FAQs About vCISO Services

The vCISO concept has been gaining prominence as of late, particularly as small and medium-sized organizations face cyber threats that are growing in severity and sophistication. Without the resources to hire an in-house CISO and security team, businesses are increasingly turning to vCISOs for their cybersecurity requirements.  

Given that this role has become so critical, below are the answers to frequently asked questions about the vCISO.  

What is a vCISO?

A vCISO is a virtual CISO – where a regular CISO or Chief Information Security Officer is responsible for developing and implementing an organization’s information security program, a vCISO has the same role but for more than one company, i.e. they are not a full-time employee. CISOs and vCISOs have other roles and responsibilities, including compliance, security strategy and architecture, and communication of the organization’s cybersecurity posture to key stakeholders.  

vCISO services can be provided by individual security practitioners, consultants, or by trusted partners such as MSPs and MSSPs. 

Why does an organization need a vCISO?

It’s one thing to buy and deploy cybersecurity technologies and tools. It’s quite another to ensure that your company is set up to deal with today’s most advanced threats. For a comprehensive security posture, you need to take into account technology, processes, and people. “People” includes attracting and retaining talent with the security skills and expertise required, and training employees on cybersecurity; “Process” refers to identifying and addressing gaps in your security, including ensuring compliance; and “Technology” is about actually implementing the tools and products necessary for People and Process to be successful. 

Technological tools protect you to some extent, but the human factor is crucial to security and compliance. Without ensuring that the right processes and policies are set – and that people are aligned – technology can be worthless. That’s why every organization needs a CISO, who looks at security in a holistic and comprehensive way.  

Unfortunately, most SMEs and SMBs can’t afford a full-time CISO – which costs between $208k to $337k annually. They also don’t need a full-time person to fulfill this role. All they need is an external resource (part-time) who is responsible for the company’s cyber security. This is the vCISO. The vCISO also has the advantage of having an objective perspective on the company’s security posture.  

What is the difference between a vCISO, fractional CISO, and CISOaaS?

While the terms vCISO, fractional CISO and CISOaaS (CISO as a Service) can be used interchangeably, there are some implied differences between them.  

A fractional CISO can sometimes refer to a third-party (i.e.non-payroll) CISO who spends time on-site; whereas a vCISO usually provides their services completely off-site. CISOaaS can refer to a company providing third-party services, as opposed to an individual. 

What are the roles and responsibilities of the vCISO?

The CISO’s (or vCISO’s) role is to be accountable for cyber security, from A to Z. This means ensuring that Technology, Processes, and People are optimized. 

A vCISO would assess the current security posture of the organization, identify the gaps in security and compliance, and create a remediation plan. They would define the most important policies for that specific organization and monitor the progress of putting those policies in place.   

These policies could be related to Technology tools (for example email security or endpoint security), Processes (such as access management), and People (HR policies for example).   

A more comprehensive list of roles and responsibilities includes: 

• Outlining and architecting the vision and strategy of the company’s information security program 
• Determining the proper security framework(s) with which the company must comply 
• Preparing budgets and recommending (or selecting) security products 
• Assessing the security, regulatory, and other compliance requirements 
• Reviewing policies, standards, processes, and procedures 
• Assessing risk areas and preparing plans to mitigate this risk 
• Reviewing internal controls 
• Performing a gap analysis 
• Preparing a plan to address the results of the gap analysis 

Is vCISO a person, a service, or a technological product?

vCISO is a service. It can be provided by one person (a “one-man show”) or a company, such as an MSSP, MSP, or consulting firm. The person or company providing the service can use a vCISO platform to provide a higher quality, standardized service that is generally more efficient and less expensive. A vCISO platform is a technological solution that enables the service provider to provide vCISO services at scale. Without it, the provider is limited by the number of security professionals they have on their team, and there is a real skill and workforce gap in this space. 

Is vCISO a one-time project or an ongoing service?

It can be either. Normally, it’s an ongoing service, which starts with a risk assessment and is followed by a remediation plan and then the execution phase. This is the traditional vCISO service. 

It could also be a one-time or periodical risk assessment, where the output is a posture report, gap analysis, and a remediation plan, for example. In these cases, however, the vCISO isn’t actually accountable for the company’s security.

What types of organizations need a vCISO?

Almost any organization needs a vCISO. Because SMBs are now also targets of sophisticated cybercrime, cybersecurity has become a priority across the board and one of the key ways to address this risk is by having a vCISO in place. Some smaller companies may need a very light version of vCISO services, but they should have some form of this no matter their size. 

Retaining a full-time CISO is expensive. Additionally, there is much competition for full-time CISOs, so mid-size companies are competing with the largest corporations for top talent. That’s why a vCISO makes sense for any company smaller than enterprise level (usually 1,000 employees and above).  

Enterprise companies will likely have a full-time CISO and security team in place. But for companies that are smaller than this, a vCISO ticks all the boxes, without coming with a huge paycheck.  

When does an organization need a vCISO?

Right now – or at least as soon as possible. It’s important to be proactive before you’re attacked: have a vCISO assess your security posture, and then decide how broad you want the engagement to be.  

The ideal role of a vCISO is to come in and set out the vision, strategy, and implementation of a company’s information security program. By setting up the foundations correctly, a company is well placed to weather any cyber security incident in the future, as well as ensure ongoing compliance with relevant standards and regulations.  

Who provides vCISO services?

vCISO services are provided by individual cybersecurity professionals (“the one-man show”), MSPs, MSSPs, consultants such as EY and Grant Thornton, and others.  

It’s important to note that the term “vCISO services” is a general one, which encompasses activities such as security assessments, gap analysis, and remediation planning. Some organizations or individuals might offer these services, without referring to them holistically as “vCISO services.”   

Many of these providers typically gave IT and security services in the past – whether in the form of products, services, or advice. But providing vCISO services is a relatively new and fast-growing part of these providers’ offerings.  

This has developed primarily as a result of companies facing more complex cyber threats and more rigorous security-related regulations.  

How to choose a vCISO service provider?

Your vCISO service provider should be led by an experienced security professional, or at least have such an individual on the team. Look for partners who you trust (this could be an existing relationship with an MSP, MSSP, security professional, or consultant) and who deeply understand the vCISO space and requirements.  

Essentially, you want to ensure that the vCISO services you are receiving are high-quality, personalized, cost-effective, efficient, and are provided in accordance with international best practices.  

To achieve these goals, it is recommended to partner with a provider that uses a vCISO platform, such as that offered by Cynomi. 

Such a platform – modeled after the expertise of the world’s best CISOs – provides AI-powered, automated services to vCISOs to continuously assess client cybersecurity posture, build strategic remediation plans, and execute them to reduce risk; all according to well-defined standards.  

From comprehensive risk assessments to compliance assessments, all with auto-generated custom policies and remediation plans, a vCISO platform is the key differentiating factor when choosing a vCISO service provider.                        

What is the cost of a vCISO?

A vCISO service provided by MSSPs, MSPs, or consultants ranges from a few thousand dollars for a one-time project for a small organization, to $30k – $120k annually. This will depend on numerous factors such as: 

• Is it a one-time project or an ongoing engagement? 
• What is the scope of the engagement? 
• How mature is your current information security program? 
• How much policy framework development is involved? 
• Compliance: what standards are required to be complied with, such as ISO 27001, PCI, Cyber Essentials, or SOC2? 
• Will the vCISO be working alone or managing a team?