Virtual CISOs: Security Leader or Security Risk?

Author: Brian K. Ngac, CRISC, CISM, CGEIT, CCISO, CISSP-ISSAP, ISSEP, ISSMP, PMP
Date Published: 27 August 2021

Every organization needs a leader dedicated to establishing, executing and preserving its information security mission. For many mature organizations, this leader is the chief information security officer (CISO). The CISO is an executive-level position representing the information security function within an organization and is generally responsible and accountable for the organization’s security architecture, operations, governance, risk and compliance.1

Although it is important for an organization’s CISO to have a technical IT and security background, the CISO also needs excellent business acumen to understand the goals of the organization and how security can be aligned so that the organization can accomplish those goals. More importantly, the CISO must have the communication skills to translate technical security terminology into business language and metrics that the CISO’s executive peers and the board of directors (BoD) can understand.2

These skills are important because the majority of the CISO’s job function is to ensure that the organization’s security posture is properly aligned to the organization’s mission, so that the organization can deliver products and services to its clients securely, efficiently and effectively.3 It is important to remember that CISOs are not there to implement hands-on security.4 Instead, the CISO plans, advises, coordinates and manages the security strategy, policy, implementation and operation. As organizations become more dependent on technology, adopt the cloud and integrate Internet of Things (IoT) devices into their products and services, the demand for the CISO function continues to grow.5

In many organizations, to be hired as a CISO, a candidate must have multiple credentials, such as a technical or business administration master’s degree along with cyber management certifications (e.g., Certified Information Security Manager® [CISM®]). They must also have a certain number of years of experience in IT, security, management and leadership.6 Along with all the experience a CISO may bring to the table, they also may come at a hefty cost to an organization, including an average annual salary of US$150K–US$250K.7 In some cases, the total cost can be two or three times that figure once organization-paid benefits are included.

Because of the level of expertise required, the high salaries and the well-known shortage of qualified CISOs, many small and mid-sized organizations cannot afford or justify the case for a full-time CISO.8, 9 This may lead an organization to fold the responsibilities of a CISO into another executive role, such as the chief information officer (CIO), or to not have a strategic information security role at all.10 The lack of a dedicated information security leader can put an organization at higher risk of a security compromise.

Virtual CISOs

To address the demand for CISOs in the industry, virtual CISOs are being used by small and mid-sized organizations, advertised in job ads and marketed by managed security service providers (MSSPs). Virtual CISOs can be described as independent security experts offering “CISO-as-a-Service” solutions. An organization procuring these services can hire a virtual CISO as an independent consultant or through an MSSP.11 The individuals who can be hired as virtual CISOs are often former executives, seasoned professionals and career consultants in the information security field. Based on their backgrounds, virtual CISOs are often security experts who have:12, 13

  • Years of experience in security strategy, risk and compliance
  • Experience communicating at the executive and board levels
  • Experience implementing security within an organization

Typically, a virtual CISO provides remote and part-time services to their clients, and many work with multiple clients simultaneously.14 CISOs and virtual CISOs typically have similar qualifications, experiences, roles and responsibilities. For example, the roles and responsibilities of both virtual CISOs and CISOs should be to strategize, advise, coordinate and manage information security, but not to perform hands-on implementation work such as configuring firewalls.15

A VIRTUAL CISO IS MAINLY FOCUSED ON PRESENTING TO EXECUTIVE MANAGEMENT PEERS, THE BOD AND EMPLOYEES OF THEIR ORGANIZATION.

Like a CISO, a virtual CISO is mainly focused on developing and implementing a security strategy for the organization and presenting to executive management peers, the BoD and employees of their organization. Therefore, they must have good communication skills to articulate security matters in both business terms and IT vernacular.16, 17 What separates the virtual CISO from the CISO is that the virtual CISO must be able to quickly understand each client’s business and market environment and then adapt the security strategy to secure that specific environment.18

Virtual CISO services can be procured using a number of different methods, including on retainer, on a project-specific basis or on an as-needed basis (figure 1).19, 20, 21, 22 There also can be several different hybrid methods of using virtual CISO services, but those listed in figure 1 tend to be the most common.

