Hiring a virtual chief information security officer

November 1, 2022 by Drew Robb

As detailed in the previous story, chief information security officers (CISOs) are both expensive to hire and difficult to find. This also holds true, to a somewhat lesser degree, for other C-level IT positions such as chief information officer (CIO) and chief technical officer (CTO).

A solution that is taking root is to hire a virtual executive — someone who works for a managed service provider or executive services firm and who is contracted by an organization to provide X hours per week of C-level services (alternatively, it might be on a retainer with no specified number of hours). 

Where to find virtual CISOs

Companies such as Fortium Partners, Ntiva and IT Support Guys provide C-level and other personnel. The terms of service vary considerably among providers. Some are available to give strategic input or advice when needed. They operate more like a sounding board on ideas, strategies and existing issues. Others take on a broader advisory role that extends to product selection, candidate vetting and final contract negotiation with other IT vendors. 

But increasingly, the tendency is to have the person function as a C-level exec as though they worked as a full-time employee. Perhaps the person is available on mornings, Mondays or Wednesdays to fulfill those functions. 

In this era of remote work, this approach has more appeal as employees increasingly don’t interact much in an office environment. Almost everyone is virtual, so another virtual executive is easy to bring into the fold. 

The vCISO: Ready to work & in demand

In particular, the virtual CISO (vCISO) market is showing the greatest traction within the C-level virtual executive market. Providers are emerging that specialize solely in this space. vCISO specialists include H2Cyber, Thrive and VARS.

Organizations in need of CISOs are gravitating to this market because of the sharp rise in cyberattacks such as ransomware, and because of the salary escalation trend for these executives. vCISOs offer C-level assistance in devising and implementing strategies to prevent breaches, reduce risk and mitigate the consequences of attacks. 

“Regulators will be looking to make sure you have basic cybersecurity measures in place to reduce the risk of a cyberattack as well as having required safeguards in place to protect client and customer information,” said Paul Horn, founder and CEO of H2Cyber. “A vCISO allows the organization to navigate through the increasing number of cybersecurity regulations by building a comprehensive cybersecurity program accounting for compliance and security.” 

Employing virtual CISO services? What to expect.

Bringing in a virtually-based outsider, though, can be challenging. On the one hand, it introduces a fresh perspective and one that can provide more expert direction on cybersecurity and strategy. But the person may be unfamiliar with your company’s business model, the market, overall corporate strategy and ongoing trends.

Therefore, a good first step is to ensure that the vCISO is familiar with your business and market. Without this, strategies and advice could be too generic and may miss the mark. 

Be aware, though, that experience in a specific vertical or geography can be overemphasized. Some organizations simply need a thorough overhaul on the cybersecurity front. 

What will my vCISO do?

A good vCISO can quickly become familiar with the business environment during the engagement’s early stages. They can do this as part of a thorough risk assessment that extends from one end of the cybersecurity landscape to the other. During this phase, you can anticipate your virtual CISO will: 

  • Get up to speed on regulations that apply to your company’s vertical or geography 
  • Isolate areas of high vulnerability
  • Identify critical patches that are needed 
  • Diagnose major security weaknesses 
  • Form overall impressions into a risk profile of your organization

These assessments are the bread and butter of the CISO function. Yet they are nowhere to be found in many organizations. Hence, someone coming in and doing this fills a void, compensating for any lack of experience in a specific market. 

The next big job of the CISO is to use the risk assessments that they’ve built to formulate a plan that will minimize risk. This plan encompasses: 

  • Setting and revising security policy
  • Steps to shore up cybersecurity weaknesses 
  • Direction on technology purchases
  • Devising an overall cybersecurity strategy 

This will set the course for the organization to follow on the security front and guide all actions below the CISO level across every IT zone. Such plans are not static affairs. They must be continually revised and updated. The vCISO stays abreast of shifts in the risk profile and keeps plans current. The vCISO also apprises top management and the board of the cybersecurity picture and has the duty of enforcement and compliance. 

“A vCISO allows organizations to navigate the increasing number of cybersecurity regulations by building a comprehensive cybersecurity program accounting for compliance and security,” said Horn. 

Is artificial intelligence qualified to be your next CISO?

If there is an Achilles heel of the vCISO function, beyond blatantly unqualified people carrying it out, it is scale. Many of the service providers operating in this space employ skilled cybersecurity veterans, but those veterans can only serve a small number of clients. Beyond that, providers either must cut corners or hand things off to less experienced resources who may not do as thorough a job. 

To help service providers scale vCISO services, and to let managed service providers (MSPs) offer them even when they have no CISO-caliber people on staff, platforms are emerging that take care of much of the groundwork that consumes the bulk of any CISO’s time.

“The scaling of vCISO services is best accomplished by introducing software to take care of assessment and general planning automatically and by harnessing Artificial Intelligence (AI) to take into account the many variables introduced by vulnerabilities, exploits, regulations, standards and overall risk,” said Roy Azoulay, co-founder and COO of Cynomi.

“AI is required to automate risk and compliance assessments, auto-generate tailored policies and provide actionable remediation plans with prioritized detailed tasks, task management tools, progress tracking and customer-facing reports.”  

What will an artificially intelligent CISO do?

This is accomplished by modeling AI algorithms on the best practices adopted by the world’s top CISOs. Such AI engines continuously parse cyber profiles against relevant resources such as: 

  • NIST or ISO frameworks
  • Industry standards and benchmarks
  • External threat intelligence tools
  • Compliance requirements

Vendors like Cynomi and others are now releasing these platforms to ease the vCISO scaling burden on service providers. They enable MSPs to set up vCISO services more easily while reducing operational costs and filling professional knowledge gaps.

These platforms generate tailor-made cybersecurity policies on the fly. Based on benchmarks for every sector, MSPs and managed security service providers (MSSPs) can inform their clients how their risk posture measures up against their peers. 

“vCISOs can immediately view the vulnerabilities their clients are exposed to and refer to prioritized actions that lay out what to do next,” said Azoulay. “This makes it easier for vCISOs to create a structured plan for compliance with policies that are mapped to any framework.”

Drew Robb is a writer from the Tampa Bay Area specializing in IT and engineering.