I came up with the term on my own in 2015, no one had heard of it at the time and it was a hard sell. Fast forward now to 2022 and vCISO’s are EVERYWHERE! Even in the last 6 months, there has been a 50% increase in vCISO titles on LinkedIN.

So what is a vCISO?

Well, they’re actually a CISO! (Just part-time)

They can also be a:

• Security Architect

• Security Analyst

• Security Project Manager / Coordinator

• Audit Liaison

Hint: 💡 They can be the same person or multiple people. 🤔

See my related post…

A lot of people are actually moving away from the term vCISO and using Fractional CISO instead. I’ve also run into clients not comfortable with the term CISO at all, and prefer to use “Security Advisor”.

Another reason people are moving away from vCISO is because you have inexperienced folks with 1-2 years of experience in security as an engineer or analyst calling themselves vCISO’s. In this case, they would be a Staff Aug Engineer, or at best an MSSP (aka MDR).

So maybe this article should be “What Makes A Good vCISO?”

What Makes A Good vCISO?

One of the most important aspects of a good vCISO is

Understanding The Culture

This post describes this best…

A vCISO is often coming into either one of two scenarios:

• Completely Greenfield - No Security

• Taking over someone else’s work - partial security

So they need to be nimble and understand how to get up to speed quick.

(Shameless Plug: We’ve developed a custom assessment framework to help understand the issues and build a security roadmap quickly. Get in touch 👉🏼: [email protected])

Technical Breadth

Another important aspect for a vCISO, imho, is having some technical breadth, understanding, and alignment with the client organization.

Technical breadth doesn’t mean that you have to be a developer or can do a source code review, but you do need to be able to carry a conversation with Engineering, Legal, and HR. So understanding the lingo of these various departments (at the stage the company is in) is paramount. Knowing the tools and having the experience of workflows of similar company sizes is also part of this.

In a way, Technical Breadth is part of culture.

Consultative, Educational, Empathic, and Creative

This also goes back to culture, but to be more specific a vCISO is typically brought in as an expert. So they are looking for guidance on a difficult topic.

In fact, this has to apply to all security people.

At the end of the day, security people are educators. We are there to help the client with a difficult problem.

We either:

• Have to explain it for them in the simplest terms (see ELI5)

• Walk them through how to do it

• Do it for them but be able to explain why we did it the way we did

The Empathy part means that you understand the difficult situation they are in (trying to gain an enterprise client, or reduce their risk, or ship a product) and are going to be creative in how you solve their problem.

Wait… You Do All That?

Yes, and more. vCISO’s, CISO’s, and many good security people end up doing a lot for an organization to keep it secure and well oiled.

Here is some additional context into what goes on in our world:

I hope this helps paint a clearer picture of what a vCISO is.

Do you have another interpretation of a vCISO? Leave a comment below.