Virtual CISOs - When & how to hire one?

A Virtual CISO, as the name suggests, is an outsourced specialist who leads your organisation’s cyber security function and provides rich expertise remotely. Cybersecurity has quickly become the number one priority for many businesses across the globe and having the right kind of leadership at the helm of your IT and security can make all the difference today. 

A Chief Information Security Officer or CISO is basically a senior executive in the organisation responsible for the protection of computer systems, computer networks and sensitive information from cyber threats. The CISO has to establish the organisational vision with respect to risk management and protection of critical assets. The CISO role is complex and requires expert knowledge and diverse experience.

However, not every organisation can afford to hire a specialist cyber security expert, set up a dedicated cybersecurity team with information security managers or even put the right security measures in place in terms of information technology. To give you some perspective, a CISO’s salary can be anywhere from £120-250 thousand per year. Some of the best VCISOs in the market, on the other hand, can be hired around £12,000 per year.

A virtual CISO, then, is the perfect way to bridge the gap when it comes to navigating security risks for your small business in a cost-efficient way. 

A virtual CISO or VCISO is basically a trusted advisor/cybersecurity expert who acts like a security consultant for your business. The Virtual CISO is not a full-time employee of your organisation but will carry out all necessary tasks with respect to protecting your business and your sensitive data from security incidents.

1. What can a VCISO do for your organisation?
2. When and how should you hire a VCISO?
3. How to select the right VCISO service for your organisation?

The VCISO can do some or all of following for your business:

• Evaluate and assess your organisation’s vulnerability to cyber risks and overall breach readiness.
• Examine if your existing technology is adequate for risk management. Help identify, assess and select cost efficient technologies wherever required.
• Give trusted advisory on information security and data privacy.
• Offer a basic level of education to key stakeholders on how to protect your business against malicious software, phishing and social engineering attacks.
• Deliver specialised cybersecurity training to specific teams and executives in the organisation if required.
• Give vendor-agnostic advice on current and future cybersecurity investments.
• Manage and communicate with regulators for all data privacy and information security requests on your behalf.  
• Ensure organisational compliance with regulatory requirements if any.

Basically a virtual CISO will do everything for your business that is expected out of a cybersecurity leader, albeit virtually and on a consultancy basis. This brings us to the next question.

You should hire a VCISO when:

• You definitely feel the need for hiring security leadership but cannot afford a full-time CISO.   
• You may feel the need for an external security advisor. But you realise the requirement is not adequate to warrant hiring someone full time. In fact, you may realise that you don't actually need a CISO but a virtual information security manager and that requirement too can be fulfilled by most reputed VCISO service providers. 
• You need a bespoke security strategy created for your business.
• You want a vendor-neutral perspective and/or review on technology investments.
•  You want your business to align with international regulatory requirements & standards like the ISO 27001:2013, UK’s Cyber Essentials
• You want to implement NIST’s Cybersecurity Framework across your organisation.
• You are embarking on a major transformation project in IT or in IT Security.
• You want to implement the NIST’s Cyber Incident Response Methodology.

Secondly, when making your decision about how to hire a VCISO, keep in mind the expertise and experience they bring to the table. As a VCISO presents significant cost-savings to your business, you can actually go ahead and bring on board a very senior and experienced person to lead your security division.

Here are some of the things you should consider when looking to hire a VCISO service provider:

• The company must specialise in the area of cybersecurity consultancy and advisory overall.
• The leadership of the company itself should be respected and well known.
• The organisation must be flexible with their service contract options so as to meet your organisation’s different and evolving requirements over time.
• Make sure that the VCISO you hire is supported by a team of compliance and governance experts.
• The VCISO who will be working with you should have a track-record of being a great communicator and should be able to relate to both senior business executives and middle to junior level techies.