Doing It All and Being a Security Expert? Consider a vCISO Solution.

A Tested Solution to a Modern Problem

A commonly used definition of business outsourcing is the strategic use of contracted resources to perform activities traditionally handled by internal staff and resources. While the term vCISO (virtual chief information security officer) is a rather new designation for those in the C-suite, the solution model is rather mature. The concept of outsourcing professional services to address an immediate need is a well-worn model that can be traced to the mid-nineteenth century, when modern businesses began to be distracted from their core business by legal and accounting issues. Thus came the birth of modern professional legal and accounting (audit) firms, which offered a strategic solution that allowed the entrepreneur to pursue the core business without the day-to-day legal and accounting annoyances. As computers entered the business environment, entrepreneurs needed new solutions to filter the digital noise. Companies such as Electronic Data Systems (EDS) saw the opportunity to leverage idle computer time at one client to fulfill the computing needs of another client, a business model that eventually became known as outsourced processing. With breaches in information security being a persistent threat with no foreseeable silver bullet, exponential demand for information security consulting, and a limited supply of qualified specialists, outsourcing of the key information security officer position is a viable solution for those who understand the nuances of such an arrangement. Leveraging outsourced solutions to do more with less creates competitive advantages.


What is the Role of the CISO/vCISO?

Appointing a CISO and dedicating an individual entirely to the security of information is a strategic first step in developing an effective enterprise-wide information security program that addresses cyber threats such as ransomware and complies with the requirements of industry and regulatory standards such as The Gramm-Leach-Bliley Act (GLBA), National Institute of Standards and Technology (NIST), and Health Insurance Portability and Accountability Act (HIPAA). Before making such a commitment, many organizations may be dependent on a few IT professionals to address the security of the organization’s infrastructure. Thus, those responsible for implementing technology often find themselves in the position of making security decisions. No two CISO job descriptions are the same, and neither are the needs of organizations. Considering the varying needs of every organization, the expected responsibilities of the CISO may include ensuring the effectiveness of the security awareness plan, managing a security team, or developing information security risk assessments, policies, procedures, and plans.

A CISO can be expected to wear many hats, and the expertise can be expected to vary between those who are technically oriented, business oriented, or strategically oriented. As you may expect, CISOs who are technically oriented will focus efforts on the management of technical aspects of security issues and may know what the organization's needs are before the organization does, but will often find difficulty in communicating those needs to upper management. Business-oriented CISOs will gravitate to focusing on security issues pertinent to the business, such as a system that interacts with the customer base. A strategic CISO, meanwhile, will concentrate on translating executive-level business requirements into security initiatives to support the organization's overall mission and purpose. Seldom will an individual have all three of these skills. Before selecting a CISO or vCISO, the organization should determine the type of expertise and skillsets best suited to address the needs of the current environment. In general, successful CISOs will have superb communication skills, genuine knowledge of technology and security issues, and a well-founded understanding of the organization’s business requirements.


What do vCISO arrangements look like?

vCISO outsourcing arrangements may take many forms and are used by organizations of all sizes and sectors. The contracted service can be as limited as assisting information security staff with an assignment in which they lack expertise. Other outsourcing arrangements may call for the vCISO to perform all or several parts of the information security program. Under these types of arrangements, the organization should maintain an information security coordinator to adequately supervise consulting activities. The consultant usually assists the coordinator in determining the organization's areas of risk and the level of assistance, and recommends and performs a work schedule approved by the organization’s coordinator. In addition, the consultant should work jointly with the coordinator in reporting significant findings to the board of directors or its IT committee.


What are the benefits of hiring a professional expert?

  1. Avoiding an Extended Recruitment Process - Even when offering competitive compensation, recruiting a CISO may take time and a significant monetary investment to identify a potential candidate. With today’s competitive job market and information security talent shortage, anticipate that the ideal candidate will be looking at several opportunities. Often employers may spend weeks selling their organization’s benefits and the appeal of the community, only for the candidate to choose another opportunity with a larger benefits package, signing bonus or salary, or less daily commute time. Using a vCISO service provides immediate access to a team of cybersecurity experts, thus skipping a potentially lengthy, costly, and risky recruitment process. The average salary information for the chief information security officer salary in your state may be found at High turnover in the information security field can result in the scramble to find and onboard a replacement, which creates additional costs for recruitment and training. Enter the vCISO, who is competitively priced and can provide the level of cybersecurity support your business needs.
  2. Varied Professional Knowledge - The skillset and knowledge base required for an effective information security program is constantly changing. Not only are professional consultants and advisors more apt to obtain and maintain professional credentials in the information security field, but these individuals are also highly likely to be performing a similar role with other clients in your industry. That experience of working through a wide variety of situations from across the industry provides a consultant with an expansive skill set and unique perspective of best practices. While an individual consultant may be the main contact, the professional firm can leverage a team of dedicated professionals to augment the talents of the individual assigned to your organization. vCISOs come pre-trained, pre-certified, and ready to help solve your security needs.
  3. Establishing a Fixed Cost - The CISO job market is competitive, and turnover occurs as salary and benefits expectations increase. Using a contracted vCISO service solution allows the organization to fix the labor costs of information security, locking in a predictable cost over the contract term. An additional benefit of outsourcing is that the organization is not adding a full-time equivalent employee to the employment roster.
  4. Providing Measurable Deliverables - A prolonged recruitment process and training period will delay the organization's response time to address critical cybersecurity needs. An experienced vCISO service solution utilizing an established methodology can close the response gap and reduce the impact of future employee turnover and future information security gaps while improving examination and audit results.
  5. Establishing an Information Security Culture - The vCISO can be a central part of your leadership team and provide insight to develop the organization’s information security culture. Contingent on the company you choose to partner with for a vCISO solution, the consultant may be available for your organization’s IT committee and Board meetings. There is peace of mind in knowing that decisions are being made with information security factored in. A vCISO can also create customized information security policies that align with your organization’s strategic objectives and drive a culture of security.
  6. Training Staff to Safeguard the Organization’s Information - An important responsibility of a vCISO includes strengthening employee understanding of cyber risk. This can include holding workshops to establish basic cybersecurity etiquette, communicating important security tips, making sure employees are using adequate passwords, and training employees on the proper use of multi-factor authentication (MFA).

