Cybersecurity is a multi-faceted problem that challenges every enterprise, large or small. There are critical vulnerabilities in software and hardware that need patching. Cybercrime cost victims over $10 billion in 2022, the FBI reports. Threat groups affiliated with nation-states deploy powerful malware capable of inflicting severe damage.
There’s also the question of risk: How much of it is an organization willing to take on, and who can best calculate the consequences these decisions will have on the infrastructure, networks and, most importantly, data that companies collect and store?
In many large organizations, the responsibility for cybersecurity falls to the CISO, and these companies can afford to hire the talent for that demanding position.
For other organizations, finding the right security leader and meeting the salary requirements these types of senior executives command are their own challenges. In addition, CISO burnout is real and growing, with Gartner estimating that at least half of security leaders will leave their jobs by 2025—putting additional pressure on the talent pool.
Instead, many midsized enterprises and small organizations are turning to virtual CISOs (vCISOs) as an alternative to hiring a full-time CISO. This security leader, who may work for a consulting firm or as an independent contractor, helps develop, organize and implement a company’s cybersecurity plans. At the same time, the vCISO can oversee an internal security team during a crisis and present the details of an incident or risk to the executive suite and board.
What Is a vCISO and Which Organizations Need One?
“A vCISO is a security professional with extensive ‘in-the-trenches’ experience who provides guidance and advice on various aspects of cybersecurity. It is an outsourced position and typically works on a temporary or ongoing contract basis for multiple organizations,” said Darryl MacLeod, who is himself a vCISO at LARES Consulting, a security firm based in Denver.
For reasons ranging from security concerns to budgets, MacLeod sees a growing market for vCISOs, as well as a path for security and tech pros looking to move into more management and leadership positions.
“The market for vCISOs is growing as more organizations realize the need for cybersecurity expertise but can’t afford to hire a full-time CISO, especially in the current economic climate,” MacLeod told Dice. “vCISOs are the best fit for larger small-to-medium sized businesses.”
Other factors have also made vCISOs an attractive alternative for many companies, said Joseph Carson, chief security scientist and Advisory CISO at security firm Delinea.
“The vCISO position became popular when many small and medium organizations needed to comply with many different regulations and compliances, as well as the COVID-19 pandemic [resulting] in many CISOs working remotely and offering their skills, experience and services to multiple organizations,” Carson said. “This environment accelerated the need for the vCISO.”
And while a full-time CISO can command an average total pay package of $215,000, according to Glassdoor, a vCISO still averages $134,000 in annual pay or about $65 per hour, ZipRecruiter noted.
vCISO: What Skills Are Needed?
To start along the path toward becoming a vCISO, tech and cybersecurity pros need to brush up on business and communication skills. In particular, they need to understand how organizations meet their regulatory and compliance obligations, at a time when a major security breach can bring investigations from several government agencies.
In this role, business skills are as important as any technical skills, noted Carson.
“Some of the skills a vCISO needs are strong listening skills, wide communications experience and quick understanding of the business needs,” Carson told Dice. “Typically, a CISO would have in-depth knowledge of the business they serve… they must have strong cybersecurity knowledge across a wide range of cybersecurity strategies and frameworks. So, a strong vCISO has worked for multiple organizations or the clients they serve are similar to the industry they have experience with.”
MacLeod, who has worked as a vCISO for many organizations, agrees that business skills matter a great deal for those who see the vCISO role as a career path. “You should be able to assess and improve an organization’s security posture, ensure compliance with relevant laws and regulations, and advise executives on security initiatives or issues. In short, you need to be able to adapt and learn quickly,” MacLeod added.
Erik Gaston, vice president for global executive engagement at Tanium, added that since a vCISO is likely going to engage with more than one company in potentially more than one industry, they need to be solid generalists with knowledge of the overall security landscape and how to effect change and establish programs.
“A vCISO is going to need to be a natural leader, as they are coming in from the outside and will need to drive the overall thought leadership and direction,” Gaston told Dice. “This requires them to be able to bring people along on their security journey and collaborate well with constituents across the business, IT, risk, compliance and security operations at the same time.”
vCISO: Ultimate WFH Position?
Another appealing part of a vCISO career is the ability to work remotely while still influencing the company’s operations and cybersecurity policies. “While this role existed previously, WFH and virtual work has made the role more accessible in a pandemic and post-pandemic environment,” Gaston added. “Also, with a limited talent pool and reduced internal budgets to hire and maintain this role full-time, having a vCISO in some capacity makes sense for a lot of firms, particularly in the small and midsize business market.”
Other experts noted that, while the ability to source remote candidates from across the country is appealing to organizations, other factors ultimately drive the need for vCISOs. “The vCISO certainly exploded as COVID hit. But, as compliance drivers like [President Joe Biden’s] cybersecurity executive orders drive smaller organizations to focus on security, these organizations look to the vCISO as a way to address regulation without the cost, focus, and weight of a full-time hire,” John Steven, CTO at ThreatModeler, told Dice. “Ultimately, for these firms, their engineering and operations executives don’t have the bandwidth to absorb security change mandated by a full-time CISO.”