When it comes to maximizing cybersecurity efforts, companies face trade-offs between quality and cost. To prioritize quality, companies must hire competent personnel, then offer incentives to retain them. Unfortunately, this quickly skyrockets the security budget, especially when considering high-ranking positions like the chief information security officer (CISO). A CISO ensures your cybersecurity is operating effectively. However, this position also comes with one of the largest price tags.
A virtual CISO, or vCISO, can be the cost-effective option that doesn’t sacrifice quality. Read on for a vCISO definition and more.
What is a vCISO?
In the simplest terms, a vCISO is the virtual, outsourced equivalent of a conventional CISO. This position offers several benefits in cost savings and greater security, but companies should also consider the pros and cons of a vCISO’s external positioning. In this blog, we’ll provide:
- A baseline definition of what conventional, full-time (typically C-suite) CISOs are and do
- A comparative guide to what an outsourced vCISO can do, including the pros and cons
- A more detailed explanation of what to expect from the best vCISO partners or solutions
By the end, you’ll be well prepared to make decisions about what’s suitable for your company moving forward.
Conventional (Staff) CISO Definition
CISOs are top-level security executives responsible for the cybersecurity functionality of an entire company. Of course, not all companies have them, but the majority do—per one 2020 study of cybersecurity priorities, about 61 percent of companies had a CISO or some equivalent security executive. That figure shoots up to about 80 percent for the most prominent companies surveyed, suggesting that the role becomes more critical the bigger the scale and stakes of company-wide IT.
CISOs are typically among the highest-ranking individuals at companies that have them, regularly occupying a position in the C-suite. In some configurations, companies will employ a chief information officer (CIO) to whom the CISO reports directly. In others, however, the CISO and CIO roles may be the same, or the CISO may report to the CEO directly instead.
Security Architecture and Oversight
The primary responsibility of a CISO is ensuring that a company’s cybersecurity architecture is implemented seamlessly and fully protects all sensitive information processed, stored, or transmitted on company infrastructure. This includes physical hardware and software on the premises, along with measures for Wi-Fi protection and specific safeguards for cloud computing.
The CISO is responsible for ensuring all protections are correctly installed and then maintained.
But overseeing the actual hardware and software is only half the battle; the other half involves the integrity of practices and behaviors across the staff. Thus, another important responsibility for a CISO is overseeing all security awareness training programs that make personnel active participants in company-wide security culture. Most importantly, these should be integrated into all other training and retention efforts, with regular live drills and rigorous assessments tied to incentives.
Legal and Regulatory Compliance
Finally, one more major pillar of cybersecurity for which CISOs are typically responsible is the realm of regulatory compliance. Depending on your company’s industries, you may need to follow one or more regulatory frameworks. Some common examples include:
- PCI / PA-DSS – Companies that process payments via credit card or payment platforms must follow the Data Security Standard (DSS) or Payment Application DSS (PA-DSS), respectively, of the Payment Card Industry (PCI) Security Standards Council (SSC).
- HIPAA / HITECH – Companies in or adjacent to the healthcare industry must follow the Health Insurance Portability and Accountability Act’s (HIPAA’s) Privacy, Security, and Breach Notification Rules, enforced by the Dept. of Health and Human Services (HHS).
The CISO will determine strategies and resources needed for compliance implementation and maintenance, both internally and with the help of external, third-party assessors and advisors.
The Costs of Hiring a Full-time CISO
Because CISOs have business-critical responsibilities, they typically carry years of expertise and are paid relatively high salaries. For example, consider current data on CISO compensation:
- The median base salary for CISOs in the US is $224,305. Those in the 10th percentile earn $169,967, and those in the 90th earn $290,694 annually.
- These are only base salaries. Factoring in bonuses and benefits adds another $48,843 (bonus) and $84,247 (benefits), for a total annual cost of $357,395.
High as they are, these salary figures may underestimate the cost of employing a CISO. For example, they do not factor in the costs of lengthy interviewing and onboarding processes necessary to hire and integrate a CISO, nor the retention programs to keep them long-term.
vCISO Definition and Comparison
Compared to a conventional CISO, what is a vCISO? There is much more in common than is different between them. The actual roles and responsibilities are nearly identical, with the same oversight and management capacities. A vCISO, even as a contracted third party, will typically be expected to manage and oversee all aspects of cybersecurity architecture implementation and maintenance. They’ll also lead staff-wide training and manage compliance requirements.
The most significant difference by far lies in the cost factor; vCISOs are significantly more affordable on average than traditional CISOs. Other differences have to do with the potential for greater and more complex protections with a vCISO and the positionality of a vCISO outside the company, which has its advantages. Let’s take a look at these factors.
Cost Savings of a Virtual CISO Solution
Compared to the figures provided above, the sticker price of an outsourced vCISO is significantly lower than that of a conventional, full-time executive CISO. Companies can expect to pay as little as 30 to 40 percent of a full-time CISO’s base salary for a virtual solution. This amounts to an annual base cost of $67,291 to $89,722, on average.
