May 3, 2019

Last Updated on June 19, 2024

By the time someone jumps on a phone call with us to discuss our Virtual CISO/Virtual Security Team offering, they generally understand its value proposition. But often they’re fuzzy on the mechanics of how it works: How much “vCISO” do we need? What will the vCISO be responsible for? How does the vCISO interact with management, clients and/or regulators? How much will this cost exactly and what is the pricing structure? How often do we meet with the vCISO? Add to that about a dozen more questions you’re probably wondering about yourself if you’re reading this.
It’s easier to visualize how a vCISO works if you start with the simple tenet that “information security is about having a plan.” This concept underpins every major information security/technology framework. For example:

  • ISO 27001 Clause 6 is about “Planning” and covers key concepts including “addressing risks and opportunities” and “information security objectives and planning to achieve them.”
  • COBIT mirrors the “addressing risks and opportunities” concept with its concepts of “value preservation” (addressing risks) and “value creation” (opportunities).
  • NIST (SP 800-18) calls for System Security Plans that “provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements,” and that delineate responsibilities.

From the starting point of “having a plan,” information security, and your vCISO discussion with it, can be (over) simplified to three foundational questions plus one standing instruction:

  1. Do you have a plan?
  2. What resources do you need to execute your plan?
  3. How will you verify and adjust the plan’s effectiveness?
  4. Repeat


1) Do you have a plan?

Do you have a plan already? Or do you need the vCISO to work with you to develop your plan?
It doesn’t have to be a formal plan. All you really need is a reasonably good understanding of your current security practices, plus a short list of priorities that you want to address in the next three to twelve months.
Your plan can initially be as simple as one or two high-level objectives, such as:

  • “We have a client that is requiring us to achieve ISO-27001 certification.”
  • “We need to become GDPR/CCPA compliant.”
  • “We are migrating our document management system to a cloud service provider and need to make sure it is done right.”

If you don’t have a plan, you and your vCISO will need to work together to develop one. That generally involves the following activities:

  • Understanding Scope (e.g., critical information being processed, relevant laws and regulations, client contractual obligations, physical locations, technical infrastructure, key vendors, management’s objectives/expectations)
  • Understanding current information security controls (i.e., what is the extent/rigor/maturity of your current information security practices?)
  • Conducting a Risk Assessment (i.e., what are your key information related risks, and which ones are not yet being managed to a level that is acceptable?)
  • Developing a Risk Treatment Plan (i.e., the short-term information security plan you will be executing together with your vCISO)


2) What resources will you need to execute the plan?

What resources, bandwidth and expertise do you need to execute your “short-term” plan?
A vCISO answers part of your resources question—but he or she is unlikely to be the complete answer.
A “true” vCISO is a senior-level executive who will help you establish and maintain the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The vCISO can execute pieces of the plan, but much as you wouldn’t want to pay an architect to install sheetrock, you are not going to want your vCISO to document incident response procedures.
A good vCISO provides actionable guidance for a team to execute, whether that is your team or external resources. If your internal team is short on resources (time and/or expertise), working with a vendor like Pivot Point Security that offers a “Virtual Security Team” style vCISO engagement can provide significant value by flexing in these resources as needed. In a sense, you get access to a team of security SMEs for the fractional cost of a vCISO. This can greatly reduce the number of vendors you need to onboard and manage to execute your information security plan.
Understanding your plan, your timeline and the resources needed to execute it will help you shape the work effort and expectations you have for the vCISO/Virtual Security Team:

  • Who will manage the project?
  • Should we meet weekly, bi-weekly or monthly?
  • Who will liaise with key stakeholders (e.g., senior management, customers, regulators)?
  • How will we track/report project status to key stakeholders?


3) How will you verify and adjust the plan’s effectiveness?

How will you verify that you are achieving your security objectives, and what resources will you need to do so? Verifying the effectiveness of an information security plan is critical and might involve:

  • Security Metrics
  • Vulnerability Assessments/Penetration Tests
  • Internal Audits/Control Assessments
  • Incident Response Tests
  • Third-Party Audits (e.g., a customer, regulator or ISO 27001 auditor)


4) Repeat (ongoing risk management and tuning)

Who is responsible for managing ongoing risk and tuning your vision/plan accordingly?
Mike Tyson once famously said:

“Everyone has a plan until they get punched in the face.”

In information security, that punch is a “change of note” (think a newly disclosed zero-day vulnerability, an actual attack, or a new regulation such as GDPR landing on your plate). If you architected a perfect plan and operated it with 100% effectiveness and nothing ever changed in your environment or the outside world, you would never need to adjust your plan. Unfortunately, all information security practitioners know the only constant is change: new threats evolve, new regulations are released, customer expectations change, technology changes, your products/services change, your vendors change…
These and similar changes require a review of your current risk assessment to determine whether the information security controls in place are still sufficient to manage this “evolved” risk, and a corresponding update to the risk treatment plan where they are not.
Hopefully, thinking through the lifecycle of your information security plan and the elements you are going to need support on gives you some insight into what engaging a vCISO would be like for your business.