When Are Virtual Chief Information Security Officers the Right Choice?

Author: Brian K. Ngac, CRISC, CISM, CGEIT, CCISO, CISSP-ISSAP, ISSEP, ISSMP, PMP
Date Published: 1 October 2021

Cybersecurity executive management and leadership are key components of properly securing an organization’s infrastructure and assets. However, many organizations cannot afford a full-time cybersecurity executive, commonly positioned as the chief information security officer (CISO). Given that reality, one option is for organizations to essentially purchase a CISO as a service in the form of a virtual CISO.

A fundamental understanding of virtual CISOs and how they can be utilized in different organizations helps organizations understand their options. Virtual CISOs have different benefits and drawbacks depending on the organization’s size, industry, funding and loyalty. For example, although virtual CISOs can provide many benefits without the hefty cost of a traditional full-time CISO, organizations need to consider some of the following questions as well:

  • Can the virtual CISO be a security leader for the organization, and at times for multiple organizations, if they are operating in a part-time capacity? Or is the experience of being the virtual CISO in multiple organizations simultaneously the factor that makes them excellent security leaders?
  • Can a virtual CISO be used as a complement in larger organizations that can afford a full-time dedicated CISO?
  • When hiring a virtual CISO, how are organizational loyalty and quick response time affected?
  • Can virtual CISOs be used as trainers for incoming full-time CISOs?
  • Is a virtual CISO enough to meet certain compliance requirements, and should they be used solely for that purpose?

These questions have many right answers, and certainly some definitively wrong ones. But they are questions that should be asked when deciding whether a virtual CISO is the right choice for an organization.

Research in cyberexecutive management and leadership is an active interest and effort of mine. To do effective research in this area, I continually need access to cyberexecutives, leaders and direct reports to those individuals for interview and survey purposes. If you have the time and interest in helping me out on these research efforts, please feel free to reach out to me at bngac@gmu.edu.

Editor’s note: For further insights on this topic, read Brian K. Ngac’s recent Journal article, “Virtual CISOs: Security Leader or Security Risk?” ISACA Journal, volume 5, 2021.
