What is a vCISO? (appTECH TALK Ep. 5)

Let’s face it.  Security is expensive.  Many organizations think of security as an unwanted expense when budgeting for the next fiscal year.  However, no matter what industry an organization is in, security IS its business too.

Every organization has something to protect, whether it be credit cards that are being traversed through the network, employee personal identifiable information (PII), trade secrets, or even the organization’s reputation.  Breaches are at an all-time high, and organizations are left trying to find direction on where to start and what steps to take next to ensure that layers of protection are in place.

Typically, a full-time CISO (Chief Information Security Officer) will cost an organization anywhere from $250,000 to $350,000.  The reason this cost is so high is because a CISO is normally packed with years of experience.  Many CISOs have worked on the defensive and offensive security, compliance, and the business side of information security.  A CISO not only has to understand the many aspects of security, but he or she also needs to be able to think like the business or organization.  Normally with a direct line to the board or stakeholders, a CISO can be the voice between security and the business.  A CISO speaks in a language that the business can understand, but also holds a deep knowledge of the technical side.  His or her job is to be able to speak to the business in terms that they can understand.  What does this mean?  Well, to give an example, a company might have a vulnerability that affects every point-of-sale system because it doesn’t have a high level of encryption.  Going to the board and talking to them about the technicalities of encryption wouldn’t do any good.  Conversations would be lost in translation, the level of risk may be understated, and ultimately the board may be less inclined to support remediation or spend simply because they do not understand in their own terms.  However, going to the board and explaining how that risk can affect the ability to continue doing business and the impact of business interruption would be something that could be understood.

So what’s the V in CISO?

Largely due to the salary expectations of a CISO, many organizations just can’t afford the expense.  These may be smaller organizations that just don’t have the budget for that high level of an employee or cannot justify the need for this type of full-time employee.  This is where the vCISO (virtual CISO) comes in.  A vCISO is an experienced Chief Information Security Officer that works for an organization virtually.  An organization may only be able to afford, or may only need, a vCISO for a few hours a week.  This would be enough time to allow a vCISO to take a look at the organization and make sure that the security posture is aligned with it properly.  Sometimes this type of arrangement is referred to as Fractional Services.

The responsibility of protecting an organization’s digital assets is huge.  Many times you will find a vCISO and a CISO co-existing.  As a recent example, I have worked with a newly hired CISOs as a “Stop Gap” to help steer them in the right direction until they have a proper handle on the organization.

A vCISO thinks strategically, long term, and from a 30,000 foot view to ensure that all of the pieces are being put together properly.  These are things such as:

• Preparing your team for compliance audits such as SOC2, PCI, NIST, and others
• Providing a security training plan for staff
• Building out a vulnerability management program
• Preparing an IRP (Incident Response Plan) in the event of a breach
• Evaluating and improving Policies and Procedures to make sure that they are aligned with the business
• Evaluating the organization’s ability to detect anomalies and breaches

These are only a few of the things that a vCISO can offer an organization.  The most important job of a vCISO is to be able to “think like the business”.  This means understanding the business, not siloed to just technical understanding and skills.  By doing this, it allows prioritization of budgeting for staff, software, hardware, and a security program as a whole, as well as monitoring overall impact to the various business functions should there be a security breach.

Each organization is unique and must decide for themselves if a full-time, on-site CISO is feasible, or whether a vCISO (fractional services) is a more viable option.  From my experience over the years, many organizations come to the realization that without proper strategic direction, many security departments are spending more money than they should.  Without a proper long-term strategy, the reactive dollar spend tends add up to more than it should.  However, by spending proactive dollars to ensure that a proper strategy is in place, companies tend to see a better return on investment.  Over the years without proper direction, many organizations will find their security posture stagnant.

If you would like to learn more about what a vCISO has to offer or how it can fit into your organization, visit our vCISO service page or contact us at 888-277-8320.

Mike Miller is a cybersecurity professional with 25 years of experience through the IT industry.  He has focused on security, specializing in the areas of Virtual Chief Information Security Officer services, Governance, Risk, and Compliance, PCI, SOC, Intrusion Detection, Penetration Testing, and Incident Response.  In 2011, Mike founded Cyber Protection Group, which was acquired by Appalachia in 2022.  Mike is passionate about mentoring and assisting aspiring cybersecurity professionals and can be found regularly sharing insight on his LinkedIn profile.  When he isn’t fighting cyber crime, Mike loves spending time with his wife and kids, often boating in the Ozarks.