The Benefits of a Virtual CISO

There are many benefits and reasons why an organization may decide to hire a virtual CISO rather than a full-time, dedicated CISO. The biggest reason might be cost. Many small and medium-sized organizations cannot afford a full-time CISO, and it can be difficult to justify hiring one when the organization’s security has not been compromised. Using a virtual CISO can cost as little as a third of hiring a full-time CISO because of differences in labor hours, benefits and taxes.23

Hiring a virtual CISO can also be beneficial for organizations in non-IT-focused markets and for startup enterprises that are focused more on innovation investment than on security.24, 25 The virtual CISO can be brought into these types of organizations to help secure and educate, as necessary, so that the organization can focus on its line of business while spending only what is needed to secure its products and services.

On-demand access to multidomain information security experience is another benefit of hiring a virtual CISO.26 The vast experiences virtual CISOs have enable them to be excellent security advisors.27 Because virtual CISOs are temporary and part-time, an organization can hire:

  • An individual virtual CISO with a wide range of experience
  • Multiple independent virtual CISOs specializing in different areas of expertise
  • An MSSP that has access to multiple virtual CISOs to support the needed effort

Virtual CISO services can be customized in varying ways based on the needs of the organization.28 This flexibility, along with its cost-savings potential, makes virtual CISO services more attainable for many organizations than hiring a full-time CISO with the same required or desired level of expertise and experience.29 Also, if the virtual CISO is not performing to the satisfaction of the organization or is not meeting their contract obligations, it is easier to change the virtual CISO than it is to fire and rehire a full-time CISO.30

Compliance with standards and regulations is another common reason organizations procure virtual CISO services. For example, a virtual CISO can be procured to help an organization put in place the administrative and technical security controls necessary to achieve compliance, but they can also be hired simply to satisfy a requirement that a dedicated entity or leader be responsible for the security function.31 The US State of New York Department of Financial Services regulation 23 NYCRR Section 500, which requires an organization to designate a qualified person to be responsible for its cybersecurity program, is an example of such a requirement that an organization can meet by hiring a virtual CISO.32

Because the virtual CISO is external to the organization, an organization’s internal IT and security team may be more likely to share their concerns and ideas with the virtual CISO, whose job is to allocate security resources so the employees can do their jobs more effectively.33 Moreover, while the virtual CISO is focusing on the security strategy and the board’s communication efforts, the internal IT and security teams can focus more on security implementation and monitoring efforts.34

Some people believe that virtual CISOs have no loyalty to the organizations they work for because they have several clients and their roles at each organization are temporary. Thus, they are not as concerned about losing their job as a full-time CISO would be. For this reason, virtual CISOs tend to be more straightforward with bad news, and their recommendations are not hindered by organizational politics.35 Although a virtual CISO may not be as loyal to the organization as a full-time employee, they still need to perform at an exceptional level for all their clients to uphold their reputation and receive referrals.36

ONE RISK OF USING A VIRTUAL CISO IS THE LACK OF ACCOUNTABILITY WHEN A SECURITY INCIDENT OCCURS.

Even if an organization already has a full-time CISO, a virtual CISO could be hired to:37, 38, 39

  • Be the interim CISO when the position is vacant
  • Mentor a new CISO
  • Participate in specific efforts in which the full- time CISO lacks expertise or has time constraints
  • Perform a task that requires separation of duties from the full-time CISO

With the many benefits that a virtual CISO can bring to an organization, it would not be unusual to see more organizations of varying sizes adopting the virtual CISO model or purchasing some variation of virtual CISO services.

The Risk of a Virtual CISO

Although there are many benefits to hiring a virtual CISO, organizations should also weigh the potential risk. One risk of using a virtual CISO is the lack of accountability when a security incident occurs. As it should, the accountability for security-related events and activities falls on the organization’s board members and executive management.40 But having a virtual CISO who is not an employee of the organization can sometimes give the illusion that accountability ends with them. In fact, some virtual CISO service organizations include legal documents in the service agreement that protect their virtual CISO from liabilities that might result from the services.41

Another major risk that may arise when using a virtual CISO is whether they can devote sufficient attention, in a timely manner, to a client’s incident response.42 For example, if three of a virtual CISO’s clients are experiencing security compromises at the same time, how can they respond properly and promptly to each? If the virtual CISO services come from an MSSP, it is likely that the organization will still receive the necessary support because an MSSP can allocate resources to different clients at the same time. However, if an organization’s virtual CISO is an independent consultant with multiple clients, they may not have time to work on each client’s issues as thoroughly.

