Every company starts its cybersecurity journey somewhere, and some can jump right in and hire a full-time CISO. For many, this is not the right choice.
A virtual CISO (or vCISO) can be a full-time or a part-time engagement, drawing on skills that span governance, compliance, legal and leadership. Some vCISOs, especially the more experienced ones, also have strong technical skills. That is why so many companies utilise this service. A vCISO service provides the flexibility to fill a senior leadership role while addressing the needs of an information security program in an ever-changing and increasingly connected world.
The cost of a Virtual CISO service varies widely because the nature of the service is not “one size fits all”. Before estimating whether the return on investment in a vCISO engagement is viable for your business, you must know your options.
The scope of a Virtual CISO service
Unlike many consultancy services within the cyber and information security spheres, a vCISO service largely depends on what the business wants to accomplish from it. A vCISO is a resource dedicated to your business or organisation for an allocated amount of time per month. There are many permutations of scope that you may want vCISO assistance with. Still, some of the typical scopes for vCISO services include:
Policy Framework Development
Develop, refine, update and maintain security policies to reflect the security requirements of the business. A good vCISO will also be able to contribute to the ongoing development of your Information Management System (IMS), embedding security into the same IMS that covers Quality, Environmental and other international standards.
Sales and Marketing Support
A vCISO works very closely with the sales and marketing functions, assisting the teams in developing the required collateral to support opportunities and conversations with clients.
Compliance and Regulatory Control Management
One of the essential functions of the vCISO is within the compliance realm. A vCISO will work tirelessly to develop short- and long-term roadmaps to improve security within the business and demonstrate this in tangible forms to clients, partners, regulators and suppliers. Compliance is demonstrated by attaining and maintaining certification against standards such as ISO 27001, PCI, Cyber Essentials and SOC 2.
Executive and Board Support
Your business needs to know where it is on the security journey. A vCISO will create, refine and improve KPIs, metrics, and reporting structures. These outputs from your security program will convey the organisation’s security posture to executives and the board on a regular, ideally monthly, schedule.
Training and Development
The most common vCISO engagement is for the training and development of a new CISO in how to lead and perform the day-to-day management of an enterprise security program. Ongoing coaching of a CISO is imperative for a continued strong information security program.
The second most common vCISO engagement is to backfill the CISO role while an organisation is recruiting a full-time CISO.
Day-to-Day Security Operations Management
A good vCISO will also perform, or oversee and manage, numerous other tasks in their day-to-day work. These include internal penetration testing, risk assessment, physical security, running a vulnerability assessment and management program, or building a threat management framework.
Virtual CISO Cost Benchmarking
Engaging a vCISO service involves several variables, including the expertise and the capacity required, that need consideration. These variables mean that the total cost for a vCISO service can vary greatly. This section evaluates the factors that can influence the total cost of contracting a virtual CISO resource.
The first factor to consider is the full-time salary range of a CISO. The salary range goes from £75,000 for a new CISO with two years of experience up to £350,000 for a fully qualified CISO with 27 years of experience and strong skills in almost all Cyber / Information Security domains.
A Virtual CISO can be incredibly cost-effective, with a cost range from £24,000 to well over £300,000 per year, which would equate to £1,666 to £25,000 per month.
With such an extensive range, it is important to understand the drivers and factors that affect the price. We will evaluate four factors to consider when looking to price a virtual CISO service.
Where is your Security Program on the Maturity Scale?
The first and most significant factor to consider when engaging with a vCISO is your overall information security program maturity. Organisations starting with a blank slate and no current security team require more time, hands-on skills, and strong leadership to define and execute information security goals.
An information security program in its early stages will need a great deal of work. A security roadmap, along with organisational policies and controls, needs defining. This requires more time to understand the security needs and deep experience to help align policies and security controls with the business’s objectives.
Starting from scratch, or with a very new and immature cyber security program, requires investing time in understanding the organisation’s internal capabilities and the executives’ critical concerns in order to provide the most appropriate guidance. A senior vCISO pays dividends here and enhances your return on investment by defining controls and frameworks within your organisation. Refining policies and processes will also support your security program in the short and long term.
Initial security initiatives may concentrate on meeting regulatory and compliance requirements. Still, longer-term initiatives will involve defining secure-by-design architectures and controls.
How much Monthly Time is needed?
While this is an obvious question, the answer is often “I don’t know” for many.
There is a big difference in cost and in deliverables between a service that only contributes ten hours a month versus a service that contributes 80 hours.
The time actually needed for a vCISO engagement should be based on maturity, compliance or contractual requirements. Cutting back the monthly hours will reduce the monthly cost, but this saving is often purely artificial, as it costs more over the program’s lifetime: when engagement time is reduced, the overall time needed to achieve the board’s goals is extended significantly.
Every vCISO provider has a minimum set of hours to perform professionally as your virtual chief information security officer. Since the conception of the vCISO role in 2008, we at Hedgehog have defined this as 16 hours a month. That is what we need to deliver your vCISO service professionally.
