Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


Top benefits of a virtual chief information security officer — and what to look for

Dec 04, 2019

Who is responsible for information security management in your organization? 

Chances are, it’s your IT department. Many businesses and organizations do not have a formal chief information security officer (CISO) or another dedicated security staff member. Often that’s due to budget constraints, an inability to find a CISO or a lack of leadership support in dedicating further resources to security.

But what about a virtual CISO (vCISO)? A vCISO can be an excellent resource for any organization that wants to put a greater emphasis on security and protecting their data, assets and customers but cannot hire an in-house, full-time CISO.

What is a virtual CISO?

One thing we should make clear is that a vCISO is not an outsourced CISO. An outsourced CISO is a third-party who acts as the security leader for the organization, making important decisions and leading the direction and implementation of the organization’s security efforts. 

A vCISO is more like an advisor and mentor. They are not the final decision-maker. Rather, the vCISO advises and provides insight to an organization based on their years of experience in the profession and having been a full-time CISO. Their mentorship of one or more employees in your organization can help you develop the internal security resources you need to protect your business.

As for their duties, a vCISO will often:

  • Participate in security project meetings, leadership meetings and board meetings.
  • Assist organizations with assessment/audit remediation.
  • Review contracts related to security projects, vendors, etc.
  • Perform vendor risk assessments.
  • Review and/or assist with the development of policies, procedures, standards, guidelines and supporting processes.
  • Perform compliance-based assessments of various security functions.
  • Provide expertise on regulatory and statutory requirements as they relate to security.
  • Assist with the development and implementation of security education, training and awareness activities.
  • Act as an advisor for incident response and breach management.
  • Assist and advise on matters related to security risk management.
  • Perform security research-related activities.
  • Assist with tactical and strategic planning.

What are the pros of a virtual CISO?

Those duties sound great, but maybe you’re concerned that they’re not going to be leading your security like a traditional CISO. So let’s go over the big pros of hiring a vCISO.

Today, experienced information/cybersecurity professionals are highly sought-after individuals. They often demand six-figure salaries and a VP or C-suite title — which means one big pro of hiring a vCISO is that costs are often 30-40% less than hiring a full-time experienced CISO.

And, because the vCISO is a consultant/contractor hired by your organization to provide advice and expertise on a variety of security-related issues, they are not an employee of your organization and as such don’t receive employee benefits. This is another significant source of cost-savings.

Then there’s the mentor benefit. If your organization has a person filling the security leadership role who isn’t that experienced, the vCISO becomes an invaluable resource and mentor. The vCISO may also act as a mentor or resource to the leadership team and board of directors, helping them understand the full implications of their current security and where they need to invest resources to further protect the organization.

Lastly, vCISOs are typically individuals who have 10 and upwards of 40 years of experience, have worked in a variety of industries as a security leader and usually hold a number of industry-recognized certifications. They bring much of the experience and expertise you need to the table.

Plus, if the vCISO has experience with HITRUST and SOC assessments/audits, they can be an invaluable resource in helping you prepare for and remediate findings of the assessment/audit. You could also utilize a vCISO to assist your internal resources when the actual assessment/audit is occurring, similar to leading the effort or acting as a project manager.

What should organizations look for in a virtual CISO?

A vCISO should be vetted no differently a normal employee. Specifically, your organization should:

  1. Verify their credentials, education, work experience, etc.
  2. Perform a background check
  3. Validate their industry experience
  4. Verify their breadth of experience (in other words, you should be hiring an experienced security generalist/leader, not an IT support, security administrator or firewall expert).

The most important piece of advice we can give is to fully lay out expectations for the vCISO in a contract.

For example, avCISO is typically a part-time resource working remotely and is not necessarily meant to be on-call. There may times — like an incident needing an immediate response — when the vCISO is be required sooner rather than later, but generally a reasonable response time to a phone call or email from your organization should be 24 hours and under. It’s important, though, to spell out in the contract things like time requirements and any onsite, face-to-face requirements.

Learn more about vCISO services

Because of the costs associated with finding a qualified security leader, small to medium-sized businesses and startups have the most to gain from hiring a vCISO. 

Plus, there may be regulatory requirements in your industry driving the need for greater security and a defined security risk management program. You don’t want security being a secondary job for someone on your staff who lacks the experience or even time to manage the security program — putting you at risk for data breaches, fines and litigation. A vCISO could be just what you need.

For information on Wipfli’s vCISO services, contact us. Or continue reading on about security:

Why security risk management isn't a once-a-year event

Why measuring needs to be a standard of your information security program

Insider threats: Are You ignoring the human risk in your information security program?


Director, Risk Advisory Services
View Profile