What to consider before choosing a vCISO provider?

Prior to entering into an outsourcing arrangement, an organization should perform due diligence to ensure that the consulting firm has sufficient expertise and enough qualified staff members to perform the intended work. Since the arrangement is a professional services contract, the organization should be confident in the competence of the consulting firm and staff.

When negotiating the arrangement with a consulting firm, an organization should carefully consider its current and anticipated business needs in setting each party's information security responsibilities. To clearly define the organization's duties and those of the consulting firm, the organization should have a written contract or proposal of services, often referred to as an engagement letter. The proposal should:

  • Define the expectations and responsibilities for both parties.
  • Set the scope, frequency, and cost of work to be performed by the consulting firm.
  • Set responsibilities for providing and receiving information, such as the manner and frequency of reporting to senior management and the board of directors about the status of contract work.
  • Establish the protocol for changing the terms of the service contract, especially for expansion of consulting work if significant issues are found.
  • State that any information pertaining to the organization must be kept confidential.
  • Specify the locations of deliverables.
  • Specify the period that deliverables will be maintained.
  • State that services provided by the consulting firm may be subject to regulatory or audit review and that examiners or auditors will be granted full and timely access to the deliverables and related work papers prepared by the consulting firm.
  • Define whether the consulting firm will or will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of an employee or a member of management of the organization, and state that it will comply with applicable professional and regulatory guidance.


What are some sample questions for selecting a vCISO Partner?

  1. Does the company have a proven platform to efficiently manage an information security program? This should include IT risk assessments, business continuity planning, business continuity risk assessments, vendor management, policies and procedures, and an action tracking and reporting process.
  2. When was the company founded?
  3. Who is on the leadership team at the company? What are their backgrounds?
  4. Who are the founders of the company?
  5. Is the company financially healthy? Will the company provide financial statements?
  6. How does the company differentiate itself from competitors?
  7. Does the company perform criminal background checks for all employees?
  8. Over the next three years, how will the company’s strategic plan change?
  9. Is the company vendor independent or does the company utilize exclusive contracts with specific vendors?
  10. Will the company fill the vCISO position with one of their employees or will they 1099 someone from another company?
  11. How many full-time equivalent employees does the company employ?
  12. Does the company utilize contractors/sub-contractors or outsource any services being proposed?
  13. How many clients does the company provide Information Security Services to?
  14. Does the company have any awards or commendations in the last three years?
  15. Does the company have any experience in our industry?
  16. Will the company provide a list of references in our industry that may be contacted?
  17. What are the company’s top services per number of clients?
  18. What Information Security credentials and certifications does your staff hold?
  19. Does the company have forensics specialists on staff?
  20. Will we be assigned a dedicated information security specialist?
  21. Does the company perform IT audits, and how are they managed?
  22. Does the company perform social engineering testing, and how is it managed?
  23. Does the company perform penetration tests, and how are they managed?
  24. Does the company have experience in red teaming a network?
  25. Does the company provide information security training?
  26. Has the company ever taken down a client’s network accidentally?
  27. Describe a sample incident response plan created by the company.


A Complete Solution

Organizations cannot pursue partial solutions to solve multifaceted issues such as regulatory compliance or cybersecurity risk and expect success. A well-designed vCISO approach will permit an organization to fulfill or complement information security management without burdening current staff, enabling the organization to grow the business, stay ahead of threats, address annual compliance needs, and exceed regulatory expectations.

As you consider whether a vCISO solution is an appropriate fit for your organization, keep in mind that the security and protection of your organization's and your customers’ information is ultimately up to you. When you utilize a vCISO solution, the organization must ultimately own and sign off on all information and cybersecurity decisions. However, a good vCISO can truly guide you to make better cybersecurity decisions and do what is right to protect your organization.


Written by: 
Shane Daniel, CPA, CISA, CIA
Information Security Consultant
SBS CyberSecurity


SBS Resources: 
SBS CyberSecurity has been helping organizations identify and understand cybersecurity risks to make more informed business decisions since 2004. If your organization is looking to better understand your cyber risk; build, maintain, or test your cybersecurity program; and make smarter, more informed cybersecurity business decisions, SBS can help.

  • {Service} CyberSecurity Partnership (vCISO): Gain a trusted cybersecurity adviser who can keep you informed and help you adjust to changing regulations or potential incidents with a CyberSecurity Partnership (CSP) program or Virtual Chief Information Security Officer (vCISO) custom engagement.
  • {Blog} Building Out the Core Responsibilities of an ISO: There are plenty of different roles and responsibilities a financial institution has to consider; however, one of the more difficult roles to address is that of the Information Security Officer (ISO). Even though all financial institutions have been expected to assign the role of ISO for nearly two decades, many organizations are seemingly still working to flesh out the specific responsibilities that an Information Security Officer should handle.


Posted: Tuesday, April 6, 2021