
While a Chief Information Security Officer (CISO) can be invaluable to a company with regard to safety and cybersecurity, some smaller enterprises may want to look into a Virtual CISO (vCISO) to cut down on expenses. Michael Gray, Chief Technology Officer at Thrive, compared the two positions and outlined the differences for companies looking to invest in this type of role.

A virtual CISO is an independent or contracted worker who fills the role of a CISO but is not employed full time. This person makes the decisions that a CISO would normally handle, but their role is not inherently intertwined with that of the company.

“I think for starters, maybe on the face of it, [a vCISO] looks very similar to a CISO, but when you peel the pieces back, there’s some really big differences,” Gray said. “Over time, we find that once companies have a good security program that is built on a solid foundation, many of them only need a fractional vCISO. So, they don’t need a full-time person once they get through an initial exercise. It’s frankly not a full-time job depending on the size of your organization.”

The benefits of hiring a vCISO

For small-to-medium-sized businesses, saving money by employing a vCISO may be the route to take. Full-time CISOs command fairly hefty salaries that up-and-coming operations may not be able to afford, for services they may not need. A full-time CISO in the United States earns an average of $230,223, which could be seen as unfeasible for smaller companies.

“[For businesses] up to 500, even 1,000 employees, you likely don’t need a full-time CISO, and you can leverage a virtual CISO, and get all the benefits that you would need without a significant expense,” Gray said. “The salary for a full-time CISO is pretty mind-blowing at this point, and there’s not even a lot of good candidates out there. You may find a candidate, but they may have no understanding of your vertical, or the industry that you’re in.”

To counterbalance this from both a monetary and an operational perspective, a virtual, independent CISO analyzes the existing and ongoing processes of a business and makes determinations based on the infrastructure already in place. Gray says this allows a vCISO to make tough decisions as needed, because their success does not lie solely with the company they are contracted to work for, which lets those in the vCISO role be more objective in their decision-making.

“Having an independent [virtual] CISO can say, ‘I see this stuff all the time. This security monitoring service you have, it’s not doing the trick, and you’re not getting your money’s worth out of it’,” he said. “But that may be difficult for a full-time CISO, especially in a smaller company, to see. The other thing is, a virtual CISO, at least how we view it, they’re going to help you get a lot more value for your existing investments. Whereas perhaps the CISO invests in a piece of security technology, and they’re sort of personally vested in it, they spend a lot of time, and at the end of the day it’s not the right fit.”


How businesses can help accommodate a vCISO

For SMBs looking to hire a vCISO, having the right groundwork in place lets the person in the role hit the ground running from the moment they come on board. Once the company has taken stock of its own cybersecurity posture, a virtual CISO can begin work right away.

“The company has already done the first thing, which is highlighting the need to have a security program, not just a piece of technology,” Gray said. “First of all I’d ask, do you have anything today? What is your security program today? Do you have any documents? Just take a general inventory of where you stand, because that’s the first thing that anybody would ask, do you have any place that we can get started? Most don’t, and that’s okay, but being able to answer that question right off is really good.”

From there, Gray says that assessing the company’s risk is a major consideration, along with addressing any compliance-related questions that may arise.

“The question I would ask is, ‘Mr. Customer, are there any compliance frameworks that you need to be adhering to that I need to know about on day one?’ If they tell you, ‘Well, there might be, we’re not sure,’ that’s a difficult thing,” he said. “The third piece is really a risk conversation. Think about where your organization is comfortable, from a risk standpoint. We want to be 100% locked down, and we want it to be a very strict employee environment, or we’re open to our employees doing things like working from their phones or things like that. These are all business questions that you can ask yourself before the person even starts.”

By following this advice, small-to-medium-sized companies looking to hire someone for the virtual CISO role can know what to look for, as well as how quickly a candidate can get an organization’s systems fully secured.
