benefits of hiring a virtual CISO expert are versus recruiting a permanent person for this C-level role. Some of the key benefits of using VCISO services as opposed to relying on a traditional, in-house CISO include:

  1. Eliminating a Lengthy Recruitment Process. It can take months and tens of thousands of dollars to create a successful CISO recruitment campaign. Aside from simply creating a CISO job description and posting it on Monster or LinkedIn, companies need to invest time to find and vet a qualified candidate. Worse, companies may spend weeks trying to get a candidate to sign on, only for them to be scooped up by some other company with a bigger budget for benefits or payroll. Using a virtual CISO service provides instant access to a team of experts—eliminating a lengthy, costly, and risky recruitment process.

  2. Getting “Round the Clock” Cybersecurity Monitoring. As good as a highly-skilled CISO can (and should) be, that’s still just one person being asked to handle security optimization and incident response/management for an entire organization. People need vacations, down time to brush up on new developments, or sick time—nobody can be on top of everything 24/7. With virtual CISO services, you get access to a team of experts who can cover for one another to provide constant surveillance and support. This helps to provide more security than any one person can offer.

  3. Virtual CISOs Are More Likely to Stay Up to Date. Cybersecurity threats and attack methods are constantly changing as attackers create new ways to steal data or cause harm. Keeping up with the latest threats is a full-time job in and of itself. VCISO service providers are often better able to keep up with new security threats because they have a whole team of people at their disposal. Instead of relying on one person to try to learn every single threat type (which is nearly impossible), MSSPs can have people who specialize in dealing with different threats, keeping up with the latest developments much more easily by spreading the burden.

  4. Saving Money on CISO Program Costs. As mentioned earlier, the cost of a VCISO tends to be much lower than that of their in-house counterparts. This is because many of the costs associated with recruiting for a C-level position (advertising, benefits, payroll, bonuses, ongoing cybersecurity training) are assumed by the MSSP. The MSSP can then have their virtual CISO service teams work on multiple accounts at the same time—spreading out the cost so you don’t have to bear the full burden alone.

The monetary savings that outsourcing CISO job functions to a VCISO service can provide is usually the most popular reason for using them. However, it’s important to consider more than just the cost.

Reasons to Hire a Virtual CISO Service

While the benefits listed above are often strong motivation to use a VCISO, some of the most commonly-cited reasons to use these services are:

1: Because VCISO Services Offer a Predictable Monthly Cost

While far from the only concern that companies seeking CISOs face, cost is one of the most frequently-cited reasons to go with a virtual service. People who have the right qualifications and experience to fill a C-level cybersecurity role know their worth—and will have options lined up around the block to hire them if your offer isn’t appealing enough. So, it’s not uncommon for a VCISO to leave after getting a better offer.

This can leave companies scrambling to find and onboard a replacement—which creates additional costs for recruitment and training. Additionally, considering the need for time off for vacations or random personal events, the return on a CISO’s services from month to month can vary (especially considering it’s typically a salaried position).

2: Because Good CISOs Are Hard to Find

Even when offering top-scale pay, it can be hard to find a CISO who is qualified for the position. So hard, in fact, that many organizations opt to take a regular cybersecurity expert and put them through either campus-based or virtual CISO training to produce a suitable candidate.

Additionally, there’s no guarantee that the person being trained will have the right mix of experience and skills to manage a large-scale cybersecurity plan that integrates smoothly with existing business processes.

Using a VCISO service to deliver a robust cybersecurity plan eliminates the need to headhunt or train a C-level cybersecurity expert. More importantly, virtual CISO teams often have much more experience in helping companies optimize their security plans than any individual might possess.

3: Because You Need CISO Support RIGHT NOW

A side effect of having to headhunt or train up a new CISO is going without critical C-level cybersecurity services for a prolonged period of time. During this time, critical cybersecurity issues are being left unaddressed—meaning your network is more vulnerable than it otherwise would be.

Using a VCISO service helps eliminate lengthy recruitment processes. This, in turn, helps ensure that your organization gets critical cybersecurity support when it’s needed.

4: Because You Want a Broad Range of Cybersecurity Expertise

As mentioned earlier, one of the key advantages of a virtual CISO service over using an in-house CISO is that the service leverages a whole team of people who can each specialize in different things. This provides a wider pool of knowledge that can result in better cybersecurity protections that address more of your biggest cybersecurity risks.

Additionally, a dedicated team of virtual CISO experts is more likely to be able to correctly identify specific security risks and create effective countermeasures than a single person. This helps to improve the efficacy of your incident response plans so you can minimize the impacts of security breaches and improve speed of response.

Should I Hire a CISO or a VCISO?

With all of the positives that have been mentioned about VCISO services, you might think that it would always be the best option. However, nothing is ever that simple. There are cases where it may make more sense to use an in-house CISO instead of an outsourced VCISO service.

For example, some organizations might prefer to have someone on staff who is wholly dedicated to their cybersecurity. With a VCISO service, their CISO expert team would be split amongst several other companies, which they may prefer to avoid—even though such a setup does have cost and knowledge benefits (teams working with multiple customers can apply lessons learned with one company to others).

Another benefit of having an in-house CISO is the potential impact on the company’s public image. Being able to retain a dedicated C-level exec to focus on cybersecurity helps demonstrate that the company has the resources to effectively manage security and the dedication to see it through—which can have positive impacts outside of just improving the company’s security architecture.

Finally, having an in-house CISO gives the people in your organization someone they can directly report to regarding cybersecurity issues. This helps to raise awareness and compliance with critical security initiatives in your company. Being able to directly distribute and collect reports with people in the company (and having the internal authority to make security policy decisions stick) can make a world of difference in how well cybersecurity initiatives are executed.

So, which is better for your organization? Well, the answer depends on what your goals are and what resources you already have available. Truly massive companies will most often benefit from having an internal CISO with a dedicated cybersecurity support staff in-house. Meanwhile smaller organizations might need to leverage the cost and 24/7 service benefits that using a virtual CISO can provide.

Need some help optimizing your cybersecurity policies and procedures, but not really sure if a virtual CISO service is right for you? Reach out to the Compuquip team to talk about your security needs and how to address them.