Five Considerations When Selecting a vCISO Firm: The Right Partnership Matters

More than Checking a Box

In today’s world, it’s very common for startups to outsource key roles that are essential for business operations but don’t justify a permanent spot on the org chart. For many organizations, a vCISO (virtual Chief Information Security Officer) is a more cost-effective way to provide cybersecurity leadership. vCISOs are flexible because they can work in various ways: independently (as a consultant), through a vCISO services firm or managed security services provider (MSSP), or on a retainer/project basis.

In today’s environment, there seems to be a constant stream of risks and regulations to keep up with. With CISO salaries ranging from $250K–$400K annually, it’s no wonder many companies turn to virtual CISOs as a cost-effective alternative.

vCISOs play a critical role in securing the supply chain and proving trust to your customers. If you bring one in simply to check a box for SOC 2 or ISO 27001, you’re missing the point. Also, if you think your local MSP with general IT experience can handle it, think again. vCISOs should be able to do more than handle daily IT operations and tasks. The organizations that benefit the most are leveraging the vCISO’s true domain expertise to design and execute their cybersecurity and risk management program. The right vCISO doesn’t just pass audits, but rather works to uphold the integrity of your people, your reputation, and your bottom line.

The Difference Between Compliance and Resilience

Before getting into key tenets to look out for when evaluating a potential vCISO, it’s important to address the difference between a compliance-driven approach and a risk-management approach.

Compliance, while not bad in and of itself, is a reactive way to run a business. You want to maintain compliance with the latest industry standards and frameworks. However, if that is all you’re focused on, you are missing the maturity and stability that comes with a well-run cybersecurity program. The goal for organizations should be for compliance to serve as a byproduct of their cybersecurity program.

An Evaluation Checklist

In order to find a vCISO who can help your organization meet its goals and build a resilience-oriented approach, it is important to look beyond pricing or service menus. Instead, focus on the long-term partnership potential. The items below are in no way meant to be an exhaustive list, but rather a starting point for your organization’s future discussions.

  • Business Ownership: Ask who owns the vCISO firm. Is it privately held or backed by venture capital? VC-funded firms often prioritize short-term growth and valuation over long-term service quality, while privately held firms are more likely to take a ‘people-first’ approach. Because a growth-focused firm is measured purely on growth, its teams are often overworked and juggling too much.
  • Technical Expertise: Clarify what technical expertise is included in your contract and what’s not. Are services purely advisory, or do they include tactical execution such as vulnerability assessments, risk management, or incident response? Do the individual team members actually know how to secure the systems you use? Have they actually been responsible for cybersecurity programs internally at companies in the past?
  • AI is not a vCISO: Using AI to improve efficiency is an excellent place to start; however, it should be paired with a healthy dose of human oversight. AI cannot reason about your edge cases or apply judgement honed over decades of being in the trenches. Use it, but it doesn’t replace human expertise.
  • Looking Ahead: Ask prospective firms about their two- to three-year roadmap. A strong vCISO relationship should be able to show you measurable progress, meeting the items on your checklist while also bringing you new ways of innovating that you might not have considered.
  • Culture Fit and Team Continuity: You want a partner who acts as an extension of your internal team. If the human relationships aren’t great, the cybersecurity program will suffer. At the end of the day, partnerships are human connections that drive mutually beneficial outcomes. If you combine great human relationships with top-notch technical skills, you will win every time. Consider how stable their team is. If there is a high degree of turnover at the vCISO firm, institutional knowledge will leave, and relationships will not build. One final thought on this point: make sure that you will work with the same people consistently and not just a revolving door of low-level analysts.

Partnership over Price Tag

Selecting a vCISO can provide short-term benefits, but the real returns show up when the partnership is truly a strategic investment in your organization’s future. Having the right firm in your corner will help you not only achieve compliance goals but also build a cybersecurity culture that stands the test of time. There are cheap providers, low-cost providers, reasonably priced providers, and providers that are way too expensive. While budget matters to everyone, don’t be penny-wise and dollar-foolish.

The best partnerships go beyond protection, and they build trust across every level of the organization as well as among customers and prospects. In a world of constant change, a strong vCISO ensures your security foundation never wavers.

Let us help you take your cybersecurity program to the next level.
