Cybercrime impact on business is real. No business leader should think that their business is immune. But with many providers jumping on the “vCISO” (virtual CISO, Interim CISO, fractional CISO, etc.) bandwagon, it’s hard to discern quality from smoke & mirrors.
But what is a vCISO, and do you need it? Let’s start with basics: WHY it’s needed, WHEN it’s helpful, WHO is the right one, and HOW will they deliver:
Why: Not everyone needs a vCISO. In fact, we hope for a day when every company has a dedicated cybersecurity leader. But that world is far from reality, especially for small and mid-size businesses (SMBs).
All enterprises need help retaining CISOs due to the nature of the role and the job market. In fact, the average CISO tenure is just 18-26 months—much shorter than other C-suite roles. When a CISO leaves, it’s a rush to find a replacement or external support.
When: vCISO leadership is helpful in organizations that can’t justify a full-time leader or experience a leadership transition. vCISO’s also help mature developing programs.
Who: Hiring a vCISO is not like finding a dentist: there aren’t definitive standards for CISOs like in dentistry. Clearly define your needs so you find the right fit. Depth in cyber, proven results, and experience in your industry are all important. Just because a company offers vCISO doesn’t mean they have these attributes.
How: A CISO should be fluent in security, business, and tech. They:
- Define the cyber landscape and a process to stay current with threats and business risks. This is critical. Every cybersecurity initiative needs a business risk connection.
- Align the program with a framework or industry standard, and use it to prioritize.
- Implement policies your organization can understand and use (Not unrealistic, generic policies).
- Communicate and influence broadly to be effective both proactively (building your program) and reactively (during a crisis).
- Deploy the appropriate technology – without bias or commission.
What is NOT a CISO? Fractional leadership is not unique to cyber. It’s used in accounting, finance, and operations (with options for external CXO’s). For cybersecurity, a credible candidate IS NOT:
- A pre-sales role.
- A technician who reads a monthly vulnerability report.
- A “Q&A” person when you encounter cybersecurity challenges.
- A tech writer.
- a “box checker” to tell you everything is OK.
- an inexperienced early career cyber professional.
A good vCISO should be:
- More than a consultant: Integrate with your team, understand your unique threats, goals, and organizational nuance.
- Proactive and strategic: Building a robust security posture, not firefighting.
- Experienced and proven: Deep knowledge and record of success.
- Independent: No product pushers. Be transparent about incentives.
At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit-for-purpose, and are sustained. If you want assistance building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to contact us at info@revealrisk.com.
317.759.4453
About the Author
Cody Rivers is a Consulting Director at Reveal Risk. Cody helps lead a consulting practice that specializes in creating and maturing cybersecurity programs that focus on risk reduction while aligning their work to client budget realities.
Prior to joining Reveal Risk, Cody served as Chief Technology Officer (CTO) for a successful Midwest-based IT Managed Services Provider (MSP) with clients that spanned the US and Western Europe. While there, he built the cloud security practice that assisted clients to overcome technical obstacles on their path to security maturity and regulatory compliance.
Cody’s experience spans 15+ years working with local professional sports teams to Fortune 1000 companies in nearly all major industries. He’s worked within such frameworks as SOC, NIST, and SOX. In 2021, Cody was recognized as a CTO of the Year by the Indianapolis Business Journal.
