Hiring a Virtual CISO Versus a Full-Time CISO: A Comparison

Virtual CISO

Most of us are aware that there is a huge shortage of qualified cyber security talent available to hire. A study by the Center for Cyber Safety and Education identified that there may be close to 100,000 unfilled UK cyber security jobs by 2022. With this staggering statistic, it’s no wonder that many organisations battle to fill the Chief Information Security Officer (CISO) role.

For those that do struggle with this problem, stay calm – there is an easier way to fill this role. Read on to explore the options, benefits, and cost-effectiveness of hiring a virtual CISO vs a Full-Time Equivalent (FTE) that may be the right alternative to meet your organisational needs. Let’s start by explaining what an outsourced virtual CISO’s role covers.

What is a virtual CISO?

A virtual Chief Information Security Officer (vCISO) is an independent resource that acts as a trusted advisor, providing the knowledge and skills needed to ensure that the organisation meets its Information Security Governance, Risk and Compliance Management objectives.

A good vCISO’s responsibilities will start with identifying the specific strategic and tactical assistance you need. Depending on your requirements they may perform tasks such as setting objectives, procuring solutions, creating or implementing security policies, guidelines and standards, deploying awareness training, conducting vendor risk assessments, code reviews, vulnerability scanning, security penetration testing or remediation activities. They may also design, implement and manage a framework to ensure your business’s compliance with standards including ISO 27001, PCI DSS, SOC 2 or DPA.

Virtual CISO benefits

Flexibility – The service can be utilised as a short or medium-term fix until you can recruit a permanent qualified and experienced CISO for your business.

Efficiency – vCISOs can be deployed immediately. Their expert knowledge enables faster and easier implementation of required action in a practice-oriented way – specific to your business requirements.

Synergy – External vCISOs can make use of their experience from other organisations for your benefit by providing both a benchmark and validation for your compliance. Also, they can tap into their company’s internal resources for added knowledge.

Instant deployment – vCISOs require no training, can hit the ground running, and make a real difference from the very first day.

Cost-effective – The vCISO service may well be more price-effective than the long-term costs of hiring an FTE, saving you hiring, salary and benefit costs.

Hiring a vCISO vs a Full-Time Equivalent (FTE)

Onboarding any employee requires investment and adds to your overhead. Although you may find a well-qualified CISO who seems to be perfect, there can be some drawbacks. This is a comparison, so we must look at the good and bad of employing an FTE vs. hiring a vCISO.


The answer to why hiring an external CISO may be a good option will differ slightly depending on the size of your business. However, all businesses find three things in common when looking to fill a permanent CISO role:

  1. There is a skills shortage.
  2. CISOs seldom stay in the role for more than two years.
  3. Recruitment can take between 9 and 12 months.

Given the skills shortage in the market today, the vCISO delivers an exceptional return on investment.

How long does the onboarding process take?

The process for bringing a virtual CISO on board is broken into three simple steps:

Step 1: Onboarding: In this first step, the vCISO shall interview stakeholders to identify and confirm the business risk appetite, tolerance, capacity and specific goals and objectives; verify existing resources and capabilities; confirm assets, asset owners, sensitivity and location, along with business governance and compliance requirements; and review the current information security policies, procedures, controls, control objectives, key performance indicators, key risk indicators, evidence and testing activities. The vCISO will also select a random sample of employees for interviews to benchmark the current information and cyber risk awareness culture.

Step 2: Roadmap: Next, the vCISO will draft a proposed 12-month activity roadmap for implementation in the business. The roadmap shall document annual and quarterly goals, objectives and key performance indicators to measure performance against targets. The roadmap shall also specify reporting subjects, frequency and formatting, and any stand-alone deliverables and target dates required by the business.

Step 3: Engagement: Upon confirming the activities roadmap, the vCISO shall get to work implementing the agreed actions. Completed activities, and any additional activities added along the way, shall be confirmed with the business. The roadmap shall be maintained throughout the life of the engagement.

How much does a virtual CISO cost?

Now that you have seen all the benefits, I bet you wonder how much outsourcing costs. Unfortunately, this is hard to answer as every organisation’s risk and compliance requirements will differ.

On average, a vCISO could cost as little as £15,000 and as much as £350,000 a year, based on an annual retainer. So if you can’t afford the full-time financial burden of employing a CISO, then the virtual option may be the best choice for you.

How to choose a CISO service provider

Many companies offer a virtual CISO outsourcing service, so you will have a lot to choose from. When making your selection, Risk Crew recommends that you look for the following traits:

  • Years of experience
  • Knowledge in compliance applicable to your requirement (ISO 27001, PCI compliance, SOC 2 Type 2, DPA / GDPR)
  • Experience in your business industry or similar industry
  • Ability to work with employees across all levels and segments of the organisation
  • Reviews and recommendations from other professionals
  • Can they meet all the information security requirements of your business needs?
  • Do they provide measurable results?

Given the security responsibilities of the vCISO, the programme is only as strong as its consultant. Therefore, it is important to find a resource that is suited to your unique company culture.

Risk Crew’s CISOs have 25 years of experience advising on security across various industries and types of businesses. Our service is an extremely flexible solution created to fit any business model, ensuring you get the expertise you need, when you need it. Nothing more. Nothing less.

Learn more about the vCISO service or contact us for a free assessment to get an overview of what your organisation’s bespoke service would encompass, providing measurable results for your risk management programme.


Risk Crew