However, the most significant savings for a vCISO come from the fact that the only payment they typically receive is this base rate, likely paid as a monthly retainer. They usually won’t expect an annual or performance-based bonus, and you probably won’t have to provide them any additional benefits. You pay strictly for the services conferred, without extra retention costs.
Greater Security, Advanced Approaches
Significantly lower costs are far from the only benefit of choosing a vCISO solution rather than a conventional, executive-suite CISO. Where a conventional CISO is a single individual paid many times more than a vCISO, a vCISO also brings an entire team of experts. This adds depth and breadth to the expertise, resulting in access to an array of advanced and effective practices.
For example, a vCISO is an ideal partner to integrate a penetration testing program, such as:
- External testing, where a simulated “ethical hack” begins outside the company to study how cybercriminals would breach your defenses, after which any identified weaknesses are patched.
- Internal testing, where the simulated attack begins from a position of privilege inside the company to study how quickly a breach can lead to complete control, so that such an escalation can be delayed or prevented.
Rather than tasking your in-house CISO with contracting out to independent pen-testers, using a vCISO enables one contract to handle both duties. You save on expenses without sacrifices.
External Positioning: Hidden Strength
The final difference between a conventional CISO and a vCISO might seem at first to be a weakness or con. A vCISO is, by definition, external to your company. The team fulfilling the role does not occupy a spot in your active roster, much less the C-suite of executives. They will report and answer to these leaders but will otherwise be considered outsiders.
On its face, this may suggest challenges to integration with your internal personnel. However, vCISOs’ external positionality is another reason they’re so effective at keeping you safe.
With an internal CISO, there are inherent concerns about how office politics may compromise their performance and commitment to the company. A CISO is likely to act in ways that benefit their own career interests, such as upward or lateral growth. So they may have ulterior motives to misrepresent the integrity of security controls in order to hide flaws. This isn’t true of a vCISO.
Optimizing Your vCISO Partnership
The sections above generally focused on providing a comparative CISO and vCISO definition, but one thing not addressed so far is that no two vCISOs are the same. The team at RSI Security offers a robust suite of vCISO services that make us the ideal choice for any company seeking to maximize its security while minimizing costs. The highlights include:
- Benefits of a whole team’s worth of security knowledge imparted to your internal staff
- Powerful analytical tools and insights to help you better understand your vulnerabilities
- Dedicated response teams optimized to reduce the occurrence and severity of attacks
Let’s take a closer look at each of these capacities to identify what qualities you should look for when choosing between a CISO and vCISO or even between contending vCISO candidates.
Bringing on a Security Advisory Team
As noted above, contracting a vCISO can mean more than adding one individual contractor to your network of vendors, service providers, and other strategic partners. Depending on your needs, it can be just that. But it can also mean adding an entire company’s worth of IT experts to your own, including dedicated experts in different fields. Thus, a vCISO is analogous to the most robust security program advisory teams in that it can augment your staffing resources and capacities.
The benefits of this arrangement reach far beyond the other bodies you can call upon to handle individual security tasks. These experts will also impart their wisdom to your internal personnel, informally through conversation and formally through the most intensive training programs available. For example, vCISOs can run incident response tabletop exercises to assess your staff’s response times in a low-stakes, informative environment to build skills.
Maximizing Overall Security Awareness
Awareness doesn’t come from training alone. The basis of an effective cyberdefense program is its ability to scan for, identify, and mitigate all vulnerabilities, threats, and risks. A robust threat and vulnerability management program overseen by your vCISO is the best way to see attacks coming and prevent them from ever testing your defenses.
Your vCISO will oversee various data gathering and analytics methodologies to do this. They’ll gauge the baseline performance to be expected for all hardware, software, users, and information, then compare these against the current status at regular intervals. Teams will also leverage third-party risk management to oversee all vendors, contractors, and other third parties. Other teams will work to assess the risk environment more broadly, including attacks on similar companies.
All in all, your vCISO will ensure that the fewest possible cyber-attacks happen to your business, and you’re ready for them when they do—which brings us to the last point.
Responding to Cybersecurity Incidents
Awareness and intelligence are invaluable for keeping attacks at bay. But even the most well-protected company is bound to experience an attack at some point. The most critical factor in surviving these, and thriving despite them, is a systematic approach to incident management:
- The vCISO will oversee monitoring and immediate identification of incidents in real-time.
- Then, a process of incident logging and analysis will inform appropriate mitigation tactics.
- The vCISO will issue a diagnosis of causes and immediate response protocols.
- Then, the vCISO will assign resources and personnel to identified mitigation strategies.
- Upon complete resolution of the incident, further analysis into root causes will begin.
- Finally, the vCISO will facilitate business continuity and client satisfaction, as needed.
Through these and other robust, flexible services, RSI Security’s vCISO program far exceeds the vCISO definition provided above. So contact RSI Security today to reap the benefits yourself.