What is a virtual CSO?
Organizations today host a wide range of information that, due to its external value to competitors, nation-states, or cybercriminals, needs to be properly protected. The role of a Chief Security Officer (CSO) is to establish and maintain the organizational strategy and execution to protect its sensitive and valuable information assets and surrounding technologies.
But many organizations, while having data that needs protecting, choose to utilize a virtual CSO (vCSO) to address the needs of the CSO role rather than hire one internally.
What is a virtual Chief Security Officer?
The vCSO is a security practitioner who uses the culmination of their years of cybersecurity and industry experience to help organizations develop and manage the implementation of the organization’s information security program. At a high level, vCSOs help to architect the organization’s security strategy, with some also helping to manage its implementation. Internal security staff may still exist, either reporting to or working with the vCSO and their team to execute an impactful security program. Additionally, the vCSO is usually expected to be able to present the organization’s state of information security to the organization’s board, executive team, auditors, or regulators.
vCSOs can provide value to organizations by helping with a number of aspects of the overall information security program, including:
- Information security planning and management activities
- Organizational and management structure
- Initiatives affecting information practices
- Security risk management activities
- Evaluation of third parties with access to organizational data
- Coordination of audits by regulators or customers
Why are vCSOs becoming more popular?
The idea of a virtual CSO has grown in demand with organizations for a number of reasons:
CSOs are in demand – Cybersecurity has moved to the forefront of organizational concern. With the rise in cyberattacks and data breaches, the growing sophistication of attacks, and attackers focused on an organization’s information, organizations wanting to put a comprehensive set of controls and technologies in place need a CISO. A vCSO allows organizations to quickly fill a CSO role without needing to go through the hiring process.
CSOs are expensive – According to salary.com, the average CISO costs over $400,000 a year. While nearly every organization needs a CISO, not every one of them can afford one. A vCSO allows organizations to avoid the expense of employing one in-house full-time, only paying for the services and time used.
vCSOs can be more experienced – A vCSO has implemented information security programs for many clients in a diverse set of industries and sizes, giving them a broad range of expertise that can be applied to your organization.
vCSOs can be anywhere – Rather than needing to hire someone locally (which limits your options) or needing to help pay for a candidate to relocate, the vCSO works as a consultant from just about anywhere, giving the organization exposure to more potential candidates.
vCSOs are a consumption-based option – While not every vCSO works the same way, this is a contractor who performs tasks based on an agreed-upon scope of work, so you pay only for the services you want from them.
Use Cases for a vCSO
The choice of a vCSO versus a full-time CSO may still be unclear, so allow me to provide a few use cases where a vCSO may be a great choice:
Bridging and Hiring a New Full-Time CSO – The departure of a business’s existing CISO may be untimely with regard to current security initiatives. A seasoned vCSO can come in, provide value by reviewing the current cybersecurity strategy, and help recruit, select, and transition to a full-time CSO.
Developing a Mature Cybersecurity Program for a Smaller Organization – When a full-time CSO is too costly for an SMB, a vCSO works part time to provide enterprise-caliber expertise and craft a security program that the organization would otherwise not be capable of developing.
Creating a Compliance Program – Organizations with or without a current CSO may not have the expertise on a specific compliance mandate and how it translates into creating policy and process to secure protected information. A vCSO that specializes in a given compliance regulation can help develop a strategy and execution plan that meets the specific mandates – think PCI DSS experts helping retail businesses or a HIPAA savant supporting a healthcare org.
Re-aligning Cyber Spend – Whatever the organization was doing 6 months ago to protect against cyber risk is likely not as effective today. A vCSO can help organizations of every size by reviewing the current budget and how it’s spent, and identifying ways to spend it more effectively and efficiently to create a more secure stance.
Who should consider hiring a virtual CISO?
Let’s walk through a few reasons that may provide some guidance as to whether a vCSO is a good fit:
The Org Has Sensitive Information – This is pretty much every organization today, regardless of size, industry, etc. The question at hand is whether the organization is serious enough about protecting that data (and the organization) to hire an expert to help develop and put in place a program that keeps valuable data safe and secure.
The Org Has a Limited Budget – Organizations with a limited budget should be considering a vCSO. The cost of a vCSO is estimated to be between 30% and 40% of that of a full-time CISO.
The Org Has Specific Information Security Needs – It’s possible that the intent isn’t to fully utilize a CISO, but instead to address a few specific tasks. These include defining needed security policies, helping to classify data, addressing procedures and policies to meet compliance objectives, performing a risk assessment, and more. When the focus isn’t to fully develop and implement an information security program, but instead some subset of it, a vCSO is the perfect choice.
The Org Requires Specific Skill Sets – Not every CSO has the same set of experiences, expertise, industry institutional knowledge, etc. This makes finding just the right CSO to hire full time difficult. vCSOs – particularly when part of a larger consultancy – either have the experience themselves to address your specific needs or work as part of a larger consulting team that, combined, has the needed skills and experience.
CSO vs vCSO: Which one should you choose?
Let’s start with one foundational truth: if you have valuable and sensitive information within your environment, you need some form of information security program in place. And that means you need someone at the helm driving the program forward and steering the vision, strategy, and implementation to meet the organization’s information security objectives. The question of whether to hire a CSO or a vCSO really comes down to both the organization’s strategy (e.g., if they want someone long-term who is solely focused on just your organization, a CSO is the right choice) and any constraints (such as a lack of budget).
If you’re not sure which is the right choice, I’d suggest starting with a vCSO to get the groundwork started and see if there is support internally from the executive team or the board for putting a proper information security program in place, and then, if needed, work towards hiring a full-time CSO to complete the work.