I recently responded to a chat on VCISO, and felt my insights may prove useful to others.
A virtual CISO is a solution.
This solution is for a business that lacks leadership of a security program, or has no security program or staff. I would go as far as stating most folks who hire a VCISO are in a compliance mindset rather than a risk management/reduction approach.
The VCISO’s goal should be to demonstrate to the business the need to properly invest in technology, tools, training, and staff.
In short, a VCISO doing their job properly should either work themselves out of the job or become the full-time CISO.
The company should gain new policies, strategies, understanding, and maturity in a security program. The VCISO then finds their next contract.
There may be instances where a VCISO remains a viable long-term option, but in my mind the company would have built the team and program, and simply cannot afford a full-time CISO, or does not have an internal senior/executive-level security leader or candidate to fill the role.
I look forward to your comments.
If you have questions on VCISO services or would like to discuss VCISO services, please use the contact page.