National Cyber Security Association (ukncsa.org)


Do We Need A CISO? - Part Two: Rise of the Virtual CISO

Solutions and Alternatives When Hiring a CISO

In the first article in this mini-series we looked at the role of the Chief Information Security Officer (CISO). We discovered that the role is very extensive, requiring a high degree of expertise. The role also brings a great deal of value to organisations that invest in appointing a CISO.


As a result, those with the expertise and experience are in high demand and command some of the highest salaries in the industry. In addition, the average tenure of a CISO is only 18 to 24 months, which not only disrupts programme continuity but means the whole recruitment process, with all its attendant costs, repeats with alarming frequency. What are the solutions to this?

If budgetary constraints are not a problem, then the best way to keep your CISO and lengthen their tenure is to remunerate well and support the CISO with continued training. Companies that offer a generous training budget benefit in at least four ways:

  • They have more highly skilled personnel, and so gain competitive advantage

  • They retain these employees longer, reducing disruption

  • They save on recruitment costs, savings which will outweigh the training budget allocation

  • They gain kudos in the market place, attracting the best staff

The Practical Alternative: Rise of the Virtual CISO

Organisations with tighter budget limitations may be tempted to merge the CISO role into that of the CIO. This rarely works because the two roles have conflicting interests: the CIO is measured on delivering systems on time and on budget, while the CISO must be free to challenge those same decisions on security grounds.

A better alternative is to hire a fully qualified and experienced CISO on a shared basis. The CISO applies their expertise across several clients at once. This is sometimes called a fractional CISO or, more often now, a Virtual CISO. The term reflects that much of the work, after the initial getting-to-know period, can be performed remotely. This is a little different from an Interim CISO, who fills the post temporarily until a permanent appointment is made. The Virtual CISO, on the other hand, can be the best long-term solution.

Rather than billing an hourly rate, the work is usually specified up front and an appropriate monthly fee is agreed to complete it. The vCISO concentrates on delivering all the stated improvements, whether on site or remotely, including keeping management and the Board of Directors up to date on progress.

Having a professional CISO working for the company is a business differentiator which the client company should capitalize on by letting their customers and suppliers know.

A Virtual CISO (vCISO) helps organisations to protect their infrastructure, data, people and customers. The vCISO works closely with the existing management and technical teams to build the client organisation's cyber security programme.

The vCISO can really help when a company is struggling to comply with regulations and implement security, by providing sound guidance and direction that has a measurable impact on the results of the client's cyber security programme.

Benefits of Using a Virtual CISO

There are, in fact, many benefits of hiring a vCISO over the traditional full-time in-house CISO. The first, of course, is cost: a Virtual CISO will typically cost between 30 and 40 percent of a full-time CISO. In addition, you will not normally pay for any training costs.

The benefits go much further than cost. Virtual CISOs, because they are fully trained and up to date, can hit the ground running. They are used to adapting to new situations and can apply the many lessons learned from multiple engagements. A full-time hired CISO may have seen only one or two large corporate situations and will take much longer to settle in.

The Virtual CISO will usually operate more efficiently because they are not hampered by office politics; the job is to get results. Finally, if the vCISO works as part of a team, the client company has the expertise of the whole team, not just the single CISO appointed to them.

The UK National Cyber Security Association service:

The UKNCSA Virtual CISO Services are available, and we pride ourselves on:
  • Expert, knowledgeable and qualified consultants
  • Cost-effective services tailored to your business needs
  • Building long-term relationships with our member-clients

Typical Working Methods

When we begin working with you, we want to understand your business objectives, culture and environment quickly. It is vital to fully understand the business's methods and to build trust relationships with key personnel. This is central to ensuring a successful cyber security programme.

To accomplish this, a typical engagement involves being on site during the first two to three weeks. Thereafter we continue with a mixture of remote working and site visits, depending on your preference and requirements.

We make use of the Unified Cyber Security Framework (UCSF) to ensure that all fundamental areas are properly protected. Following the UCSF enables us to apply controls methodically and efficiently to the major domains while building up the information needed for the cyber risk assessment.

The efficient work flow includes:
  • Ensure that all fundamental security operations are in place
  • Prepare a cyber risk assessment based on your specific business assets
  • Map out the optimum cyber security strategy with key stakeholders
  • Prepare a Gap Analysis report and establish the Cyber Security Road Map
  • Build out the Governance, Risk and Compliance (GRC) programme
  • Look to consolidate and get best value from contractors and vendors
  • Build a Cyber Awareness Training Strategy
  • Establish Incident Response Procedures
  • Establish a Business Continuity Plan
  • Set up Third-Party Management

This list is not exhaustive and will depend very much on the individual client company. While our templates and methodologies make our work efficient, we implement them in a very adaptable and customised fashion.

Other Circumstances Appropriate to Using a vCISO

As well as the situation described above, where a CISO is shared, there are other situations where a vCISO could provide valuable services.

1) Board Advisor
Your company may have a cyber security lead who has been with the organisation for many years and understands the business very well. However, there is often a communications gap between that role and the top executive. A vCISO can bridge the gap by explaining the security position to the board members and communicating the board's business objectives back to the cyber lead.

2) Coach and Mentor to a Newly Established CISO
If your company has selected an employee as the cyber lead, someone who is enthusiastic about securing the company but who lacks the training and experience, then a vCISO could be the ideal solution to provide the leadership that is initially lacking. This is often the case with a start-up or scaling company.

3) Part-time Deputy or Assistant to the CISO
There are times, for example during a merger or acquisition, when an over-stretched CISO needs an additional experienced CISO added to the team. In this case a vCISO may be the best choice to provide that extra expertise, either as an interim arrangement or as a permanent "best solution". The vCISO may take on a specific function such as third-party contract management or business continuity planning, or possibly board relationship management while the full-time CISO handles other duties.


As more and more companies realise the importance of having a CISO role, there will be an increasing requirement for fractional or Virtual CISO service providers. This is a practical solution to many circumstances that do not warrant a full-time CISO.

Author: David R. Bird.
MSc Cyber Security, CISSP.

UKNCSA™ is the National Cyber Security Association™ for the UK.
UKNCSA is administered by UKNCSA Ltd (a non-profit organisation).
Company Reg.11995004
Reg Office. 101 Avondale Road, London N153SR.