Another risk that may arise when using a virtual CISO is their loyalty to the organization.43 For example, the loyalty of a virtual CISO can be questioned when they prioritize some clients over others based on revenue or past relationships. Loyalty can also come into question when the virtual CISO recommends services and products that the client organization does not need. For example, a virtual CISO working for an MSSP may try to upsell their client on services and products provided by the MSSP.44 Similar to cloud service provider (CSP) lock-in, CISO lock-in could become a risk for the organization.45 CISO lock-in occurs when an organization becomes so dependent on a particular virtual CISO service that it is difficult to switch to a different virtual CISO service when the organization wishes to do so.

ORGANIZATIONS CAN START DEFINING ROLES AND RESPONSIBILITIES BY LOOKING AT CURRENT OPEN CISO JOB ADS.

Considerations When Hiring a Virtual CISO

Besides weighing the benefits and risk, there are several other things to consider when deciding to hire a virtual CISO:

  • Clarify the organization’s needs and wants—Whether the organization is IT-focused or not, internal teams and executives should research to determine requirements so the virtual CISO service request can be defined clearly in terms of roles and responsibilities.46
  • Define the roles and responsibilities—Organizations can ask peers in their industry for suggestions and past experiences. Keep in mind that virtual CISOs’ qualifications are similar to those of full-time CISOs in terms of experience in information security, leadership, strategy and communications. Therefore, organizations can start defining roles and responsibilities by looking at current open CISO job ads. Defining the role is important because when organizations do not clearly define their expectations or do not effectively manage those expectations after the hire, the benefits and value of virtual CISO services may not be properly realized.47
  • Get buy-in from executive management, the BoD, and internal IT and security team leads—Without buy-in from these groups, the probability that the virtual CISO will have the necessary budget allocation, level of autonomy and authority to operate is slim.48 This could result in a low probability of success for the virtual CISO and the organization’s security.
  • Establish and maintain constant and clear communication—Communication should be clear between the virtual CISO, executive management, board members, and internal IT and security teams to fully benefit from the services.49 This includes asking questions, requesting business and technical metrics, and verifying results as defined in the contract.
  • Appoint an internal individual in a security management or leadership role—The virtual CISO primarily operates in an advisory role to the organization, because they are in the organization temporarily and are not accountable for the organization’s security once their contract ends. Therefore, an internal leader is needed who can champion the security strategy and effort recommended by the virtual CISO.50 In certain situations, virtual CISOs can be hired to perform their services for an organization full-time. But often this is not recommended, because the virtual CISO may have other commitments and clients.51 It is therefore important that the organization ensures the virtual CISO provides sufficient turnover documentation upon the conclusion of their contract. This helps ensure a smooth transition.52

ULTIMATELY, AN ORGANIZATION IS BETTER OFF USING A VIRTUAL CISO THAN NOT HAVING ANY SECURITY VOICE OR ADVICE.

Conclusion

While larger organizations are generally able to hire and pay top dollar for a full-time CISO, smaller organizations may not be able to afford one due to salary requirements and availability. The virtual CISO alternative can be just as successful and, at times, better for smaller organizations. The Howard County, Maryland, USA, virtual CISO program is a good example of success using virtual CISOs. Organizations that are part of the Howard Tech Council can request free virtual CISO services if they do not have their own CISO. The virtual CISO volunteers in the Howard County program include individuals from organizations such as AT&T and the US Department of the Interior and have a substantial amount of executive security experience.53 Ultimately, an organization is better off using a virtual CISO than not having any security voice or advice. The virtual CISO may not be the organization’s security leader (and should not be), but the organization does need an experienced and strategic voice to help its leadership understand and conduct business securely. It is better to have a virtual CISO than no CISO at all to advise the organization’s executives and board members so they can make good business decisions based on security and risk management best practices. Organizations should avoid joining the list of enterprises that create a CISO role only after they experience a major security compromise.

Author’s Note

If you are a practicing CISO or virtual CISO and would like to be interviewed for future research endeavors in cybersecurity executive management, please email bngac@gmu.edu.

