Companies must balance quality and cost in cybersecurity. Hiring skilled personnel and retaining them can increase the budget, especially for roles like the chief information security officer (CISO), who ensures effective cybersecurity but is expensive. A virtual CISO (vCISO) offers a cost-effective solution without compromising quality.

Read on for more about vCISO.

What is a vCISO?

A vCISO is an outsourced equivalent of a conventional CISO, offering cost savings and enhanced security. On this page, we will:

  • Define what full-time CISOs do
  • Compare the vCISO role with the conventional one, including the pros and cons of each
  • Detail what to expect from top vCISO partners or solutions

By the end, you’ll be ready to decide if a vCISO is right for your company.

Conventional (Staff) CISO Definition

CISOs are top-level security executives responsible for the cybersecurity functionality of an entire company. Of course, not all companies have them, but the majority do—per one 2020 study of cybersecurity priorities, about 61 percent of companies had a CISO or some equivalent security executive. That figure shoots up to about 80 percent for the most prominent companies surveyed, suggesting that the role becomes more critical the bigger the scale and stakes of company-wide IT.

CISOs are typically among the highest-ranking individuals at companies that have them, regularly occupying a position in the C-suite. In some configurations, companies employ a chief information officer (CIO) to whom the CISO reports directly. In others, the CISO and CIO roles may be combined, or the CISO may report directly to the CEO instead.

Security Architecture and Oversight

A CISO’s primary role is to ensure seamless implementation of a cybersecurity architecture that protects all sensitive information. This covers on-premises hardware and software, Wi-Fi security, and cloud computing safeguards. The CISO must ensure these protections are installed and maintained.

Beyond managing hardware and software, the CISO oversees security awareness training programs. These programs should involve staff in maintaining a secure company culture and be integrated with other training efforts, including regular drills and assessments tied to incentives.

Legal and Regulatory Compliance

Finally, one more major pillar of cybersecurity for which CISOs are typically responsible is regulatory compliance. Depending on your company’s industries, you may need to follow one or more regulatory frameworks. Some common examples include:

The CISO will determine strategies and resources needed for compliance implementation and maintenance, both internally and with the help of external, third-party assessors and advisors as needed.

The Costs of Hiring a Full-time CISO

Because CISOs have business-critical responsibilities, they typically carry years of expertise and are paid relatively high salaries. For example, consider current data on CISO compensation:

  • The median base salary for CISOs in the US is $224,305. Those in the 10th percentile earn $169,967, and those in the 90th percentile earn $290,694 annually.
  • These are only base salaries. Factoring in bonuses and benefits adds another $48,843 (bonus) and $84,247 (benefits), for a total annual cost of $357,395.

High as they are, these salary figures may underestimate the cost of employing a CISO. For example, they do not factor in the costs of lengthy interviewing and onboarding processes necessary to hire and integrate a CISO, nor the retention programs to keep them long-term.

vCISO Definition and Comparison

A vCISO (virtual Chief Information Security Officer) and a conventional CISO have nearly identical roles, including managing cybersecurity architecture, leading staff training, and ensuring compliance. However, vCISOs are more cost-effective than traditional CISOs. Additionally, their external position can offer enhanced and complex protection benefits.

Let’s explore these factors further.

Cost Savings of a Virtual CISO Solution

An outsourced vCISO costs significantly less than a full-time executive CISO, with prices ranging from $67,291 to $89,722 annually, about 30-40% of a conventional CISO’s base salary. The primary savings come from paying only this base rate, typically as a monthly retainer, with no bonuses or additional benefits: you pay strictly for the services rendered, with no extra retention costs.

Greater Security, Advanced Approaches

Choosing a vCISO over a traditional CISO not only reduces costs but also provides access to a team of experts with broad and advanced security practices. A vCISO can integrate penetration testing programs, both external (simulated attacks from outside) and internal (simulated attacks from within), efficiently addressing vulnerabilities. This approach consolidates contracts, saving expenses without compromise.

External Positioning: Hidden Strength

The final difference between a conventional CISO and a vCISO might at first seem to be a weakness. A vCISO is, by definition, external to your company. The team fulfilling the role does not occupy a spot in your active roster, much less in the C-suite. It reports and answers to those leaders but is otherwise an outsider.

On its face, this may suggest challenges in integrating with your internal personnel. However, the vCISO’s external position is another reason they are so effective at keeping you safe.

With an internal CISO, there are inherent concerns about how office politics may compromise their performance and commitment to the company. An internal CISO is likely to act in ways that benefit their own career interests, such as upward or lateral growth, and so may have an ulterior motive to misrepresent security integrity in order to hide flaws. This is not true of a vCISO.

Maximizing Overall Security Awareness

Awareness is not achieved solely through training. An effective cyberdefense program must be capable of scanning for, identifying, and mitigating all vulnerabilities, threats, and risks. A comprehensive threat and vulnerability management program overseen by a vCISO is an optimal approach to predicting and preventing potential attacks.

The vCISO will supervise various data gathering and analytics methodologies to achieve this. They will evaluate baseline performance expectations for hardware, software, users, and information, comparing these against the current status at regular intervals. Teams will also utilize third-party risk management to monitor vendors, contractors, and other third parties. Additionally, teams will assess the broader risk environment, including attacks on similar companies.

Overall, the vCISO will work to minimize cyber-attacks on the business and ensure preparedness when they occur, which leads to the final point.

Responding to Cybersecurity Incidents

Awareness and intelligence are crucial for preventing attacks. However, even highly protected companies may experience an attack eventually. The key to surviving these incidents is a systematic approach to incident management:

  • The vCISO will oversee monitoring and real-time identification of incidents.
  • Incident logging and analysis will inform appropriate mitigation tactics.
  • The vCISO will diagnose causes and recommend immediate response protocols.
  • The vCISO will assign resources and personnel to identify mitigation strategies.
  • Upon resolution of the incident, further analysis into root causes will commence.
  • The vCISO will ensure business continuity and client satisfaction as required.

DCP Security’s vCISO program offers comprehensive services that go beyond the standard definition of a vCISO. Contact DeVault Cyber Plus to learn more about how these services can benefit your company.