About Virtual CISO (vCISO)

The term "vCISO" is commonly used to describe all the outsourced functions of a security program, but this can be misleading.

Generally, a CISO is only meant to lead the information security program in an organization. CISOs can also be called the manager, deputy director, director or vice president of information security.

A true virtual CISO (vCISO) is only an outsourced CISO function, not the rest of your security program.

Your security program is a combination of policies, standards, processes, and security technologies. A successful program will also need other specific roles or people to perform those processes and configure the security technology, to align to those standards and meet the policies. Even if your organization is small, there's a good chance you'll need more than just a CISO to run security in your organization.

A standalone CISO can't be the only one implementing and maintaining a repeatable program — it's unreasonable to think that one person can build a security program's different processes and run all of them at the same time.

So, in order to develop a repeatable security program, a virtual CISO can be a great option.

The use of a virtual CISO can be a great option in that they often have more access to the additional resources that are generally required to meet all program requirements.

Hiring a vCISO from a managed security organization with the additional resources can help you build or strengthen your security program in an efficient and cost-effective manner.

Step 1: Educate Yourself

• Understand the business goals of your security program, what types of information you handle, and any regulations you have to adhere to.
• Know what goes into a security program, including the scope of your program, business requirements, and other specifics for your industry.
• Research available vCISO and managed security providers with a budget in mind.

 
Step 2: Understand Your Current State

• Check your program's alignment to best practices, regulations, documentation, maturity, architecture, and resource capability.
• Understand different ways to measure your current state (using internal resources, with a paid assessment with an external company, using recent customer assessments, etc).

 
Step 3: Flesh Out Your Options

• Start getting ready to share what you've found with upstream decision-makers and other members of your organization.
• Choose 3 - 4 options for implementing a vCISO or other managed service option into your organization.
• Besides pros and cons, include annual costs, resource and technology elements, as well as impact on your current state.

 
Step 4: Tell the Story

• Consolidate your findings and new information into a concise deck or presentation.
• Share information in regular meetings with decision-makers and program stakeholders.
• If you're engaging external service providers, share what you've found out about your program and business requirements with them.

 
Step 5: Make a Decision

• Choose a plan to go forward and start improving your security program!