October 14, 2021

When Does Using a Virtual CISO Make Sense?

By Drew Reusser, Senior Manager, Cybersecurity Defense & Threat Management, Marcum Technology

When Does Using a Virtual CISO Make Sense? Cybersecurity & Digital Forensics

Open any magazine or news site and you’ll be inundated by articles about the latest cybersecurity breach or software vulnerability. Companies are similarly inundated — they must juggle compliance requirements with multiple regulations in the government jurisdictions where they do business. That list could include NIST, ISO, PCI-DSS, GDPR, CCPA, COPA, HIPAA, etc. It’s a literal alphabet soup of acronyms that could give any company analysis paralysis.

Where Should You Begin?

Proactive leaders are attempting to get ahead of the cybersecurity game by hiring cybersecurity experts to help them navigate the various frameworks and develop a coherent strategy to address the government’s needs while delivering results for their clients.

Once an organization has committed to tackling the cybersecurity hydra, where should it begin? The first step is understanding where things currently stand, which can be done by engaging an external firm to review the company’s cybersecurity posture. The firm will then perform a risk analysis and implement a roadmap for developing cyber maturity throughout the organization.

Who leads this charge? Large organizations employ a chief information security officer (CISO) to lead the strategic implementation of a cybersecurity program. But what happens if you are running a smaller organization that cannot afford an executive who commands a salary of $250k-$400k per year?

Cybersecurity is a very competitive field, and some organizations are unable to attract top talent. As a result, the consulting market has adapted and many organizations now provide services that traditionally were exclusively run in-house by a full team. The rise of virtual CISO (or vCISO) services is no surprise, given that some organizations are unable to spend a quarter of the IT budget on one person’s salary.

A vCISO is a consultant who acts as a CISO, but is not a full-time employee of the client organization. This arrangement can be very beneficial as the client retains services from a highly trained individual for a fraction of the cost of keeping this individual on staff.

Before engaging a vCISO, company leaders need to understand what services or roles they want this consultant to provide. As with any position, vCISO roles come in many shapes and sizes depending on what tasks need to be completed and the cybersecurity (and IT) maturity of the client’s organization.

A few things to consider…Is the client looking for the vCISO:

  • To interface with the client’s other executives and board? Will they be creating budgets and obtaining funding?
  • To be a leader of an established cybersecurity organization, performing the HR and management functions of a typical manager in the company?
  • To be a technical expert in all things cybersecurity? Should they be the smartest technical person in the room to architect solutions?
  • To be a project manager who can implement multiple cybersecurity projects across the company?
  • To be a compliance and industry standards expert, creating and/or implementing recommendations?
  • To be its named cybersecurity owner, and manage an already implemented program?
  • To manage key results indicators (KRIs) and metrics for its cybersecurity program?

Each of these specific skillsets take years of experience to obtain, and very few people can expertly perform each of these roles. That is why it is critical for an organization to define how it wants to utilize a vCISO prior to engaging with a consultant. Working with a credible organization and interviewing possible vCISO candidates can help company leaders feel more comfortable shaping an engagement.

It’s also important to determine how the client organization wishes to engage the vCISO:

  • Must the vCISO be available daily from 8 a.m. to 12 p.m. to answer the client organization’s beck and call?
  • Is the vCISO to be available up to eight hours a week at unknown times during the week?

Keep in mind that the vCISO is an employee of a consulting organization which means the vCISO will have other clients. Many consulting organizations establish a minimum weekly time (whether it’s used or not) as part of the contract to ensure that the consultant’s time is billable to established engagements. A strategy to engage a vCISO should include defined weekly time blocks that are dedicated to the client.

There is one final, scoping question to understand: What does the client consider a successful vCISO engagement?

  • Will this be an ongoing engagement in perpetuity?
  • Are the tasks the client needs this vCISO to perform only active for a defined period of hours or months?
  • Will the vCISO only be around for a few project implementations?
  • Is the vCISO being utilized to assess the client’s environment and create a roadmap?
  • Will the client want the same vCISO to come back a year later to assess the client’s progress?
  • Is the client looking for the vCISO to implement a 50% reduction in its overall identified cybersecurity risk profile?

All of these can be tied to a vCISO engagement and need to be defined so that the client organization (and vCISO) can measure a successful engagement.

When Utilizing a Virtual CISO Makes Sense

Smaller organizations that cannot add a very expensive cybersecurity expert to their senior staff should consider hiring a vCISO. The vCISO should understand their client’s cybersecurity risk posture and work with them to develop remediation roadmaps. They should understand the day-to-day tasks the client is looking for the vCISO to perform. Together, the client and the vCISO should define how and when the vCISO will be available to the client’s organization. Finally, the client organization should determine how it will define and measure a successful project. Taking these preliminary steps will help the client get the most out of any vCISO or any consulting engagement.

Marcum Technology provides a full cybersecurity service offering. If you need any help, from beginning a review of your security posture to investigating a cybersecurity incident, or even if you just want to ask for advice on a situation you are facing, please contact us at hello@marcumtechnology.com #AskMarumTechnology