What is a vCISO & How do You Find the Right One for You?

Introduction

vCISO stands for Virtual Chief Information Security Officer, or Virtual CISO. A CISO is ultimately responsible for the security of an organization’s information systems, and a vCISO’s responsibilities are similar—they’re just delivering this on a part-time, contracted basis, instead of as a full-time employee.

Why and how do companies work with a vCISO?

Every business with a digital presence needs cybersecurity support, but many can’t afford to hire someone at the CISO level full-time (and indeed, for many, this would be a waste of resources). And that’s where a vCISO can be ideal; you get 100% of their experience, but for a fraction of the cost. 

Ultimately, though, the vCISO role could be whatever you need it to be. 

For the smallest businesses, it’s a Swiss-army-knife-type individual who can come in and handle their (relatively small) cybersecurity needs, without the cost of a full-time hire. There’s minimal strategy here; they’re rolling up their sleeves and actively working on vulnerability management. 

At larger companies, vCISOs are parachuted in to help set the strategy and roadmap for entire cybersecurity teams, or may even work alongside an existing CISO to provide a fresh perspective and complementary skill set. This is less about having someone down in the weeds and doing the work, and much more about bringing in a senior perspective to help the business’s cybersecurity practices align with its future goals. 

Reduced cost isn’t the only reason to use a vCISO over hiring a full-time CISO, though (although for many, it’s the most significant one). vCISOs can also get up to speed much more quickly, and typically start sooner. 

While it might take a CISO upwards of six months to fully embed into your business, an experienced vCISO can orient themselves and start adding value within a matter of days, or weeks.

Sentinel Guild provides you with flexible, fractional or full-time cybersecurity professionals to plug gaps in your team, offer an extra expert perspective, or help you prepare ahead of a busy period.

Our curated guild of experts is made up of trusted and experienced cybersecurity professionals. Each one has been carefully pre-vetted by us, and is ready to plug straight into your business and get to work.

Do vCISOs act alone? 

Again, this varies. Some vCISOs work as individuals and simply spend a ‘fraction’ of their time managing your cybersecurity needs as agreed in the scope. 

But ‘vCISO’ and ‘CISO as a service’ are also increasingly popular offerings from managed service providers (MSPs). The result is (in theory) the same, but the work is chunked down and handed out to different cybersecurity specialists within that organization who deliver the work together as a team. 

And even vCISOs who predominantly act alone will likely need to call in extra help at points.

Is vCISO just a ‘cybersecurity consultant’ rebranded? 

Not everyone loves the title vCISO. 

Some cybersecurity folk feel it’s an unnecessary rebrand of established terms like ‘cybersecurity consultant’. 

Some feel it does a disservice to the title of CISO, which signifies having a cybersecurity advocate within the C-Suite (something a contractor can’t really replicate) and has only existed as a title itself since 1995.

But most agree that it’s a useful offering for small businesses who can’t afford a full-time CISO, and we’re in this camp of thinking, too. 

And while ‘consultant’ can feel a little nebulous, vCISO brings a clearer vision and value to the table; you’re getting ‘C’ level expertise but for a ‘fraction’ of the cost. 

Getting clear on your own business goals 

So now we have a clearer picture of what a vCISO can do for you, it’s time to get really clear on exactly what you want them to do for your business. 

Here are some questions to ask yourself:  

1. Are you ready to change?

Regardless of what you employ your vCISO to do, they’re going to either make or suggest changes. 

Some of these changes may cost money, and many will impact your business objectives. 

Are you ready to let them do this work? Continuous pushback will make for a frustrating experience on both sides.

2. Are you hiring a vCISO to check boxes, or to unlock new growth? 

Either is an acceptable answer. 

Some people hire a vCISO to get them up to a basic level of security, and that’s totally valid. 

But a rapidly growing SaaS company, for example, may bring in a vCISO to help them unlock new growth opportunities. Their vCISO can advise them on which security framework they should be using to land those ‘whale’ clients (the type that will security screen third-party services before signing up to them), and which audits they should be working towards. If this is the case, the kind of vCISO you’re looking for will have a very different skill set. 

