What IS A vCISO???
It means so many things to many people... let's go over it.
I came up with the term on my own in 2015, no one had heard of it at the time and it was a hard sell. Fast forward now to 2022 and vCISO’s are EVERYWHERE! Even in the last 6 months, there has been a 50% increase in vCISO titles on LinkedIN.
So what is a vCISO?
Well, they’re actually a CISO! (Just part-time)
They can also be a:
Security Architect
Security Analyst
Security Project Manager / Coordinator
Audit Liaison
Hint: 💡 They can be the same person or multiple people. 🤔
See my related post…
A lot of people are actually moving away from the term vCISO and using Fractional CISO instead. I’ve also run into clients not comfortable with the term CISO at all, and prefer to use “Security Advisor”.
Another reason people are moving away from vCISO is because you have inexperienced folks with 1-2 years of experience in security as an engineer or analyst calling themselves vCISO’s. In this case, they would be a Staff Aug Engineer, or at best an MSSP (aka MDR).
So maybe this article should be “What Makes A Good vCISO?”
What Makes A Good vCISO?
One of the most important aspects of a good vCISO is
Understanding The Culture
This post describes this best…
A vCISO is often coming into either one of two scenarios:
Completely Greenfield - No Security
Taking over someone else’s work - partial security
So they need to be nimble and understand how to get up to speed quick.
(Shameless Plug: We’ve developed a custom assessment framework to help understand the issues and build a security roadmap quickly. Get in touch 👉🏼: [email protected])
Technical Breadth
Another important aspect for a vCISO, imho, is having some technical breadth, understanding, and alignment with the client organization.
Technical breadth doesn’t mean that you have to be a developer or can do a source code review, but you do need to be able to carry a conversation with Engineering, Legal, and HR. So understanding the lingo of these various departments (at the stage the company is in) is paramount. Knowing the tools and having the experience of workflows of similar company sizes is also part of this.
In a way, Technical Breadth is part of culture.
Consultative, Educational, Empathic, and Creative
This also goes back to culture, but to be more specific a vCISO is typically brought in as an expert. So they are looking for guidance on a difficult topic.
In fact, this has to apply to all security people.
At the end of the day, security people are educators. We are there to help the client with a difficult problem.
We either:
Have to explain it for them in the simplest terms (see ELI5)
Walk them through how to do it
Do it for them but be able to explain why we did it the way we did
The Empathy part means that you understand the difficult situation they are in (trying to gain an enterprise client, or reduce their risk, or ship a product) and are going to be creative in how you solve their problem.
Wait… You Do All That?
Yes, and more. vCISO’s, CISO’s, and many good security people end up doing a lot for an organization to keep it secure and well oiled.
Here is some additional context into what goes on in our world:
I hope this helps paint a clearer picture of what a vCISO is.
Do you have another interpretation of a vCISO? Leave a comment below.