A chief information security officer (CISO) holds immense responsibility and power in today’s workforce. That’s why one of the most important considerations when building your company’s cyberdefense infrastructure is whether there’s a significant return on investment (ROI) in comparatively low vCISO pricing rather than full-time, executive-level staffing. In the sections below, we’ll help you understand the trade-off so you can decide if it’s right for your enterprise.
How to Interpret Virtual CISO Pricing
Recruiting, hiring, and retaining a traditional CISO can be prohibitively expensive, especially for small- to medium-sized companies. If your IT and overhead budgets are already stretched thin, it might not be feasible to hire another C-suite level executive.
In comparison, contracting a vCISO can be significantly more affordable. But do you sacrifice any of the role’s functionality in doing so? In this article, we’ll break down the three critical elements of understanding vCISO pricing:
- Actual costs of internal and virtual CISOs
- Which factors impact the cost of a virtual CISO
- What qualities to look for in an ideal vCISO partner
By the end, you’ll be well informed on how to fill your CISO role (whether to hire in-house or outsource). But first, let’s take a quick look at what exactly a vCISO is, compared to a traditional CISO.
Virtual CISO vs. CISO: What’s the Difference?
Understanding the role of a virtual CISO requires an understanding of a traditional, internal CISO’s functionality. Per CSO Online’s definition of the role and responsibilities of the CISO, adapted from the pioneer of the role, Stephen Katz, there are eight main functions to expect of a CISO:
- Real-time security operations
- Cyber risk intelligence and analysis
- Prevention of data loss and fraud
- Security architecture implementation
- Identity and authorization management
- Cyberdefense program management
- Cybersecurity forensic investigation
- Overall IT and security governance
Ultimately, there is very little to no difference between the function of a vCISO and an internal, traditional CISO. The vCISO will typically deliver all of the same security benefits to your company, only from a remote and on-demand basis rather than being a full-time employee.
Internal vs. Virtual CISO Costs
The most significant difference between a traditional CISO and a virtual CISO, by far, is the functional cost of each. The most immediate metric to measure this difference is in the salary paid to a CISO, compared to on-demand fees paid to a vCISO.
Consider these figures:
- Per GlassDoor’s conservative estimates, the average CISO makes $99 thousand dollars per year in base pay, with the average range between $73 and $130 thousand dollars.
- Per more moderate PayScale data, the average CISO salary is over $165 thousand dollars per year, with a middle range between $105 and $229 thousand dollars.
- However, per Salary.com’s estimates, the median CISO salary is over $222 thousand dollars per year, and the average range is between $168 and $288 thousand dollars.
Averages across these figures net out at $162 thousand dollars at the median, with a range of $115 to $215 thousand dollars at the low and high ends. Needless to say, this is a high-paying position.
Much less aggregate data is available on vCISO earnings, as they are contracted on a part-time or as-needed basis. However, vCISOs are estimated to cost as little as 30 percent of these figures per year (under $30 thousand dollars, using the lowest model), per CSO Online.
vCISO Savings Beyond Sticker Price
Another complicating factor when comparing the costs of traditional CISOs and vCISOs is that the base salary paid to a CISO is far from the only expense they incur. Beyond the salary, full-time executives also typically command robust bonuses and benefits. Returning to Salary.com’s data, these break down as follows:
- Accounting for CISOs’ salary and bonuses, the average annual pay is $270 thousand dollars, ranging from $181 to $377 thousand dollars at the low and high ends.
- Accounting for the entire benefits package, including retirement and other niche costs, the total median compensation of a CISO is over $354 thousand dollars per year.
Furthermore, these figures don’t account for the cost of recruiting a CISO, nor retaining one once hired. A traditional CISO is also likely to command a large budget and staffing.
With a vCISO, there’s no need to pay for additional staff—the individual or team will leverage the resources already available on their end (and in your company) to execute their work.
Main Factors Impacting vCISO Pricing
As the above sections illustrate, you can expect major savings when deciding to opt for a vCISO instead of a traditional CISO. But not every company should expect to save 70 percent by default. The most significant factors impacting what a vCISO will cost you include:
- Governance and IT staffing – The bigger and more skilled a company’s existing IT department or dedicated personnel group, the less a vCISO contract may cost.
- The current state of cyberdefenses – The existing architecture a company has in place determines how much work the vCISO has to do, with the price adjusting accordingly.
- Regulatory compliance needs – If your company needs to abide by one or more regulatory frameworks, such as HIPAA, a vCISO contract may be more expensive.
- History of cybersecurity events – Finally, a company that has been a frequent target of hackers and cybercrime may expect to pay more for vCISO (and other) services.
Importantly, the cost isn’t the only factor you should consider when shopping around for a CISO. There are also some basic requirements you should expect.
What to Expect from a Quality vCISO
Given the trade-off in cost, it must be said that a vCISO is not exactly the same as a traditional, internal option. To update the definitional requirements for a CISO from Stephen Katz (touched on above), you can expect six main functions from a quality virtual CISO team:
- Architecture implementation, from planning through design and execution
- Governance and compliance, across all required regulatory frameworks
- Ongoing security operations, including everyday monitoring and mitigation of risks
- Identity and access management, tightly restricting access to sensitive information
- Data breach and loss prevention, including reaction and recovery when attacks happen
- Cybersecurity risk analysis, to proactively identify and prevent future data breaches
As you can see, these six requirements overlap almost entirely with the eight above. As long as these functions are delivered, a vCISO offers immense value over a traditional CISO.
RSI Security: Your Ideal vCISO Partner
Here at RSI Security, we know exactly how important it is for companies to find the right fit for their CISO role. When you contract with us, your CISO isn’t just one individual; it’s a talented team of experts who have helped companies of all sizes for over a decade.
RSI Security’s dedicated suite of virtual CISO services delivers all of the six functions above (and any other solutions you may need) across three distinct channels:
- A security advisory team to design, implement, and oversee controls
- Robust security awareness, including powerful analytics to prevent attacks
- Comprehensive incident response, mitigating impact of attacks that do happen
Most importantly, our vCISO suite integrates seamlessly with countless other cyberdefense services and solutions we provide, from data center security through technical writing. Whatever managed IT and security services your company may need, we’re at the ready. To take advantage of competitive vCISO pricing and optimal functionality, contact RSI Security today!