What does a CISO do? A chief information security officer (CISO) is the person in an organization who is responsible for defining and enforcing that organization’s cybersecurity policies, practices, and architecture. CISO duties can impact every process in an organization in some way—from the way employees use their emails, to which websites they can visit, to how they store important documents.
However, finding a CISO to add to the company’s internal org chart can be… challenging to say the least. Qualified applicants who can fulfill CISO job requirements are rare. This, in turn, leads to high salaries for these hard-to-find cybersecurity experts (about $225,328 on average, according to salary.com).
With intense competition for people who can understand and execute on the tasks inherent to the CISO job description, companies often have to offer top-rate pay in addition to a variety of other benefits to attract these individuals. However, there’s an alternative solution to hiring a traditional, in-house CISO to manage your company’s cybersecurity program. Instead of headhunting a C-level cybersecurity expert, your company could use a virtual CISO program or service.
What is a virtual CISO (VCISO)?
What does a virtual CISO cost to hire?
What are the benefits of hiring a VCISO?
When should you hire a VCISO vs an in-house CISO?
A virtual CISO is a service provided by a managed security service provider (MSSP) that replicates the job functions of a Chief Information Security Officer—creating and managing cybersecurity policies for an organization—effectively outsourcing the role.
Where an in-house CISO is usually a single, highly ranked person in a company, VCISO services are typically delivered by a team of virtual CISO experts. This allows them to draw on a deeper pool of knowledge and provide near-constant protection against cyber threats.
Virtual CISO services help companies improve their cybersecurity architecture by providing expert advice on their critical security issues. Virtual CISO responsibilities often include tasks like:
Just like with an in-house CISO, VCISOs are expected to maximize your cybersecurity while minimizing costs and performance impacts.
What is a Virtual CISO? How and When is the Right Time to Hire One?
If an in-house CISO can cost a couple of hundred thousand dollars per year, what does a virtual CISO cost? The answer is: “It depends on what VCISO services you need.” Not every company will need the same level of service from a VCISO, so costs may vary.
One rule of thumb for VCISO costs highlighted by CSO Online states that “VCISOs are estimated to cost between 30 percent and 40 percent of a full-time CISO.” However, this is a rough estimate only, and may not necessarily line up with your real costs.
When researching virtual CISO services, it’s important to collect specific estimates from MSSPs so you can compare costs—though cost isn’t the only criterion you should consider when looking at VCISO services.
Many people wonder what the benefits of hiring a virtual CISO expert are versus recruiting a permanent person for this C-level role. Some of the key benefits of using VCISO services as opposed to relying on a traditional, in-house CISO include:
The monetary savings that outsourcing CISO job functions to a VCISO service can provide are usually the most popular reason for using them. However, it’s important to consider more than just the cost.
While the benefits listed above are often strong motivation to use a VCISO, some of the most commonly-cited reasons to use these services are:
While far from the only concern that companies seeking CISOs face, cost is one of the most frequently cited reasons to go with a virtual service. People who have the right qualifications and experience to fill a C-level cybersecurity role know their worth—and will have options lined up around the block to hire them if your offer isn’t appealing enough. So, it’s not uncommon for an in-house CISO to leave after getting a better offer.
This can leave companies scrambling to find and onboard a replacement—which creates additional costs for recruitment and training. Additionally, considering the need for time off for vacations or random personal events, the return on a CISO’s services from month to month can vary (especially considering it’s typically a salaried position).
Even when offering top-scale pay, it can be hard to find a CISO who is qualified for the position. So hard, in fact, that many organizations opt to take a regular cybersecurity expert and put them through either campus-based or virtual CISO training to produce a suitable candidate.
Additionally, there’s no guarantee that the person being trained will have the right mix of experience and skills to manage a large-scale cybersecurity plan that integrates smoothly with existing business processes.
Using a VCISO service to deliver a robust cybersecurity plan eliminates the need to headhunt or train a C-level cybersecurity expert. More importantly, virtual CISO teams often have much more experience in helping companies optimize their security plans than any individual might possess.
A side effect of having to headhunt or train up a new CISO is going without critical C-level cybersecurity services for a prolonged period of time. During this time, critical cybersecurity issues are being left unaddressed—meaning your network is more vulnerable than it otherwise would be.
Using a VCISO service helps eliminate lengthy recruitment processes. This, in turn, helps ensure that your organization gets critical cybersecurity support when it’s needed.
As mentioned earlier, one of the key advantages of a virtual CISO service over using an in-house CISO is that the service leverages a whole team of people who can each specialize in different things. This provides a wider pool of knowledge that can result in better cybersecurity protections that address more of your biggest cybersecurity risks.
Additionally, a dedicated team of virtual CISO experts is more likely to be able to correctly identify specific security risks and create effective countermeasures than a single person. This helps to improve the efficacy of your incident response plans so you can minimize the impacts of security breaches and improve speed of response.
With all of the positives that have been mentioned about VCISO services, you might think that it would always be the best option. However, nothing is ever that simple. There are cases where it may make more sense to use an in-house CISO instead of an outsourced VCISO service.
For example, some organizations might prefer to have someone on staff who is wholly dedicated to their cybersecurity. With a VCISO service, their CISO expert team would be split amongst several other companies, which they may prefer to avoid—even though such a setup does have cost and knowledge benefits (teams working with multiple customers can apply lessons learned with one company to others).
Another benefit of having an in-house CISO is the potential impact on the company’s public image. Being able to retain a dedicated C-level exec to focus on cybersecurity helps demonstrate that the company has the resources to effectively manage security and the dedication to see it through—which can have positive impacts outside of just improving the company’s security architecture.
Finally, having an in-house CISO gives the people in your organization someone they can directly report to regarding cybersecurity issues. This helps to raise awareness and compliance with critical security initiatives in your company. Being able to directly distribute and collect reports with people in the company (and having the internal authority to make security policy decisions stick) can make a world of difference in how well cybersecurity initiatives are executed.
So, which is better for your organization? Well, the answer depends on what your goals are and what resources you already have available. Truly massive companies will most often benefit from having an internal CISO with a dedicated cybersecurity support staff in-house. Meanwhile, smaller organizations might need to leverage the cost and 24/7 service benefits that using a virtual CISO can provide.
Need some help optimizing your cybersecurity policies and procedures, but not really sure if a virtual CISO service is right for you? Reach out to the Compuquip team to talk about your security needs and how to address them.