Skip Navigation
BlackBerry Blog

What You Need to Know About Virtual CISOs

FEATURE / 04.25.18 / Aaron Bryson

What is a Virtual CISO?

Virtual Chief Information Security Officers (vCISOs) are top-tier security experts available to organizations who require security and privacy strategy and expertise. They are responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.

Generally, this is accomplished by building information security management programs that align with business objectives and show measurable improvement in your security posture.

The Chief Information Security Officer (CISO) is the most senior decision maker for information/cybersecurity and is pivotal to protecting the business from damaging attacks resulting in data loss. The CISO should be heavily involved in formulating regulatory and compliance plans, as he/she is central to some of the regulatory changes around data breaches and data privacy.

vCISO is effectively a special form of Security-as-a-Service (SECaaS) [pronounced sek-ass…we seriously need a better acronym, am I right?]

Why Do We Need a Virtual CISO?

Security threats are rapidly evolving. Budgets are slim. Skills are at a premium. And business imperatives like mobility, social media, web applications and big data can pose risks as well as inefficiencies if they're not properly managed. Regulations are numerous and spanning across seas to affect businesses in other countries.

Budget Concerns

SMBs may have a hard time justifying the salary and overhead of another full-time, permanent executive. Since these companies may just need part-time consulting, a vCISO can satisfy their needs and budget limitations.


It is very difficult for smaller companies to compete for high-level tech and full-time positions. They cannot compete with the big firms with deep pockets and that have stronger network relationships.

Skill Gaps

There is a significant gap in skills between increasingly sophisticated hackers and tech employees. An experienced and skilled executive is required to identify what those gaps are and address them. Arguably, one of the greatest advantages about bringing in consultants is that they possess varied experience and exposure from working with different companies. A vCISO can share lessons learned from other engagements to help your organization avoid the same peril.

Governance, Risk Management and Compliance (GRC)

Many organizations mistakenly appoint “security officers” that do not have sufficient formal security experience and skills. This is not recommended because it can have very serious consequences. Various regulations and compliance drivers necessitate hiring a Chief Information Security Officer.

Some examples include but are not limited to:

  • New York Department of Financial Services Cyber Security Regulations
  • European Commission’s General Data Protection Regulation (GDPR)
  • Financial Industry Regulatory Authority (FINRA) Contact System (FCS)

FINRA has added a new voluntary role, the Chief Information Security Officer (CISO). FINRA makes clear that member firms are clearly responsible for establishing and maintaining standards and operating procedures to ensure information assets and technologies are adequately protected.

FINRA maintains contact information records of all Executive Representatives, Chief Compliance Officers, Chief Information Security Officers, and other contacts under FINRA rules and By-Laws.

Companies face increasing pressure to comply with regulations that are meant to ensure customer's privacy and security. A vCISO can help establish standards and keep businesses from incurring penalties, lawsuits, bad press, or worse.

They Bring a Wealth of Experience and Knowledge

vCISOs bring immediate value to their security and privacy skills and experience, in addition to powerful business acumen skills. They are strategists who are adaptive to your needs and learn quickly. They will provide a sensible roadmap of security objectives and a schedule to achieve goals.

They are objective because they are not technically part of the organization which allows them to operate relatively free from corporate bureaucracy. Their only agenda is to advance your organization’s security and privacy objectives while letting the business focus on what it does best.

The Cost of a CISO

According to, the median annual Chief Information Security Officer salary is $215,273, as of March 01, 2018. Pay typically ranges between $188,105 - $248,527, however, this can vary widely depending on a variety of factors. shows many CISO positions currently open with their known salary ranges provided by the community as high as $258,000, as of March 16, 2018.

However, in metro areas like New York City or Bay Area, salary can top $300,000+. These salaries are commensurate with the demand for this position, knowledge and skills, and the severe shortage of talent. Not every organization can afford or even needs a full-time CISO, therefore, a virtual CISO who does not require benefits or an arduous on-boarding process can save both time and money. In essence, you only pay for what you need. Many vCISOs typically consult on a per-hour retainer basis.

vCISO retainer services can cost as little as $35k per year and as much as $250k per year. Typically, vCISO costs decrease over time as their client’s security programs go into “maintenance mode,” where the continuous consulting effort is no longer required.

vCISOs Are Elastic

vCISOs are typically on-call and available on an as-needed basis. They can work on-site or remotely to suit your needs. It is a flexible term relationship with limited risk. Generally, vCISOs are also well connected and can provide additional resources, objective and honest recommendations, and connections to suit your needs. Because vCISOs often have their own resources they tap into, they reduce the burden on yours.

How to Work with a vCISO

The vCISO is there to augment your team and enhance existing capabilities. Having proper expectations is important because not everything can be accomplished overnight. The change will take time and resources.

Cultures resistant to change and/or lacking proper resourcing and budget will impede progress and prevent the vCISO and related teams from accomplishing their mission. Furthermore, having a lack of governance, organization, and a basic understanding of how a vCISO fits into the organization can be problematic with respect to authority and can be disempowering.

An appropriate level of authority is necessary to enable the vCISO to affect positive change. Office politics can also reduce the efficacy of a vCISO if they are overbearing. While vCISOs are no stronger to politics, organizations must realize that the more time they spend battling politics the more money they are spending on it.

In order to ensure the best use of everyone’s time and money, it is recommended to choose your battles wisely to allow the vCISO to focus on what he/she was hired to do.

Aaron Bryson

About Aaron Bryson

Red Team Director at Cylance

Aaron Bryson has worked in the information cybersecurity field in startup companies, Fortune companies, and the DOD. He has led red and blue teams, risk and fraud teams, development and engineering teams. His positions have ranged from penetration tester to CISO. Aaron has a passion for software security because software runs the world.