Is the vCISO Model Right for Your Organization?

Over the past few years, the job of protecting businesses from hacker- and compliance-related security issues has become unwieldy, to say the least. While larger companies typically have chief information security officers (CISOs) to handle these issues, smaller companies often don't. Sometimes it's because smaller businesses haven't felt the need to have one, and sometimes it's purely a budget decision.

It's getting harder to justify not having a CISO, so many businesses that have never had one are filling the gap with a virtual CISO (vCISO). A vCISO, sometimes referred to as a fractional CISO or CISO-as-a-service, is typically a part-time, outsourced security expert who helps businesses protect their infrastructure, data, personnel and customers. Depending on the needs of the company, vCISOs can work on-site or remotely, for the long term or short term.

There are plenty of reasons why companies are going the vCISO route. Sometimes it's an internal crisis where a company's CISO has unexpectedly resigned and the board needs time to find a permanent new one. Other times it revolves around new regulatory or business requirements or a cybersecurity framework the company needs to adhere to, like NIST's Cybersecurity Framework 2.0 (expected in 2024). Sometimes a board member used to being briefed by the CISO may request a vCISO.

"A smaller company might need a CISO but just a few days a week, and that type of delivery model is perfect for a vCISO," says Russell Eubanks, a vCISO who is also on the faculty of IANS Research and an instructor with SANS Institute.

The key is flexibility, he adds. If the company needs the vCISO for 40 hours a week for some period of time, that's also OK.

In addition to smaller businesses, organizations in the software-as-a-service (SaaS), manufacturing, industrial and healthcare industries are also good candidates for the vCISO model. While some believe the financial arena can also be a good fit for vCISOs, others say the area is so heavily regulated that financial institutions should have their own full-time CISOs.

What vCISOs Do

The most common duties vCISOs perform for companies include governance, risk, and compliance (GRC), developing and executing strategic plans, and evaluating and enhancing security maturity, according to a Hitch Partners report. Experienced vCISOs will understand cyber-risk, technology, and enough about the business to orchestrate an effective security strategy.

vCISOs also spend time advising permanent vCISOs. Nick Shevelyov, who spent years as a CIO and then CISO at a San Francisco area bank, says he routinely called in vCISOs to pick their brains. Today, Shevelyov is an executive cybersecurity adviser and vCISO operating his own boutique consultancy.

"CEOs, CFOs, CIOs, CTOs, or even CISOs can engage a vCISO to help them quickly understand what they need to prioritize and assess whether their tech is correctly configured, installed, and architected, which can cause cybersecurity vulnerabilities," Shevelyov says. "As a CISO, I wanted to learn whatever I could."

Sometimes companies even engage a vCISO to define the role within the company so the vCISO can eventually prepare the next, permanent CISO to take over.

"More often than not, I've seen highly qualified fractional CISOs work themselves out of a job because they are grooming someone," says Nick Puetz, managing director of the security and privacy practice at Protiviti, a technology consultancy that provides vCISO services.

Companies interested in finding a vCISO have plenty of options. In addition to asking industry experts they know, they can find plenty of candidates from large consulting firms, boutique firms specializing in vCISO services, and managed services providers. The key, Eubanks says, is that candidates have experience working as a CISO, preferably in the same industry as the company seeking the vCISO.

Finding the Right vCISO Fit

A few years ago, when a midsize credit union unexpectedly lost its cyber leader to another company offering more money, it found itself at a crossroads. With about only 600 employees and no prepared succession plan, the credit union didn't have anybody on staff who could step into the CISO role. So while the executive team prepared for a months-long search for a new CISO, it turned to global consulting firm Protiviti to provide a part-time, temporary CISO.

Finding the right vCISO for that midsize credit union took some work on Protiviti's part.

"It's about sitting down with them and understanding what they need to accomplish and where we would start the journey," Puetz says. "With that information, we can suggest packages we offer that might make sense or tailor something specifically to their needs."

Here are some other tips to keep in mind when scouting for a vCISO.

Know what you need. Before even diving into potential candidates, it's important to know what you're looking for and nail down your requirements, says Deron Grzetich, national cybersecurity lead at West Monroe, a digital consulting firm.

"Sometimes you need someone who is more like a cruise ship captain, not there to make a lot of changes but to keep the train moving. Then there are field CISOs, who are more like evangelists who help solve relevant cyber issues and are more a face of the company," Grzetich says. "It depends what you're looking for and where you are in your cyber maturity journey."

With that in mind, define the scope and outcome expectations of the vCISO role clearly. Having these factors defined will help ensure that the person is aligned with the role, he adds.

Find appropriate candidates. There are plenty of places to look, but finding the right person — someone who understands your company's dynamics and has the right experience — can be frustrating. First off, make sure they have experience as a CISO. That might seem like obvious advice, but it's important.

"There are plenty of senior consultants out there who can't find a good job, so they put out a shingle advertising their services as a vCISO," warns Ira Winkler, longtime president of the Internet Security Advisor's Group and field CISO at CYE, a global consultancy. "But if you dig in, you'll find they have never been in charge of the security at an organization."

Vet candidates carefully based on your priorities. Familiarity with the industry can be important because it reduces the learning curve and helps ensure that the potential vCISO understands your company's issues. For example, if your company is a highly regulated financial organization, experience in that area would be key. If your company has a heavy customer focus and is sales-driven, experience in that realm would be helpful. It's also useful for the candidates to have experience in companies of a similar size.

But while compatibility is important, the right vCISO can override some of it.

"The size of the company and vertical are important, but they aren't deal-breakers," Eubanks says. "For example, I've done work in healthcare, financial, and communications industries, and I can see many similarities in other industries like manufacturing. Many similar requirements permeate multiple industries."

Don't rush the process, and be realistic. "I've seen many situations [where] organizations don't take the time to find the right type of person, or they're unwilling to get the right type of counsel they need to find the right type of person," Puetz says. "If they rush to bring someone in, sometimes they will find that it's not a fit."