Does Your Company Need a Virtual CISO?

Numerous paths lead a company to retain a virtual chief information security officer (vCISO).

Companies that work with managed security service providers (MSSPs) may need to expand their security strategy and thus engage a vCISO. Following a breach, an incident response firm may recommend that the business develop a proactive security and response plan by hiring a part-time CISO. Venture capitalists may need a security expert to do due diligence during a merger or acquisition. Even cyber insurers now recommend vCISOs to policyholders to shepherd them through the process of developing best practices.

In the end, a virtual CISO gives a company an expert who can manage the security program of the business in a consistent way and often brings a different perspective, helping security teams see the forest and not just the trees, says Thomas Siu, CISO at Inversion6, a provider of virtual CISO services.

"We have a chance to step back from the business process or even the client because we're distant enough that we can look at the whole big picture," he says. "As a CISO, I could still bring in a fractional CISO to look at specific problem space for me — sometimes, the tree-forest issue does occur."

Virtual and fractional CISOs are taking off. While the shortage in cybersecurity-skilled executives makes hiring a full time CISO an expensive proposition, paying for a part-time leader to manage the overall security strategy often makes sense. While a consultant might fit the bill, often companies want an expert who could provide a consistent viewpoint based on an agreed-upon strategy or a fractional CISO who has specific skills or knowledge, such as in operational technology or a certain region's regulations.

Whether the hiring impetus is a merger, a cyber-insurance policy, or a security incident, a virtual CISO can help a company develop a long-term strategy, says Adam Tyra, general manager of security services at cyber-insurance firm At-Bay, which offers managed services and vCISO services.

"Most companies are only having that insurance conversation once a year, and then they don't have it again until it's time for the policy to renew, but the threat landscape is going to change continuously," he says. "You should be doing a lot more than the minimum that's required just to get insurance, and that's where your vCISO can help."

Lost Your CISO? Consider a vCISO

For Inversion6's Siu, the path to becoming a virtual CISO started with his work for an MSSP, handling discrete projects for clients. A former CISO at Michigan State University and Case Western Reserve University, Siu acted as a vCISO for a company doing executive protection, where he would create a cybersecurity plan for the company at risk and regularly check in to make sure the plan was being followed. Companies would also contact Siu to fill a gap when an existing CISO decided to move on.

"Somebody would lose their CISO, and they needed someone step in to do the program — it turned out to be a different economic model to have a vendor run that kind of strategic business advisory service long term," he says. "You weren't so much involved operationally. You were helping them with their budgets. You were helping them with their strategy. So you could dial it up as much as you want or dial it back, but you had to always be on call."

Typically companies in need of a vCISO reach out for one of three reasons: to meet their regulatory or contractual security requirements, to meet or exceed industry norms for cybersecurity, or to build a security program as a competitive differentiator, says At-Bay's Tyra.

"If you are a company that has a robust IT capability where you can implement all your own systems, and you're good at managing all your technology, a vCISO service may be all that you need," he says. "You get pointed in the right direction, with a punch list of projects to go execute, and then you have the IT capability to go do those things."

When a vCISO Is Not Enough

Yet often having a plan is not the same as executing a plan. In those cases, companies may want to seek out managed security services to acquire specific cybersecurity capabilities. Determining whether a company needs more than a vCISO is, oddly enough, a good job for a vCISO, says At-Bay's Tyra.

"This is an area where I think a lot of companies are not honest with themselves about whether or not they have those capabilities internally," he says. "That's another area where a vCISO could potentially provide input, helping people figure out if the advice going to be good enough or [if] you need actual hands on your systems to get where you're trying to go."

Finally, as new threats arise, companies often want to know how they could be impacted. Because vCISO services often have a depth of expertise that companies cannot retain on staff, they can come in and provide recommendations to deal with new technologies, like artificial intelligence, or changes to the threat landscape, says Inversion6's Siu.

"Even if someone has a security program already, they bring us in to touch places that they just don't have the depth for, which they might not even be able to hire for, because it's so specialized," he says. "We can use that to help people understand where those particular [threats] fit into their overall risk profile."