January 11, 2019

When to Hire a Virtual Chief Information Security Officer (vCISO)

A Chief Information Security Officer (CISO) is responsible for managing the Information Technology (IT) teams that implement, troubleshoot and maintain a company's cybersecurity efforts. This C-level management position requires extensive Information Security experience as well as the ability to lead. Without a CISO, IT security departments lack the backbone they need to protect a company's data and digital assets.

Some CISO responsibilities include:

· Developing IT security policies, procedures and standards

· Leading and/or supporting Incident Response and risk

· Developing Information Security programs

A virtual Chief Information Security Officer (vCISO) is a remote-based consultant who often works part-time hours. As today's workforce becomes more remote, more Information Technology jobs are moving off-site. Demand for IT roles is increasing along with rapidly evolving technologies, and many companies are hiring consultants to bridge the talent gap. Additionally, more companies are hiring vCISOs rather than full-time permanent CISOs. Hiring external resources for IT roles can be cost-effective, but only with the right candidates. Virtual CISOs can bring a lot of value to a company when brought on strategically and for the right reasons.

Pros of Hiring vCISOs

Companies typically use vCISOs only as needed and do not owe them benefits, which saves money.

vCISOs usually have the technical skills needed to adapt easily to the job. CISOs are also more experienced and can provide higher-level leadership than security managers or engineers. They may also have connections with vendors and other industry professionals, which brings further value to the company's IT team. When seeking a virtual CISO, it is helpful to look for candidates who are familiar with the company's tools, industry, and organizational structure. For example, a startup may benefit more from a vCISO who has thrived in a small business in the past.

Although this is not always the case, small companies typically work better with remote CISOs, as there are fewer employees to manage and it saves the cost of hiring a full-time CISO.

Challenges of Hiring External CISOs

Companies may find it challenging to communicate effectively with remote workers. Since CISOs are leaders, good communication is critical to success. When looking for a virtual CISO, companies should consider how much in-person contact they need from the candidate. Virtual meetings may be an option for out-of-state consultants. It is important to schedule meetings ahead of time with vCISOs, as they likely work for multiple clients.

It is important that vCISOs are properly vetted, whether the company recruits internally or seeks help from an agency. An effective vetting process ensures the CISO has the experience level and personality to succeed on the job and can meet expectations when working remotely.

The vCISO should do the following to be successful on the job:

· Understand the company's short- and long-term goals, as well as available resources

· Perform a risk assessment and drive its results

· Communicate with management regularly

· Inventory staff skill sets

· Develop a budget, strategy, program, and a board for Information Security with defined employee roles

It is clear that vCISOs are efficient and can deliver cost savings when hired correctly. Companies should create a strategic, well-thought-out plan when deciding to go virtual with a CISO, and hold the individual accountable for meeting company goals.