The vCISO: Executive Cybersecurity Leadership for SMBs

A vCISO is a Virtual Chief Information Security Officer who has the same credentials, knowledge, and expertise as a traditional CISO but works with a company at the scale its size requires.

Surging cyber crime rates and the evolution of advanced persistent threats have compelled CEOs and industry experts to acknowledge the growing need for executive cybersecurity leadership. Unfortunately, qualified candidates are rare, leading to a dramatic spike in salary expectations that is unfeasible for many small and medium-sized businesses (SMBs). However, there is an affordable option when it comes to comprehensive cybersecurity guidance: the Virtual Chief Information Security Officer (vCISO). vCISOs have the same credentials, knowledge, and expertise as traditional CISOs but work with several companies at once, scaling their efforts to fit the needs and budgets of individual organizations.


vCISO by the numbers

500,000 unfilled positions in the U.S.— The market for cybersecurity professionals is growing so rapidly that it is difficult to find highly qualified employees. Recent graduates can fill entry-level positions, but it takes years of experience to align cybersecurity and business goals or foster a culture of security within an organization.

30-40 percent less than a CISO per year— CISO salaries are on the rise, averaging $172,000 and, in some cases, exceeding $1 million. SMBs face a difficult choice: forgo the benefits of a CISO or hire someone with less leadership experience willing to work for less money. The smarter option is to partner with a vCISO whose starting rates are 30-40 percent less per year. As an added benefit, a vCISO can’t be sniped by competing organizations, removing the stress of retaining talent.

500 workstations— vCISOs are best suited to organizations with no more than 500 workstations and two data centers. Technical infrastructure that exceeds this limit requires a full-time CISO, as the time and services required from a vCISO would not be cost-effective.

20 years of experience— A vCISO should be as qualified as a traditional, in-house CISO. Fully vet candidates and firms, looking for at least 20 years of experience, extensive business, financial, and technical skills, and proper certifications, including CISSP and CISA.

1 team— The vCISO is a member of the team, not an outside consultant. They should work in close collaboration with other decision-makers and report directly to the CEO as much as possible. This level of integration is essential to maximize ROI, drive organizational change, and create a culture of cybersecurity within the organization.


Learn More

In this technological climate, executive cybersecurity leadership just makes sense. To learn more about how vCISOs are helping SMBs transform their cybersecurity programs, download our white paper: The Emergence of the Virtual Chief Information Security Officer.