
What is a virtual CISO (vCISO)? Does your business need one?

The virtual chief information security officer is a C-suite-level security professional or service provider who offers CISO-level expertise on a part-time, remote or contractual basis. They provide the same level of strategic guidance, management and oversight as a traditional, full-time CISO but in a more flexible, scalable and cost-effective manner.

Other than time commitment and physical location, the virtual CISO (vCISO) has the same key responsibilities as a regular CISO -- including developing and maintaining cybersecurity strategies and policies, conducting risk assessment and management, maintaining regulatory compliance, incident response planning, and security awareness training.

How does a virtual CISO differ from a traditional CISO?

A virtual CISO performs most -- if not all -- the same core functions as a traditional, full-time CISO. They just differ in terms of engagement model, cost, flexibility and organizational presence. Some of the differences include the following:

Factor            CISO                                    Virtual CISO
Cost              High (more than $250,000 per year       Lower (flexible billing models).
                  plus benefits).
Time commitment   Full time.                              Fractional/project based.
Ideal for         Mature, large, high-risk enterprises.   Growing, small- to medium-sized
                                                          businesses and transitioning organizations.
Onboarding speed  6-9 months.                             1-4 weeks.
Engagement        In-house executive.                     External adviser with C-level access.
Scalability       Fixed capacity.                         Scales services as needed.
Coverage          One organization.                       May serve multiple clients.

What are the benefits of hiring a vCISO?

There are several benefits to a virtual CISO, including the following:

  • Cost-effective expertise. Ideal for organizations that have limited resources but want to improve their security and information systems. It also avoids a long-term financial commitment.
  • Regulatory compliance. Ideal for organizations that need to become and stay ready for compliance frameworks such as ISO 27001, HIPAA or GDPR. This includes policy creation, gap assessments and audit support.
  • Security leadership without delay. Ideal for organizations that want senior-level guidance without a lengthy hiring process. This is especially useful for filling leadership gaps during transitions, post-breach response, IT team restructuring and M&A activity.
  • Executive-level strategy. Ideal for organizations that want a clear cybersecurity roadmap aligned with their business and digital transformation objectives.

Does your business need a vCISO?

The key dividing line between a virtual and a full-time CISO is need. Virtual CISOs are best suited to small- to mid-sized businesses that have emerging security and information management demands but don't have the size, growth or income to justify a full-time C-suite-level executive.

A vCISO enables a small, growing company to start off with a part-time chief to help build its security and information systems. And when growth warrants it, they can switch over to a permanent, full-time CISO. This way, the CISO position does not have to be left empty until the company has reached sufficient size to justify hiring someone. Issues addressed by a CISO don't wait until the company has grown to a large size -- they are there from the beginning, and leadership should be, too.

Conversely, businesses should choose a traditional CISO in the following situations:

  • Need a dedicated security leader for a large or high-risk environment.
  • Have a complex internal infrastructure and large IT/security team.
  • Need continuous strategic leadership and culture building.

How much does a vCISO cost?

The cost of a vCISO varies based on several factors, including the following:

  • Scope of services. Services can range from basic, single-task projects to comprehensive programs such as compliance management and incident response. The more complex and comprehensive the engagement, the more it will cost.
  • Experience and expertise. Highly experienced vCISOs with specialized knowledge command higher fees, especially those with skills in specific technologies or markets.
  • Company size and complexity. Larger organizations with more complex IT environments cost more to cover.
  • Geographic location. Rates vary with the cost of living where the work takes place. An engagement in San Francisco will cost more than one in Nebraska.

Pricing is also determined by the length and scope of the engagement:

  • Project-based pricing. Ranging from $10,000 to more than $100,000 per project, this is ideal for one-time projects and specific initiatives such as security audits, compliance assessments or incident response planning.
  • Hourly rate. Ranging from $150 to $500 per hour, this is ideal for organizations with minimal time requirements or specific project-based work. For example, a startup might seek a one-time security assessment.
  • Monthly retainer. Ranging from $5,000 to $20,000 per month, this is ideal for a company needing ongoing interaction with a vCISO for management and oversight. Whereas the hourly rate would most likely be confined to a single issue or topic, a monthly retainer would cover multiple issues. Such an arrangement would likely be done on set hours per month.
  • Annual retainer. Ranging from $30,000 to $120,000 per year, this is ideal for organizations that are on the verge of hiring a full-time CISO and want a comprehensive, long-term security partnership. A company might bring in a candidate on this basis and, if the arrangement works for both sides, make the position permanent.

How to find the right vCISO service

Hiring a virtual CISO can be approached like hiring any other C-suite-level executive, through a trusted executive search firm, or by engaging a security service provider that offers vCISO services. Executive search firms specialize in high-level placements and offer a comprehensive, discreet and tailored approach.

The top and most reputable C-suite recruiting firms are referred to as the "Big Five" or "SHREK firms" -- an acronym for their names. They include the following:

  • Spencer Stuart.
  • Heidrick & Struggles.
  • Russell Reynolds Associates.
  • Egon Zehnder.
  • Korn Ferry.

Beyond that, it's up to the hiring company to do most of the legwork and preparation. That means:

  • Defining the role and your needs by assessing your current security posture.
  • Defining the scope of the vCISO's responsibilities.
  • Identifying the key qualities and technical expertise of an ideal candidate.
  • Requiring a deep understanding of cybersecurity frameworks, technologies and emerging threats.
  • Finding a candidate with a proven track record of building and leading security teams.
