What is a vCISO?
A vCISO, or Virtual Chief Information Security Officer, is a security professional or group of security professionals contracted to provide support in creating, maintaining, or updating an organization’s security and/or privacy posture. These professionals can be cybersecurity experts, financial experts, lawyers, and more. The “virtual” in vCISO refers to the benefits a vCISO offers, which resemble those of most third-party cloud platforms: an organization can pick and choose exactly the services it needs, much like Amazon’s “pay as you go” model. Alternatively, you can think of a vCISO as “CISO (Chief Information Security Officer) as a service”. While this service is quite beneficial to those who don’t have an in-house security leader, it can also be utilized by organizations that just need additional support. Throughout this article, we’ll cover why you may want a vCISO whether you have a CISO or not, what role the vCISO plays in the organization, what services they can provide, and how much those services can cost.
What is the role of a vCISO?
The role of a vCISO is becoming increasingly important in today’s digital landscape. A vCISO provides strategic leadership and guidance to a business on matters related to information security and data privacy. Their responsibilities include managing risk, developing security policies and procedures, and ensuring compliance with regulatory requirements.
One of the primary goals of a vCISO is to act as a trusted advisor to senior leadership, helping to develop and implement comprehensive security programs that align with the organization’s goals and values. This includes identifying potential security risks and developing risk management plans that prioritize the organization’s most critical assets.
A vCISO works closely with IT teams and other stakeholders to design and implement technical solutions that support the business while mitigating risk. They oversee the implementation of security controls, including firewalls, intrusion detection systems, and antivirus software. They also monitor network traffic for signs of potential threats and respond to security incidents as they occur.
Another critical aspect of the vCISO’s role is ensuring that the organization remains compliant with regulatory requirements. This includes staying up to date with changes to data privacy laws and implementing the necessary controls to protect sensitive information. The vCISO is also responsible for developing and implementing policies and procedures that align with industry standards, such as ISO 27001, and working with external auditors to ensure that the organization remains in compliance with relevant regulations.
Why pay for a vCISO?
With the modernization of the world, the most important asset of any organization has become its data. Whether that data consists of confidential information, intellectual property, R&D, projects, employee information, or customer information, keeping it safe must be a top organizational priority. Therefore, any organization of a significant size will have a CISO responsible for designing the cybersecurity and privacy strategy and for implementing the overall program. In addition, some state laws or industry regulations require an appointed CISO. Because CISOs are so crucial to an organization, and because people with the necessary set of skills are scarce, finding the right person for the job can be more difficult than it sounds.
Qualified CISOs are in massive demand, so much so that they can and will reject offers until an acceptable one comes along. First, a full-time CISO’s expected salary can range anywhere from $150,000 to $500,000, with the average being around $200,000. Second, in-house CISOs are typically expected to be on-site, meaning they will likely have to relocate and incur the associated expenses. And lastly, a potential CISO candidate may take one look at the current state of the potential employer’s procedures and practices and decline the offer. If you’re looking to hire a dedicated, competent, and hands-on CISO, you should expect them to look for companies where they believe they can succeed, for the right amount of money.
In order to set the stage for a desired in-house CISO, some organizations turn to hiring a vCISO first! A vCISO team can lay the foundation for a CISO to be successful, help with the hiring process for a CISO candidate, or even help train a selected future CISO in the necessary skills. Contracted vCISO teams can take full advantage of their combined experience and expertise to work more efficiently and turn a daunting task into a more approachable one. A vCISO may be necessary for the foundational tasks that determine the success of a company’s security and privacy postures.
Another great use case for a vCISO is providing additional support to an organization that already has a CISO. It should be obvious by now that full-time CISOs have a very crucial and difficult job. Their task is important, yet so broad that even with an entire team under them, it is understandable if additional support needs to be brought in for a particular purpose. This allows the CISO to keep focusing on their existing tasks when new, unfamiliar, or surprisingly difficult ones are proposed. For example, a vCISO such as BD Emerson could be brought in to check whether your organization follows all necessary regulations or industry standards, while providing proof that your organization is taking the necessary steps as part of conducting due diligence. That way, no unnecessary or chaotic stress is placed on the CISO and the teams handling other important areas of security. No one can be an expert on everything, and utilizing a vCISO can help cover any weaknesses within an organization.
