vCISO – Virtual Chief Information Security Officer

Hiring a Chief Information Security Officer (CISO) is a big step for an organization. Before doing so, it is important to understand what the best business proposition is, based on risk: do we hire a full-time CISO, or do we hire a virtual CISO (vCISO) for when we need one? Each has advantages and disadvantages relative to the other.

To understand the advantages and disadvantages, as well as what the best business decision is, it is important to define the role of a CISO and that of a vCISO.

  • Chief Information Security Officer (CISO), defined:
    An executive, typically a vice president or higher, responsible for organizational information and data security, to include security operations, security risk management, security threat intelligence, data protection, security architecture, identity and access management, security program management, security investigations, security forensics, and security governance.
  • Virtual Chief Information Security Officer (vCISO), defined:
    A person representing a third party, with experience in building and implementing organizational information security programs to include security operations, security risk management, security threat intelligence, data protection, security architecture, identity and access management, security program management, security investigations, security forensics, and security governance.

Major Distinctions Between the CISO and vCISO

  1. A CISO is an executive employed by your company, whereas a vCISO is an agent of a third party, with the ability to have external visibility to your company as a CISO.
  2. A vCISO is one who can build and implement a security program, while also serving as an agent for your company to facilitate building organizational information and data security.

Cost Model for a CISO versus a vCISO

The cost model for a vCISO is also different, as a CISO is a salaried individual and a vCISO is available when you need one. Total pay for a CISO can typically come to $287,000 yearly (link). As an organization, remember to add payroll tax, 401(k) contributions, insurance contributions, unemployment insurance, and numerous other line items. A vCISO, by contrast, is engaged via a scope of work that will run you up to $375/hr., depending on your industry.

As a cost comparison, one could pay for 765 man-hours of a vCISO before exceeding the total pay of a full-time CISO.

Characteristics of a CISO versus a vCISO

This section is broken down into three areas for each of the CISO and the vCISO: skills, experiences, and the professional education that supplements those skills and experiences.

Chief Information Security Officer

  • Skills
    • The ability to maintain security controls, policies, procedures, and standards.
    • The ability to understand and maintain an organization’s compliance with legal, regulatory and industry security standards.
    • The ability to plan for unforeseen events that would require business continuity and/or disaster recovery.
    • The ability to supervise multiple teams to include security operations, security risk management, data protection, security architecture, identity and access management, security program management office, and the governance, risk and compliance team.
  • Experiences
    • The CISO typically has a background in IT as well as business. Information Security is a function of risk so it is important to have a CISO that views information security as part of the risk equation.
  • Professional Education
    • The CISO may have a wide variety of certifications. Each of the certifications requires a certain number of years of experience with references to validate the experience. Some of the most common security certifications include:
      • Certified Information Systems Security Professional, commonly known as the CISSP, issued by (ISC)² (Read more here);
      • Certified Information Security Manager, commonly known as the CISM, issued by ISACA (Read more here);
      • Certified Information Systems Auditor, commonly known as the CISA, issued by ISACA (Read more here); and,
      • Certified in Risk and Information Systems Control, commonly known as the CRISC, issued by ISACA (Read more here).
    • While rarer for a CISO, certifications in the technical side of security may also be present, to include the Global Information Assurance Certification, commonly known as the GIAC, issued by SANS (Read more here).
    • Each of these certifications requires annual continuing professional education.

Virtual Chief Information Security Officer (vCISO)

  • Skills
    • One who has the ability to design, implement and maintain security controls, policies, procedures, and standards.
    • One who can design and implement, sometimes maintaining, an organization’s compliance with legal, regulatory and industry security standards.
    • One who has worked in multiple security roles and has the ability to provide knowledge in security operations, security risk management, data protection, security architecture, identity and access management, security program management, and governance, risk and compliance.
    • One who has worked in multiple industries who understands information security from a macro point of view.
  • Experiences
    • The vCISO typically has a background in IT, information security, as well as in business roles.
    • The vCISO typically has strong relationships that enable him or her to pull resources together quickly to take action.
  • Professional Education
    • The vCISO typically has the same certifications as a CISO, to include:
      • Certified Information Systems Security Professional, commonly known as the CISSP, issued by (ISC)² (Read more here);
      • Certified Information Security Manager, commonly known as the CISM, issued by ISACA (Read more here);
      • Certified Information Systems Auditor, commonly known as the CISA, issued by ISACA (Read more here); and,
      • Certified in Risk and Information Systems Control, commonly known as the CRISC, issued by ISACA (Read more here).
    • While less rare than for a CISO, certifications in the technical side of security may also be present, to include the Global Information Assurance Certification, commonly known as the GIAC, issued by SANS (Read more here).
    • Each of these certifications requires annual continuing professional education.

Validating the Professional Education of the CISO and vCISO

The vCISO and CISO career field is one that many try to enter daily. It is important to validate the professional education one lists on his or her curriculum vitae or resume. Below are the sites that can be used to validate each certification:

Need a Chief Information Security Officer or a Virtual Chief Information Security Officer?

Looking for a vCISO? Contact Gilliam Security via our Contact Us page (link) and we would be glad to connect you with one of our vCISOs.

Looking for a CISO? Contact Gilliam Security via our Contact Us page (link) and we would be glad to help you find a CISO as well as interview one to provide you feedback from a third-party security professional.