Page 120 - Cyber Defense eMagazine January 2024
A virtual CISO, on the other hand, is a bit more ephemeral: the term implies someone who works full-time, but remotely. The implication is that this virtual person is the only security expert working for that company, which in turn means the company is relatively small or has an immature security program.
I like this distinction that she made, but I am not convinced that the industry has adopted it. In my more recent conversations with vCISOs, some of them said that they originally called themselves vCISOs only to switch later to fractional CISO. I picked up that the term vCISO has been degraded. I see social media posts saying that “anyone can call themselves a vCISO” without the corresponding experience or credentials, which is further evidence that the community is becoming skeptical of the term.
That last bit is an interesting point, because even though there are several certifications and credentials in the cybersecurity space, most of them are younger than the careers of many cybersecurity professionals, who were already practicing before those credentials existed. Therefore, not everyone is credentialed. Regardless of that debate, I see the move to “fractional CISO” more and more, so if you are launching your own firm, choose which term you want to use on your website with full knowledge that the line, while still fuzzy, is being drawn.
Mapping Your Path: Finding Your Niche
The vCISO market is diverse, offering a range of client needs and engagement models. Identify your
sweet spot. Will you specialize in specific industries? Focus on project-based work? Or do you charge
hourly? Or maybe you prefer to cater to long-term engagements for larger enterprises? Choose your path
wisely, honing your expertise and value proposition to become the go-to vCISO for your chosen niche.
As I explained in the previous section, the term vCISO has varying meanings. Some vCISOs I have spoken to focus only on pre-audit readiness. These are limited engagements, lasting from six months to a year, in which the vCISO builds the security program for the client, maintains it during the audit period, and coordinates with the auditor during the audit. This type of vCISO then terminates their contract when the audit concludes.
Another practice focus for vCISOs is the fractional cybersecurity professional who charges clients a flat monthly fee for building and maintaining a security program. In this work, the vCISO conducts a gap analysis, builds a customized action plan for the client mapped to a specific framework, and then works with the client on implementation, all the while helping with responses to security questionnaires and insurance assessments on the client’s behalf. Sometimes the vCISO charges an hourly fee instead of a flat fee; I usually see this type of billing when the vCISO is early in the life of the firm and trying to establish that initial client base (hourly billing earns them less money). These services are usually referred to as “Advisory Services,” and MSPs and MSSPs also offer them.
Finally, the third most common vCISO offering is what I refer to as a secondment. The vCISO works full-time, but for a temporary period, within the client’s business. In this arrangement, either the client has lost their in-house CISO and needs someone to cover for a period, or they have never hired a CISO and need coverage while they conduct their search. With the dearth of high-level, C-suite talent (and the fears over liability since Joe Sullivan of Uber was prosecuted), a CISO search can take up to a year, so these vCISOs cover the gap. Usually, these vCISOs also have a whole separate engine built for discovering and training new talent, so that when they receive the client call, they have a pool of aspiring CISOs to
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.