CISO as a service (vCISO, virtual CISO, fractional CISO)

What is a CISO as a service (CISOaaS)?

A CISO as a service (CISOaaS) is the outsourcing of CISO (chief information security officer) and information security leadership responsibilities to a third-party provider. By hiring a third-party provider to manage its security program remotely, an organization gains access to staff and resources that it doesn't have in house, allowing it to better keep up with information security and compliance demands.

CISOaaS is often paid for on a subscription or per-use basis, like many XaaS models. Also like many XaaS models, CISOaaS offerings may be entirely remote, or may be a hybrid model in which the provider's experts work with an organization's existing security team both remotely and onsite.

Having robust security leadership is important in the modern organization, as digital transformation increases an organization's overall breadth of vulnerabilities. But the industrywide cybersecurity skills shortage means that affordable, skilled security leaders are hard to find and easy to lose. High stress levels also fuel CISO turnover, leading many to bounce from organization to organization. CISOaaS provides a potential solution to staffing problems by providing access to cost-efficient security leadership on an as-needed basis.

CISOaaS may also be referred to as a fractional CISO or virtual CISO (vCISO). Editor's note: Fractional CISO is also the name of a company that provides CISOaaS offerings.

CISO-as-a-service responsibilities 

The CISOaaS has mostly the same responsibilities as an in-house CISO. These include the following:

• protecting the confidentiality, integration and availability of data;
• long-term cybersecurity strategy development;
• governance, risk and compliance program development;
• risk assessment;
• risk management;
• security awareness and training;
• developing secure business and communication practices;
• reporting on security operations;
• monitoring security operations;
• defining metrics to measure program success;
• management of personnel and vendor relationships; and
• integration and management of other third-party security services.

CISOaaS providers serve multiple businesses at once. A vCISO must therefore have good people skills and be able to adapt to, understand and meet each customer's unique needs.

CISO-as-a-service job requirements and certifications 

Virtual CISOs have certain job requirements that closely mirror the requirements of a traditional, in-house CISO.

Virtual CISOs should have strong leadership skills and an in-depth understanding of information systems and security. They should also be able to effectively communicate their complex security and IT knowledge to colleagues with varying levels of technical understanding.

CISOaaS vendors will often display cybersecurity certifications and credentials that demonstrate their expertise in the field. They may also offer training programs for clients' staff to earn these certificates themselves. Such certifications might include the following:

• Certified Information Systems Security Professional (CISSP) certification;
• Certified Information Systems Auditor (CISA) certification;
• Certified Information Security Manager (CISM) certification;
• Certified in Risk and Information Systems Control (CRISC) certification; and
• Certified Chief Information Security Officer (CCISO) certification.

Benefits of employing a CISO as a service 

Using a virtual CISO can have both pros and cons. The potential benefits of hiring a CISOaaS include the following:

• Unbiased analysis. As an external third party, the vCISO may be able to evaluate an organization's existing security program more objectively than an internal employee.
• Cost-effectiveness. Pay-as-you-go pricing allows organizations to pay for only the time and services they use. A vCISO is usually drastically cheaper than having a salaried CISO in house and saves on capital expenditures.
• On-demand service. Using a service provider allows for constant, flexible availability of security resources. As demands change, clients can alter their services accordingly.
• Long- and short-term benefits. In the short term, vCISOs can make organizations more secure by identifying immediate risks and introducing or tightening controls. In the long term, they can help lay the groundwork for a future in-house security program through training and improvement of core processes and infrastructure.
• Experience. Many vCISOs have had extensive experience working with a wide array of diverse organizations.

One of the disadvantages of hiring a vCISO is that they likely will be serving other organizations as well. This could potentially lead to problems with loyalty, timely responses and risk ownership if a breach occurs. An in-house CISO is a better option for organizations that need an employee with no other external commitments.

Additionally, as Gartner analyst Sam Olyaei has pointed out, anyone can claim to be a vCISO. That means organizations interested in CISOaaS must do their homework to find candidates with the necessary qualifications, experience and capabilities.

Determining if you need a CISO as a service 

Any organization without a CISO in house could consider CISOaaS as a viable option. Following are several scenarios in which this might be the case:

• Startups without the resources to hire full-time CISOs can use vCISOs for their expertise and cost-effectiveness.
• Organizations that are in the process of looking for new permanent CISOs can hire vCISOs temporarily to fill the gap.
• Organizations under pressure to meet security or compliance goals can benefit from vCISOs' on-demand nature.
• Organizations looking to upgrade their cybersecurity programs can seek the third-party expertise of vCISOs.
• Organizations that use lean IT principles can temporarily employ a vCISO rather than investing in a full-time position.
• An organization without a permanent security team that wants to lay the foundation for a new, long-term program can get started with a vCISO.

CISO-as-a-service offerings

CISO-as-a-service offerings are usually pay-as-you-go and on-demand. They are often paid for on a yearly subscription basis using a retainer. The amount of time the vCISO spends on site is then negotiated and the retainer is based on a set number of days or hours per year. This varies based on the vendor's offerings and the customer organization's needs.

Sometimes vCISOs are hired for short-term fixes to security issues; other times they are hired for longer-term solutions, such as developing a company's entire security program.

CISOs are some of the highest-paid professionals in IT security. Hiring a vCISO is often drastically cheaper because of this payment model. Organizations may spend between $100,000-$200,000 a year on retaining in-house talent, whereas a vCISO generally costs less than half of that.

Some organizations that offer CISOaaS include Fractional CISO, Lares, ITgovernance, Truvantis and iSecure.