How to become a Virtual CISO (vCISO)
28th February 2022
Companies are turning to Virtual CISOs to drive cyber security strategy and implementation. We discuss what it takes to become a Virtual CISO.
Over the last year, demand for Chief Information Security Officers (CISOs) has exploded and led to the increased adoption of Virtual CISOs (vCISOs). We spent five minutes with CyPro’s Managing Director, Rob McBride, to learn more about how to become a Virtual CISO.
What is a Virtual CISO (vCISO)?
As more cyber breaches hit the headlines, an increasing number of organisations have seen the value in appointing a CISO. Data from IDG shows that companies without a CISO fear their security posture and cyber training are not as effective as they could be.
Responsible for both strategic and operational leadership, a CISO’s role is to architect an organisation’s security strategy, present that information to the board, and help to manage the implementation.
A virtual CISO (vCISO) is an outsourced position, where an individual or a team of experts performs the role part-time for a stipulated period, or to support a particular project. As Gartner explains, a vCISO engagement involves:
- An on-site or virtual presence in meetings, events, operations and strategic planning.
- Management of roadmaps, architecture and policy, and running risk management and risk assessment processes.
- Providing coaching or advisory services to train the next generation of security and risk leaders.
Why do organisations need vCISOs?
Perhaps the most compelling reason for any business to hire a vCISO is the challenge of finding and recruiting cyber security talent.
Over the last eight years, the IT security market has quadrupled, leaving 3.5 million positions unfilled globally. While that is great news for experienced CISOs, who have abundant opportunities to choose from and the leverage to negotiate salaries, it is bad news for recruiting organisations, who must compete for a scarce pool of candidates.
For smaller organisations, the cost of hiring a CISO can be prohibitive. Depending on their skills and experience, CISOs can command salaries between £120k – £250k per year. Costing on average 30% – 40% less, a vCISO gives smaller organisations the ability to develop a mature security programme that would otherwise be unattainable.
Additionally, smaller organisations don’t always require a full-time CISO. Data security and privacy remain a priority at all times, but meeting those requirements does not necessarily need the full-time attention of a senior professional, and an under-utilised CISO is likely to leave for a more demanding role. A vCISO instead provides the level of protection required while allowing the professional to work across several organisations, and to bring the experience gained in each to the benefit of all of them.
However, don’t be fooled into thinking a vCISO is just for smaller businesses: the role also benefits larger enterprises.
An external perspective can prove invaluable. By reviewing the current cyber security strategy, critiquing budgetary spend, evaluating risks and supporting recruitment, a vCISO offers an intelligent way to enhance an organisation’s security posture. Furthermore, as an outsider, a vCISO is more likely to remain unaffected by ‘office politics’, focusing instead on outcomes, with unbiased KPIs and reporting.
vCISOs are also worth engaging when an organisation requires specific skills or experience. Particularly in relation to compliance, an internal CISO may benefit from specialist support to ensure the business doesn’t fall foul of the regulators.
What makes a good vCISO?
Perhaps surprisingly, the most critical skill a vCISO can possess is communication.
Once you have a security strategy in place, you need to secure buy-in from the board. For a vCISO, this requires the ability to articulate risk and present how to address it in a succinct and compelling way.
Of course, as a vCISO, you are external to the organisation, so the opposite skill – listening – is of equal importance. Listening enables a vCISO to learn quickly about an organisation, the specific environment in which it operates, and the long-term vision and strategic goals the business is aiming for.
vCISOs are not created equal. Your value is determined by the experience you possess and how it benefits the businesses you serve. For example, if your background is in FTSE 250 companies, your experience is less relevant to a startup. With relevant experience, you can empathise with a client’s situation, understand how specific regulations affect their operations and be aware of the risks they are likely to face.
What training and experience do you need to become a vCISO?
To be a successful vCISO, you need experience across information security, risk management, IT, and governance. Typically, this translates to ten years’ experience, including at least five in management positions.
A study by Kaspersky Lab found that 68% of CISOs hold master’s degrees. However, with cyber attacks becoming increasingly sophisticated, technology constantly evolving, and the pace of change faster than anything we have experienced before, continuous professional development matters more than formal qualifications.
There are dozens of professional certifications to support you in your role of vCISO, including:
- Certified CISO (CCISO)
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- Certified Ethical Hacker (CEH)
- Offensive Security Certified Professional (OSCP)
- Certified Information Systems Auditor (CISA)
- GIAC Security Leadership (GSLC)
- Certified in the Governance of Enterprise IT (CGEIT)
Whilst attaining all of these is not necessary, holding one or two of them is generally expected if you are to be respected as a CISO or vCISO.