Why should you hire a Virtual Chief Information Security Officer (vCISO)?

Pawel Wilczynski headshot By

With the ever-increasing number of cyber threats and data breaches, it’s no surprise that businesses are seeking better ways to protect their sensitive information, whether it’s intellectual property (IP), business critical non-public information (NPI), cardholder data (CHD) personal identifiable information (PII) or personal health information (PHI). Traditionally, a company may take the approach of carving out a new internal role for a highly experienced qualified individual to oversee the information security program. However, with growing demand and high price tag of hiring security professionals, it’s not always feasible to recruit a Chief Information Security Officer (CISO).

For instance, a report from Heidrick & Struggles International, Inc. found that median total cash compensation for U.S. CISOs rose by 15% from 2021 to 2022. With this in mind, one solution that has been gaining popularity in recent years is engaging a third-party consultant to serve as an organization’s “virtual” Chief Information Security Officer (vCISO). 

A ’right fit’ solution

First and foremost, virtual CISOs provide businesses with the expertise of a highly trained security professional without the high cost of hiring a full-time employee. This can be particularly beneficial for small and medium-sized businesses (SMBs) and nonprofit organizations (NFPs), who may not have the resources to hire an in-house CISO. A virtual CISO can provide the same level of knowledge and experience as an in-house CISO, but at a more affordable and scalable cost. 

Larger companies, even those who have an in-house CISO, can also benefit from a vCISO, in a form of a deputy CISO. While two CISOs may sound like overkill, managing enterprise-wide cybersecurity at a large corporation should not be taken lightly. Ensuring you have the proper coverage of cyber resources and strategy can mean the difference between a high-profile breach and data risk mitigation. Having a second experienced security professional serving as a professional advisor can be advantageous to evaluate and implement cybersecurity tools and technologies to support the organization’s security program. 

Seeing from all angles

Another advantage of hiring a virtual CISO is the ability to bring a fresh perspective on your organization’s security strategy. Sometimes, it can be difficult for an in-house CISO to identify areas of weakness or opportunities for improvement because they are so close to the company’s operations. A virtual CISO can provide new insights on a company’s cybersecurity environment and identify potential security risks that an in-house CISO may have overlooked. Working with a virtual CISO gives you access to the experience they have gained from working with other comparable client-companies within your industry and beyond, which can be invaluable.  

Whatever you need, more or less

Virtual CISOs also bring a level of flexibility that is not always possible with an in-house CISO. With a virtual CISO, you are essentially working with them on retainer and can choose the amount of time and resources you pay for based on your organization’s security needs. This means that you can scale up or down as needed, which can be particularly useful for businesses that experience seasonal changes or fluctuations in workload. It also allows for smaller businesses and nonprofits with more limited resources to ensure cybersecurity for their employees and customers without breaking the bank. 

In addition, virtual CISOs are often able to provide a wider range of services than an in-house CISO. For example, a virtual CISO may have experience working with a variety of industries and can bring that expertise to your organization. This can be particularly useful for businesses that work in a highly regulated industry or that have unique security needs. 

One of the biggest advantages of hiring a virtual CISO is that they can provide your organization with access to the latest security tools and technologies. This is because virtual CISOs are often able to work with a variety of vendors and providers, which means they can bring a wealth of knowledge and expertise to your organization. This can be particularly beneficial for SMBs that may not have the resources to stay up to date on the latest security trends and technologies. 

Covering all the bases

What can a "virtual" chief information security office bring to your organization?

Finally, hiring a virtual CISO can help to improve your organization’s overall security posture. Virtual CISOs can work with your organization to develop and implement a comprehensive security strategy that addresses all areas of risk. This can include everything from developing policies and procedures to implementing security training programs for employees. By working with a virtual CISO, your organization can ensure that it is taking a proactive approach to security and is better prepared to prevent and respond to security incidents. 

Now, start looking!

Before engaging with a virtual CISO, work with your team to develop a comprehensive list of requirements for their role. What areas of your cyber environment do you want them to monitor, improve, or develop from scratch.

Consider the following questions when vetting a professional partner in this area: 

  • Are they willing to work alongside your in-house information systems and cybersecurity leaders and/or team, if needed? What is their approach to communication and transparency? 
  • Do they have experience or currently work with organizations in your industry or with your similar governance structure? Ask what they see as the biggest cyber threats and challenges facing your industry today. 
  • What other resources, either from their firm or their referral network, will your organization have access to? Is their network and access to other tools or professional expertise going to add value? 
  • Do they value educating, training, and teaching as part of their approach? Will engaging them in this role bring some level of professional development to your in-house team? 
  • Do they offer scalable rates or terms for their time? How flexible are they on increasing or decreasing their hours based on your organization’s needs?

This article discusses just some of the  many reasons to consider hiring a virtual CISO. Consider their answers to the questions above and make sure those answers align with your business approach and philosophy. A virtual CISO relationship works best when treated like an in-house hire—cultural and values alignment are important, and a passion for supporting your organization’s success is necessary. 

From cost savings and flexibility to access to the latest security technologies and expertise, virtual CISOs can provide a wide range of benefits for businesses of all sizes. If you’re looking for a scalable, specialized, and innovative solution, a virtual CISO may just be the right fit for you. 

To learn more about engaging a virtual Chief Information Security Officer at your organization, contact Pawel Wilczynski, BNN’s cybersecurity specialist. 

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.

Keep reading

Information Systems & Risk Assurance
Pawel Wilczynski Published in Greater Boston Chamber of Commerce Blog
Pawel Wilczynski headshot By Pawel Wilczynski
Read more about Pawel Wilczynski Published in Greater Boston Chamber of Commerce Blog
Managing Your Password Manager: Lessons Learned from LastPass and Security Best Practices
Pawel Wilczynski headshot By Pawel Wilczynski
Read more about Managing Your Password Manager: Lessons Learned from LastPass and Security Best Practices
Updates to GLBA's Standards for Safeguarding Information
Pawel Wilczynski headshot By Pawel Wilczynski
Read more about Updates to GLBA's Standards for Safeguarding Information