Clearly defining the organisation’s strategy, whether it be protecting against data security breaches or simply providing clear communication to the organisation’s board, will help determine the time required from the virtual CISO team.
How is the Contract Structured?
The contract structure of the vCISO engagement directly impacts the cost of the virtual CISO. With an on-demand monthly service, the premium is significantly higher than the cost of a year-long contract. For example, the lowest level of vCISO engagement is £1,666.00 per month on an annual contract, contrasting with £3,450.00 for the same month of work performed on a single-month engagement.
With any service offering you engage with, there is always an additional cost associated with not committing to a long-term spend. A short contract engagement will work for some organisations with a small project requiring a CISO’s assistance. However, if the organisation needs a robust security program designed and built, contracting for the longer term will benefit it more, and it will cost less overall.
A multi-year contract often decreases the annual cost of the vCISO engagement as the service is consumed or renewed.
Exactly how much Security Expertise do you need?
The last factor we are looking at is understanding a vCISO’s responsibilities and how they relate to the required security expertise. Do you need a vCISO with 27 years of service who sat on the CISO board at Microsoft, or do you need someone with ten years’ experience? The answer to this question dramatically impacts the monthly or annual cost.
Working in a highly regulated industry such as financial services, gaming or healthcare requires previous experience and expertise to professionally and adequately guide the business in the investments and information security program requirements.
An excellent example is working with sensitive information such as consumer data in e-commerce. Working with consumer data has direct implications for data privacy. It entails a deep understanding of various regulatory laws, like the Data Protection Act, Distance Selling Laws and GDPR. While understanding these laws for the organisation’s home jurisdiction is essential, the laws of other countries must also be considered. It is impossible to know where all sales will occur in the digital world, so the laws of multiple countries need consideration, and issues arising from them need to be addressed up front rather than by dealing with fines afterwards.
Security expertise also needs weighing against your business’s operating footprint. Does your business operate mainly in one jurisdiction, such as the United Kingdom or Europe, or is it a global organisation? Does the business deal with employee data in one country or in several? There are various laws governing how and what employee data can be collected and used. Having a vCISO who understands these points and has the right expertise helps to advise and guide the client in designing and implementing controls that meet specific requirements and avoid exposing the organisation to litigation.
Does a Virtual CISO Service Vary from One Industry to the Next?
The differences in security needs across industry verticals impact both the cost and the duration of the service. Hiring a vCISO with experience in your industry vertical is the best approach, as the requirements for security in manufacturing, e-commerce, logistics and gaming are all vastly different. Understanding the need for security controls in the appropriate industry is a core requirement when engaging a vCISO. A vCISO with relevant prior experience can draw on it to streamline the work and planning needed to meet the business objectives.
The Cost of a Virtual CISO against Hiring a Permanent CISO
Before looking at the salary costs of a full-time CISO and a vCISO, we should look at the differences in the output.
In nearly every case there is no tangible difference in the work product of a CISO and a vCISO. In both cases, interviews should be conducted to understand the candidate’s skills, experience and cultural fit as part of the engagement. Suppose your organisation has selected the right candidate who matches the job requirements. In that case, the impact on the organisation should be nearly identical when working on the same project with the same time constraints. The only significant difference would be the calendar time it may take to complete the project, since a vCISO works on a time-assigned commitment each month.
The cost of a full-time CISO can be as low as £75,000 a year. However, base compensation is broad; most are in the £120,000 to £400,000 range.
In-house CISO salaries are continuously increasing, at one of the fastest rates in the IT sphere, which often makes employing an internal full-time CISO cost-prohibitive. The escalating wages are due to the increased emphasis on security within organisations and the specialised skill set required to perform the role.
So, suppose your organisation is not ready for a full-time CISO. Your best choice might very well be to initially engage a virtual CISO for around £5,000 per month to help build and support the security initiatives within your business. However, if employing a vCISO at a full-time rate, an organisation should expect to pay significantly more, somewhere in the region of 30-60% over most vendors’ full-time direct-hire rate.
Costs of a Virtual CISO vs Benefits
You may not have any choice other than to have a CISO. When this happens, the most cost-effective solution is engaging a vCISO to help meet contractual or regulatory requirements. For instance, in some industry verticals it is becoming mandatory to have a suitably qualified and experienced CISO who reports to the board and ensures compliance with a list of security controls, capabilities and audits. In this case, the benefit for the organisation is being able to operate within that vertical without facing fines or suspension of business operations.
While this is an extreme example, there are plenty of other industries where a vCISO will provide additional benefits. Whether you are building a security roadmap or working with clients to create a deeper level of trust, a vCISO helps improve the organisation’s information technology operational efficiency.
The most significant result is lowering actual and theorised risk to the organisation by reducing the impact or likelihood of a security incident and subsequent breach. A committed vCISO working in your business or organisation can take a relatively small monthly investment and save your business from a 10x to 100x cost from a potential incident.