Lastly, another potential use case for a vCISO is as an “interim” or “substitute” CISO. In some circumstances, an organization may be missing a full-time in-house CISO. If absolutely necessary, a vCISO can be contracted to perform ALL the tasks a CISO would typically perform, either until a new CISO is found or indefinitely. Unfortunately, a vCISO is likely less cost-efficient for large businesses at that point. However, a vCISO could allow the business to remain fully operational while maintaining safety and efficiency.
What services can a vCISO provide?
A vCISO can provide many potential services depending on the size and expertise of each vCISO. They could cover many different subtopics of security such as physical security, network security, data privacy, and more. A few example services a vCISO could provide include the following:
- Policy development including privacy policies, security policies, etc.
- Compliance with regulations and/or industry standards such as ISO 27001, SOC 2, or PCI.
- Vulnerability Assessments through vulnerability scans, penetration testing, and/or white hat hackers.
- Physical Security to ensure proper procedures are practiced to prevent unauthorized access by people or to systems or data.
- Executive and board support, helping present a new security posture to your company’s executives and board.
- Training and Development of a new CISO to lead your organization’s security posture.
- Recruiting new people to fill security roles, such as the CISO, by providing advice on industry standards and potentially taking part in interviews.
- Stand-in CISO to fill in for a departing CISO or until a future CISO is hired.
How much do vCISOs cost?
The price of vCISO services can vary significantly depending on a few factors. As mentioned earlier, it’s similar to a “pay as you go” or “pay only for what you need” format. Prices can range anywhere from $5,000 to over $250,000 a year, depending on various factors, including:
- How developed or “mature” are your organization’s current cybersecurity/compliance programs?
- How many hours does the vCISO need to spend on the organization?
- How is the contract structured?
  - Contracts that lock in longer terms usually cost less over the duration.
- How niche are the services required by your organization?
- How much of an expert is the vCISO you’re contracting? How many experts? What is their level of knowledge?
  - As may be expected, big-name / well-known firms will cost more.
The low end of $5,000 could include services such as vulnerability assessments or penetration tests, whereas the upper end will most likely consist of services roughly equivalent to that of a full-time CISO. By being mindful of these factors, you can make educated decisions about whether or not a vCISO is a good fit for your organization.
When should an organization work with a vCISO or CISO?
To begin with, each organization should examine what requirements exist and how they can be addressed. Any business dealing with valuable, sensitive, or personal data will likely need a CISO or vCISO. As mentioned before, this is often required in practice by either laws or industry regulations. If your organization is an SMB or just needs a few specific requirements addressed, a lot of time and/or money could be saved by hiring a vCISO. On average, a vCISO is estimated to cost 30-40% of the price of a full-time CISO. However, this is not the case when the vCISO is used to stand in for a full-time CISO at a large company, where it could cost 30-60% more than an in-house CISO. There are benefits and downsides to both use cases, and an organization needs to weigh the benefits of contracting a vCISO against those of hiring its own CISO.
Benefits of a vCISO:
- Customizable services.
- Pay for only what you need.
- Globally accessible.
  - Via calls or their personal portals with detailed reports.
- Remove stress from your executives or security team so they can focus on other parts of security/privacy.
- Likely more experienced since they have broader opportunities.
- Group of people with different expertise rather than a single person.
Benefits of an in-house CISO:
- Dedicated/specialized expertise.
- Hands-on and on-site.
- More availability.
- Potentially more cost effective in the long run.
For organizations currently growing or just launching, a good plan would be to hire a vCISO to lay the groundwork and cover the role until a full-time CISO is hired on a permanent basis. The vCISO can then help onboard the full-time CISO and be brought in as needed in the future. For smaller organizations, it will likely only be necessary to bring in a vCISO as needed for workstreams the organization cannot manage internally due to lack of resources, specialized knowledge, or the level of risk.
About BD Emerson
As a vCISO service provider, we at BD Emerson understand the importance of developing and implementing comprehensive privacy and security programs for businesses of all sizes. We have extensive experience working with various regulations, including HIPAA, GDPR, CCPA, CDPA, and other emerging data privacy laws. Our team of experts, including legal, technology, and compliance professionals, can support businesses in building and implementing holistic programs that comply with regulatory requirements.
We also recognize the critical role that technology plays in today’s business environment. As such, we specialize in providing guidance on technical controls for your organization while ensuring compliance with data privacy and information security regulations. We work with companies to design and develop customized security programs that align with their business needs and comply with regulatory requirements. If you believe your organization needs guidance from a vCISO or needs a cybersecurity strategy, please allow us to help by contacting us at firstname.lastname@example.org or email@example.com.