What is vCISO and Who Needs CISSP Expertise?


September 24, 2021

A Chief Information Security Officer (CISO) is a hot commodity.
CISOs have Certified Information Systems Security Professional (CISSP) accreditation, making these IT superstars some of the most in-demand security resources in today’s 24/7/365 digital economy.
Rigorous training, testing, and career tenure requirements give CISOs expertise across eight interrelated domains: Security and Risk Management, Asset Security, Architecture and Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Operations, and Software Development Security.
Learn More: CISSP Certification
With 50,000 CISO job openings at any given time, it’s no wonder CISOs command between $110,000.00 and $125,000 per year, according to ZipRecruiter and PayScale.
If that price tag creates any pause for you, read further for illustrations of ways you can take advantage of this expertise on a fractional basis, at a fraction of the cost.

Who needs a vCISO?

  • Companies with fewer than 1,000 employees who want to avoid the cost of a full-time CISO hire
  • Companies with in-house IT departments who need augmentation
  • Companies with MSPs that want third-party objectivity and have concerns about “chickens guarding the henhouse”
  • Companies that need an MSP who offers everything, including a vCISO offering

What problems and initiatives do vCISO services address?

In today’s world of growing cybersecurity regulations, it’s not enough to install a firewall and have your employees take a training course on phishing emails.
HIPAA, NYDFS, GDPR, PCI, and an alphabet list of others have minimum guidelines that are becoming more and more sophisticated every day.
To remain compliant, your business needs policies and procedures in place that go way beyond the scope of hardware and software products.
A Chief Information Security Officer understands these requirements and how the associated regulations apply to your business and technology infrastructure. They blend big picture thinking with attention to detail.
Your vCIO assesses your current state of compliance, makes recommendations that balance your budget with your risk tolerance, and conducts testing to ensure success.
They also assist with vendor and client evaluations to make sure everyone who touches your network is operating under the same high standards.
CISOs drive thought leadership to create information security policies that include but are not limited to:

  • Breach notification
  • Contingency planning
  • Cybersecurity programs
  • Email solutions
  • Encryption
  • Information disclosure
  • Mobile devices
  • Remote access
  • Security event reporting

Do You Review Your Cybersecurity Standing Regularly?

No business is bulletproof. Security goalposts are constantly moving. That’s why you need regular risk assessments and evaluations. Quarterly audits of your environment ensure your business is compliant and secure.

What Security Policies And Procedures Do You Have In Place?

Every business has unique cybersecurity needs that require implementing customized programs, policies, procedures, and technical safeguards.

Do You Know Your Industry’s Security Regulations?

Technology and regulations change rapidly, making it challenging to stay on top of your industry’s security standards, including ISO27000, PCI DSS, HIPAA/HITECH, and more.

How Do You Manage Compliance With Your Network?

It’s one thing to know all of the policies and procedures for regulatory compliance within your industry. It’s an entirely different task to manage and maintain them in concert with your corporate IT systems on a daily basis.

How are vCISO services sold?

vCISO “as a service” is available in three varieties:

  • A line item in your Managed IT Services MSA
  • A stand-alone service billed as a retainer over 12 months
  • A one-time project engagement

What are the most common vCISO services and projects?

Data Mapping

A requirement for GDPR, data mapping exercises help to identify the location of your data and how it is protected.

Security Awareness Training

The best firewall is the “human firewall.” CISOs provide and manage online training for your employees.

Third-Party Vendor Review

CISOs ensure vendor contracts and services comply with necessary security standards to reduce risks and vulnerabilities.

Industry Standard Assessments

Whether ISO 27001/2 gap analysis or FFIEC’s cyber security assessment tool, CISOs help navigate all aspects of any security standards.

Business Continuity Planning

Interruptions happen. CISOs implement strategies to prevent data loss to keep your business going, even in the worst-case scenario.

What’s Next?

Improving your security posture requires a cybersecurity partner who knows your business, knows the regulations, and understands all of the risks on the table.
vCISO gives you access to a full arsenal of information security policies and programs developed by CISSP engineers to manage and assess risk, measure vulnerabilities, including ongoing network testing with certified ethical hackers.
Can you afford to do this in-house? Most businesses with under 1,000 employees cannot. There are other hurdles related to ongoing certification, headcount, and professional development.
An MSP with CISO personnel keeps everyone up to date on their certifications. They have a team of CISOs, and the team works within several different industries. Exposure to other IT environments brings fresh perspectives and new ideas.
For a deeper dive on CISO and CISSP, please see: CISSP Tutorial

Jed is a Solution Advisor at Integris who has specialized in MSP solution development, sales, and marketing communications since 2003.

Keep reading

How to Develop a Network Security Policy

How to Develop a Network Security Policy

Developing a network security policy (and its companion network security policies) begins with establishing guidelines for creating, reviewing, revising, and retaining your information security policies and procedures. Since information is accessed and stored on your...

10 Best Practices from the Top Cybersecurity Training Companies

10 Best Practices from the Top Cybersecurity Training Companies

Why would an MSP publish an article sharing ten best practices from the top cybersecurity training companies? Because we partner with most of the computer-based educational providers quoted in this article or help administer their cyber training services for clients....