How to Choose a Virtual CISO


Quality cybersecurity team members are hard to find in today’s market, which has led many organizations to consider engaging a virtual chief information security officer (vCISO) to lead their strategy. Engaging a fractional vCISO solves many of the issues that accompany hiring a full-time employee, by letting you sidestep soaring salaries, high turnover and competition for the best talent.

But just as with any professional service, the market is full of people who market themselves as a vCISO without having the qualifications you want in an executive-level leader guiding your cybersecurity program. In this blog, we summarize key traits to look for to ensure that you choose a vCISO qualified to set a strategy that’s cost-effective, efficient and in line with relevant compliance frameworks.

Business Mindset

Cybersecurity strategy must align with your overall business goals. So you’ll want a vCISO who truly understands how your organization makes money, what makes it different from competitors and where leadership wants to go. Benchmarking your status against other organizations within your industry can be beneficial. But if you get the sense that a vCISO candidate delivers the same templated advice to every client, keep shopping.

History of Hands-on Work

Certifications are meaningful and a good differentiator among candidates. But between two similar-sounding vCISOs, hands-on experience trumps training. If a vCISO has worked on an in-house security team before, they have firsthand knowledge of selling ideas to executives, working within budgets and getting team members to catch the security vision.

Communication Skills

Nearly every job listing throws this requirement in at the end. But with a vCISO, it’s mission-critical. A vCISO typically serves as the liaison between the IT leaders and the C-suite and sometimes the board of directors. They need to be able to make the business case for security investments in plain English. The vCISO will also represent you with auditors and regulators, so your success often rides on their ability to build relationships and persuasively explain your position.

Varied Experience

No single company or industry has a monopoly on best practices for cybersecurity. So the best vCISOs have worked in multiple areas, giving them broad exposure to ideas they can apply to your situation.

Background with Incident Response

Much of your cybersecurity strategy will focus on preparing an incident response plan and effectively dealing with breaches when they happen. Find out how much your potential vCISO has worked in this area. Ask for specific examples of when they’ve handled a breach.

Expertise with Multiple Frameworks

A vCISO will help you choose one core information security framework to guide your strategy. NIST 800-171 is one of the most popular, for example. But your specific business and industry may point you to another framework. Your vCISO should have broad expertise in following several widely accepted frameworks.

Regulatory Background

Some industries, such as healthcare and banking/finance, have significant requirements under regulations such as HIPAA or Sarbanes-Oxley. And nearly every organization has to understand its obligations for laws governing handling of personally identifiable information (PII) or credit card information (covered by PCI-DSS). Your vCISO should be able to accurately determine your requirements and help you meet them.

Current Knowledge

Hackers change tactics constantly, and lawmakers pass new information security regulations every year. Your vCISO should be on top of an ever-changing industry. If they only talk about threats and tactics from 10 years ago, that’s a red flag.

Package of Annual Services

The fee for quality vCISO service should include staples such as an annual risk assessment; an annual tabletop exercise; regular meetings with your team; and more. The vCISO isn’t just on call when you need them. They set the agenda and manage annual milestones in your program.

Part of a Team

A one-person vCISO operation can bring a wealth of insight, but they’re still just one person. If you choose a vCISO who works within a larger organization, they can tap the knowledge of other vCISOs around them. And in a dedicated information security firm like HBS, vCISOs have access to experts from the digital forensics team and SOC team when they need it.

HBS's team of vCISOs are ready to talk about their work in all of the areas covered in this blog.

If you need help with your cybersecurity strategy, contact us today.

Nate Freidhoff