March 14, 2019

Last Updated on March 14, 2019

Is a virtual Chief Information Security Officer (vCISO) relationship right for your business? As an experienced vCISO currently serving several clients, these are some of the best reasons my colleagues and I see for “when” it makes sense to hire a vCISO:

  • To meet compliance requirements, you need someone with the title/role of CSO, CISO or data protection officer (DPO). But you don’t otherwise see an immediate need for a full-time CISO.
  • Your current CTO or CIO has ended up taking on more security tasks than he or she is comfortable handling. This is common in growing organizations that are increasingly focused on maturing their security processes.
  • You need to fill the role quickly. This can be a challenge in today’s security job market, where qualified CISOs are hard to come by.

If one or more of these scenarios rings a bell, a vCISO engagement is probably worth considering, at least as an interim step.

How to Hire a Virtual CISO

Now let’s take a look at three key best practices for “how” to successfully plan for, evaluate and engage in a vCISO relationship:

  1. Start by understanding and prioritizing your current security needs, both strategic and tactical. If your biggest concerns center around dealing with GDPR and privacy, for instance, you need to make sure you’re getting that experience. If you really want someone to take responsibility for building and managing your information security program end-to-end, make sure that’s clearly understood and communicated to service providers. You may even need to start with someone who can help you define a security strategy.
  2. Relate your needs to metrics (as best you can). If you want your vCISO to manage your ISO 27001 certification process, for example, start by creating metrics around the number of nonconformities, opportunities for improvement (OFIs) and corrective action procedures (CAPs) you anticipate you’ll need to address per year. If your in-house staff has security metrics they’re accountable for, you can potentially use those same metrics to help enforce accountability and measure progress in your vCISO partnership. Establishing and communicating useful metrics will help ensure a successful vCISO relationship.
  3. With your prioritized list of needs as a basis, build a scorecard to rate and compare potential vCISO partners. Virtual CISO offerings differ widely across cost and available skills. For example, are you getting an individual? Or a “service” staffed by multiple experts under the direction of a team leader/senior advisor? How flexible is the offering? Can the vCISO relationship change as your needs change?

Once you’ve determined that you want to engage (or at least consider) a vCISO, and have identified your key needs and objectives, how do you successfully onboard and operationalize your new vCISO? The most experienced vCISO vendors will be eager to help you avoid common pitfalls and ensure success. It’s critical for both parties to share the same vision for the role and scope of the vCISO.

It’s also essential to recognize and plan for your changing needs. For example, we find that many vCISO engagements move from a starting point of “mitigation” and addressing urgent issues to a focus on “building” and executing on an InfoSec strategy, and then on to “optimizing” and managing a program once it’s in place. Reliance on a single expert may be less effective (and less cost-effective) than a “team” vCISO approach to successfully move through those transitions.

To connect with experts about whether a vCISO is right for you, what your vCISO job description should look like, or how to integrate a vCISO into your organization, contact Pivot Point Security.
