What are the pros and cons of hiring a virtual CISO?

A virtual CISO is a good option for smaller organizations that want stronger security leadership, but don't have the budget. Expert Mike O. Villegas discusses the pros and cons.

There's been a lot written about the concept of a virtual CISO, or a part-time CISO, who assists companies as needed.

This seems especially beneficial for smaller companies that don't have large infosec budgets. What are other benefits of using a virtual CISO? What are the potential drawbacks?

Several compliance regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS), International Organization for Standardization 27002 and National Institute of Standards and Technology Special Publication 800-53, require a "formal assignment of information security to a Chief Security Officer or other security-knowledgeable member of management," as stated in PCI DSS Requirement 12.5.

For medium to large organizations, this function is typically assigned to cybersecurity professionals who have a working knowledge of information security and protection mechanisms. Larger organizations also assign a CISO or director of information security to oversee all aspects of the information security program.

However, with small to medium-sized businesses (SMBs), assigning a dedicated CISO or knowledgeable member of management can be a challenge. This is typically because the size of the organization restricts how much of the budget can be dedicated to a CISO.

Smaller organizations have resorted to hiring a virtual CISO, or part-time CISO, who can satisfy this requirement and dedicate his attention to the proper levels of protection over corporate assets. There are both pros and cons to hiring a virtual CISO.

Pros:
  • The virtual CISO brings extensive experience gained as a CISO in other organizations, as well as knowledge from the other security positions he has held.
  • Since he's not a full-time employee, the virtual CISO does not require employee benefits, such as health insurance; there is no tax burden, and he is used only when needed.
  • The virtual CISO can be placed on a retainer and can be on-call 24/7 if an incident occurs.
  • Hiring a virtual CISO signals a higher level of confidence in security management than hiring a virtual information security manager or virtual security engineer.

Cons:
  • If not properly vetted during the interview process, the virtual CISO may not have the experience necessary to meet the high expectations of the position, and that could cause damage to the organization.
  • Scheduling conflicts could prevent the virtual CISO from being on site when called upon if the visit is not planned ahead of time.
  • Day-to-day decisions may still need to be made by full-time managers, so that the virtual CISO's limited time can be reserved for less urgent matters.
  • Although a virtual CISO is less expensive than a full-time CISO, the cost savings may be greatly diminished as demands on the virtual CISO's time increase.

Hiring a virtual CISO is a good approach for SMBs to obtain the management, deployment and maintenance of a sound information security program. A virtual CISO can even be an acceptable interim solution for medium to large companies that have an immediate need for information security management until a full-time CISO is hired.

However the virtual CISO is used in your enterprise, know that he undoubtedly has other clients, and he will have to decide which client he will respond to first when a conflict arises. The enterprise needs to fully understand the possible delays that may occur with a virtual CISO assignment.


This was last published in February 2017