Endnotes

1 Fruhlinger, J., “What Is a CISO? Responsibilities and Requirements for This Vital Leadership Role,” CSO, 14 January 2019, https://www.csoonline.com/article/3332026/what-is-a-ciso-responsibilities-and-requirements-for-this-vital-leadership-role.html
2 Ibid.
3 Tittel, E.; Follis, E.; “How to Become a Chief Information Security Officer (CISO),” Business News Daily, 31 July 2019, https://www.businessnewsdaily.com/10814-become-a-chief-information-security-officer.html
4 Aiello, M.; Schneidermeyer, P.; “Four Mistakes to Avoid When Hiring Your Next Information Security Chief,” China Business Review, 9 December 2016, https://www.chinabusinessreview.com/four-mistakes-to-avoid-when-hiring-your-next-information-security-chief/
5 Nandikotkur, G.; “The Business Case for Virtual CISOs,” Bank Info Security, 7 August 2015, https://www.bankinfosecurity.asia/business-case-for-virtual-cisos-a-8459
6 Op cit Tittel
7 Op cit Fruhlinger
8 Op cit Nandikotkur
9 Drolet, M.; “Hired Guns: The Rise of the Virtual CISO,” CSO, 5 August 2016, https://www.csoonline.com/article/3104645/hired-guns-the-rise-of-the-virtual-ciso.html
10 Ibid.
11 Op cit Nandikotkur
12 Ibid.
13 Drinkwater, D.; “Are Virtual CISOs the Answer to Your Security Problems?” CSO, 3 March 2017, https://www.csoonline.com/article/3174808/are-virtual-cisos-the-answer-to-your-security-problems.html
14 Ibid.
15 Ibid.
16 Ibid.
17 Drinkwater, D.; “What Is a Virtual CISO? When and How to Hire One,” CSO, 9 March 2018, https://www.csoonline.com/article/3259926/what-is-a-virtual-ciso-when-and-how-to-hire-one.html
18 Ibid.
19 Ibid.
20 Townsend, K.; “The Rise of the Virtual Security Officer,” Security Week, 23 October 2018, https://www.securityweek.com/rise-virtual-security-officer
21 Op cit Nandikotkur
22 Drolet, M.; “Secure Your Future With a Virtual CISO,” Infosecurity Magazine, 1 April 2015, www.infosecurity-magazine.com/opinions/secure-your-future-with-a-virtual/
23 King, W. B.; “Why More Credit Unions Are Opting for Virtual CISOs,” American Banker, 16 April 2018, https://www.americanbanker.com/creditunions/news/why-more-and-more-credit-unions-are-opting-for-virtual-cisos#
24 Op cit Nandikotkur
25 Hatchimonji, G.; “HOCO CISO Program Breaking Ground With ‘Virtual’ CISOs,” CSO, 24 March 2014, www.csoonline.com/article/2134523/hoco-ciso-program-breaking-ground-with--virtual--cisos
26 Op cit Nandikotkur
27 Op cit King
28 Ibid.
29 Drolet, M.; “New Cyber Regulations Highlight Need for Virtual CISOs,” CSO, 5 September 2017, https://www.csoonline.com/article/3207540/new-cyber-regulations-highlight-need-for-virtual-cisos.html
30 Op cit Nandikotkur
31 Op cit Drolet 2017
32 Op cit Townsend
33 Op cit Drinkwater 2018
34 Op cit King
35 Op cit Drinkwater 2017
36 Op cit Townsend
37 Op cit Nandikotkur
38 Op cit Drinkwater 2018
39 Op cit King
40 Op cit Drinkwater 2017
41 Op cit Hatchimonji
42 Op cit Townsend
43 Op cit Drinkwater 2017
44 Op cit Townsend
45 Op cit Drinkwater 2017
46 Op cit Drinkwater 2018
47 Ibid.
48 Ibid.
49 Op cit King
50 Op cit Drinkwater 2018
51 Op cit Townsend
52 Op cit Drinkwater 2018
53 Op cit Hatchimonji

Brian Ngac, CRISC, CISM, CGEIT, CCISO, CISSP-ISSAP, ISSEP, ISSMP, PMP

Is an instructor of information systems and operations management at George Mason University’s School of Business (Fairfax, Virginia, USA). His research interests are in the areas of cybersecurity executive management, the human factor in cybersecurity implementation and cybersecurity education. Ngac primarily focuses on teaching senior undergraduate and honors students. He also teaches technology management in the school’s Executive Master’s program. He can be contacted at bngac@gmu.edu.