A vCISO, or Virtual CISO (Chief Information Security Officer) is an individual who provides Cyber Security Governance services on a contractual basis.
Typically they would have years of experience managing the Information Security program in a large enterprise, and bring that knowlege and experience to the practice.
Consider a law firm or Accounting firm. It may not be reasonable to have a lawyer or accountant, with their associated employees on staff, but you would have them on retainer for when required.
The Virtual CISO role is similar. They would come in initially and provide an assessment of your current Cyber Security "Posture", or how secure your network and processes are overall compared to others in your industry. And like a lawyer or accountant, the vCISO is not typically a "one person shop". They would have security analysts and an admin team that provide a holistic approach to delivery.
They would then develop a roadmap to shore up any deficiencies found. Theis could range from implementing policies and procedures, to scanning your network for vulnerabilities, and documenting missing patches, to working with your team on a Breach Response plan.
Once the assessment phase is done, typically the vCISO is only required periodically. From a few hours per week to a few hours per month, depending on your business and what other help you have to manage/monitor security controls.
On a regular basis, the vCISO and team would provide guidance and "Security Intelligence" to ensure that your business is continually protected.
Not every organization is ready for the investment and commitment of a full time #CISO.
According to CSO Online, salary.com’s and glassdoor salaries, most recent data, CISO’s in the United States command six-figure salary ranges, averaging arounf $200k plus.
In contrast vCISOs are estimated to cost much less, at between 30-40% of the full-time CISO averages.
Here are some (mostly) unbiased articles on the role of the Virtual CISO from respected journals.
