Organizations are facing ever-increasing challenges related to security and compliance. Security issues are in the news every day with targeted attacks, phishing, malware, and especially ransomware on the increase. A last-minute reaction-based strategy is no longer sufficient, and cyber insurance will not pay for your breach if you have not done due diligence to protect your organization. But where do you start?

Your IT department is already overworked, and the TCO of a security staff is not in the budget. You need a reliable CISO function, but that can be cost-prohibitive in today’s market. says “A vCISO is an outsourced security practitioner or provider who offers their time and insight to an organization on an ongoing basis, usually part-time and remotely.”

This definition leaves a lot of room for prescribing the methodology and direction a vCISO engagement could take. There are certainly a lot of functions that can be reasonably assigned to that role, but there are a few basic components to a vCISO framework that are essential and should be the foundation of any vCISO engagement. Let’s take a quick look at those basic functions.

  • Understanding business drivers and direction
  • Initial risk assessment
  • Gap analysis and prioritized risk list
  • Understanding the organization’s compliance requirements
  • Strategic security and compliance plan
  • Tactical risk mitigation plan with punch list
  • Ongoing analysis of emerging risks and threats
  • Pragmatic guidance on security and compliance issues, informed by business needs and objectives

These basic functions should be the foundation of any vCISO engagement and framework. They encompass the functions of a CISO and can be performed by a virtual CISO without the cost of an FTE or the requirement of a full-time onsite person in that role.

Benefits of virtualizing this function can include:

  • Cost savings over an FTE CISO
  • Experienced resources that have seen real risk and threats in a wide variety of industries
  • The benefit of “external” recommendations to leadership
  • Strategies and methodologies already proven in the real world

Cost savings over an FTE CISO

Finding an experienced and successful CISO in today’s market is becoming increasingly difficult. Affording that resource as a Full-Time Employee can be even more difficult and is not always realistic for small to medium-sized organizations. A good vCISO engagement can be far more affordable.

Experienced resources that have seen real risk and threats in a wide variety of industries

Many of the resources available from reputable security providers bring a wide breadth of experience in a variety of settings and industries to the table. This is an enormous asset to organizations due to the resource’s ability to recognize a wide variety of risk and to correctly prioritize and address it.

The benefit of “external” recommendations to leadership

Leadership often ignores or trivializes recommendations that come from within. Even excellent advice from internal staff is often minimized, while the same advice gains traction when the source is a trusted external partner. This is not a good trait of organizational leadership, but it is often the case. The person with the plane ticket is often paid more attention, and their advice often carries more weight. vCISO resources typically have years of meaningful experience communicating risk and strategy to leadership.

Strategies and methodologies already proven in the real world

Due to their experience level, a vCISO resource can bring proven strategies to the engagement and can help the organization focus on significant strategic initiatives that fall within its budget and risk tolerance. The difference is akin to that between a medical student who has read many books on surgical procedure and a seasoned surgeon who has performed thousands of operations.

Hiring a CISO function is becoming a more common requirement for organizations, and acquiring and keeping a seasoned, experienced person in that role is increasingly difficult and expensive. Utilizing a reliable organization to provide experienced vCISO engagements can be a viable and successful strategy.

Eddie “the Y3t1” Mize is CSO and Director of Information Security for The Pinnacle Group.
He has over 36 years’ experience in the computer industry as well as over 22 years’ experience in information security. He is an integration and security specialist with years of experience building information security programs. He has led numerous pentest and red team events for a wide variety of industries and served on Cisco’s Enterprise Advisory Board for Information Security.

Eddie is a frequent security speaker on real-world information security and compliance, mobile security, red-team/penetration testing techniques, and cloud security. He is a security evangelist, podcast SME, DEFCON speaker & Staff Goon, and is a “Distinguished Speaker” for the CiscoLIVE conferences. Eddie’s work has been published in Network World, Pentest Magazine, and Hakin9 Magazine.