3. Do you need someone to do the work, or just work in an advisory capacity? 

A vCISO can deliver a list of actions for you to tackle in-house, or they can do the work for you (with some help). Which is your business looking for?

What to look for in the ideal vCISO

Finding a vCISO, or an MSP offering vCISO consulting services, is easy. A quick Google will return hundreds of potential candidates for the role, and because of the virtual nature of its delivery, there’s not even any pressure to find one in the same country. 

But how can you spot a good vCISO, and ultimately find the one that’s right for you? 

Cybersecurity has a steep learning curve. It has a language of its own, complete with a healthy dose of acronyms. So if you’re interviewing someone in the space, it can be hard to cut through the noise and work out if they’re any good. 

Here are some criteria to look out for: 

Possible certifications 

You don’t need any certifications to become a vCISO, but many will have them all the same—and that can only be a good sign. 

Depending on whether they’re focused on vulnerability management, compliance and governance, or a mix of both, they may hold any of the following: 

  • Certified in Risk and Information Systems Control (CRISC)
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Global Information Assurance Certification (GIAC)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • Certified Information Privacy Professional (CIPP)
  • Certified Information Security Manager (CISM)

Every cybersecurity professional in The Guild has gone through multiple interviews before joining so we can fully assess their technical ability and understand their experience. This means we can match you with the best cybersecurity expert – or team of experts – for your needs.

A proven track record

Your ideal vCISO should be able to give proven examples of when and how their work has driven meaningful impact for similar businesses.

“Company X was working towards their SOC 2 audit. When I started working with them they scored X on their readiness assessment, and after X months of working together they passed the audit.” 

Most vCISOs don’t have a defined industry niche, and most of the time this is fine; the type of business they’ve worked with is likely to be a more valuable indicator. 

But some more sensitive or complex industries, such as healthcare, may benefit from working with vCISOs that specialize in their industry and are accustomed to dealing with its specific rules and regulations.

A proactive attitude

Traditionally, the CISO role is all about ownership and leadership. The right candidate should demonstrate these qualities from the get-go. 

They should be organised and clear in their communications and methodology, and speak knowledgeably. They should be curious about your business, and what you’re trying to achieve.

Ultimately, you will work closely with this person. Are they someone you can have a positive working relationship with? Are they someone you trust?

Good expectation management and clarity 

A good vCISO will know enough about cybersecurity to know that they’ll never know everything about cybersecurity, and they shouldn’t promise you otherwise. If they do, consider this a major red flag. 

They should also be able to set clear expectations about how you will work together, and how much it will cost you.  

Here at Sentinel Guild, we work with you to understand your specific cybersecurity needs before matching you with one of our vetted cybersecurity experts. If your match isn’t perfect during the trial period, you don’t pay.

Does a vCISO need to have previously worked as a CISO?

Again, this is a hotly debated topic in the cybersecurity world. 

Some rightly point out that every CISO once became a CISO for the first time—nobody was born into the role. 

Others say that’s all well and good in theory—but they’d rather not be the first client of someone who has never held the role previously. 

Once again, we say context and nuance are important here.  

“If you were previously a second-level line leader at a global financial company, you could for sure go be a virtual CISO at a smaller company without ever having had that title”, says our founder, Sean Middleton. “So it's less about the title, and more about the qualifications. If you've been a junior security person in a small company, you're very unlikely to be able to step straight up into the bigger role.”

So never having been a CISO definitely shouldn’t be a deal breaker; qualifications and experience are always more important than job titles. 

Conclusion

FAQs

How much does a vCISO cost?

The cost of working with a vCISO will depend on many different factors, including the scope of work, their experience level, the size of your business, and your industry. But to give a very rough estimate, many vCISOs charge between $250 and $500 an hour.

Does every business need a vCISO? 

Not necessarily. If you’re unsure about what cybersecurity support you need, we’d be happy to chat this through with you. Book a call to get started.
