What is a vCISO and how do I Hire One?

Cybersecurity defense is a specialized topic that requires both deep subject knowledge and real-world experience. There is a shortage of skilled professionals within the cybersecurity sector, and people who have skills and experience are in high demand.

To design, implement, and maintain a robust cybersecurity strategy in an organization requires the presence of a senior-level expert who fills the role of Chief Information Security Officer (CISO). The CISO is responsible for all aspects of cybersecurity strategy and policy within an organization. This includes regulatory compliance, cyber insurance procurement, threat activity reporting, incident response planning, attack recovery planning, and more. Many organizations struggle to find a suitably qualified individual to fill this role. Plus, they often don't have the resources to attract top-caliber professionals for a full-time position.

Managed Security Service Providers (MSSPs) have identified that there is a gap in security provision for the essential strategic CISO role in many organizations. The MSSP virtual CISO (vCISO) service offering plugs this gap and provides organizations of all sizes with access to suitably experienced and qualified cybersecurity professionals to fill the CISO role.

What is a vCISO?

A vCISO is a highly trained cybersecurity expert contracted by an organization to handle its IT security and compliance programs.

A vCISO brings years of cybersecurity experience gained from working with multiple organizations across all sectors of the economy. The vCISO learns the technology an organization has deployed and builds relationships with the C-suite, other executives, and the IT team. The vCISO combines this client knowledge with their industry experience to provide sound cybersecurity advice and to build a strategy that delivers protection, governance, compliance, reporting, and a roadmap for any changes needed. Get a vCISO by emailing info@criticalinsight.com.

A vCISO becomes a trusted member of each organization's management team and helps them deliver the core cybersecurity protection that every organization needs. In addition to providing technical guidance, the vCISO also ensures that the documentation and other artifacts that regulators require are produced and maintained over time.

Critical Insight vCISO Options

Each organization is different, and therefore each organization has differing requirements. To provide options at an appropriate level, Critical Insight offers two levels of vCISO service.

vCISO level - the core vCISO role offers the following:

  • A virtual Chief Information Security Officer provides executive-level advisory and consulting services on retainer.
  • Priced as a set number of hours (usually 280) for an annual program consisting of periodic occurrences and deliverables.
  • Engagements occur using practices appropriate for an overall security program agenda.

The tables below outline the periodic occurrences and deliverables that form part of the vCISO role.

Table 1 - vCISO Occurrences.

Occurrence 

Scope 

WEEKLY 

  • Weekly Reporting 
  • Recordkeeping (e.g., security testing results for products) 
  • Meetings  
  • Change control 
  • Ad hoc  
  • Planning for upcoming monthly, quarterly, or annual requirements  

MONTHLY 

  • Meetings  
  • Infosec/IT Steering  
  • Governance  

QUARTERLY 

  • Conduct Risk Governance Committee meeting  
  • Review / update IR Plan  

ANNUALLY 

  • Participate in annual planning and budget development  
  • Policy Review 

Table 2 - vCISO Deliverables.

Name of Deliverable

Description of Deliverable

Weekly Report

A written status report sent weekly, including:

  • Status of previous or currently open activities and deliverables
  • New questions or emerging needs

Monthly Status Reports

A written status report sent monthly, including:

  • Status of previous or currently open activities and deliverables
  • Number of project hours remaining
  • New questions or emerging needs

Annual Policy Review

A set of updated information security and data protection policies that are required for compliance and to increase the level of security at the customer's organization.

vCISO Lite level - a lite version of the vCISO service that includes the following:

  • A virtual Chief Information Security Officer provides executive-level advisory and consulting services on retainer.
  • The "Lite" offering supports a subset of best practices for an overall security program agenda in a less expensive package than the vCISO offering.

The tables below outline the activities and deliverables included in the Lite service.

Table 3 - vCISO Lite Activities.

Activity or Focus

Scope & Delivery Requirements

Phone, Email, and In-Person Consulting Services

  • Set number of hours (usually 100) of general information security, cyber security, and GRC consulting and advisory services, provided by phone, email, and/or in-person.

Table 4 - vCISO Lite Deliverables.

Name of Deliverable

Description of Deliverable

Monthly Status Reports

A written status report sent monthly, including:

  • Status of previous or currently open activities and deliverables
  • Number of project hours remaining
  • New questions or emerging needs

Annual Policy Review

A set of updated information security and data protection policies that are required for compliance and to increase the level of security at the customer's organization.

Critical Insight oCISO Service

Critical Insight also offers an Office of the CISO (oCISO) service that builds on the foundational offerings provided in the vCISO service.

The oCISO service is bundled with the vCISO service; it adds more detailed oversight and includes execution deliverables. The oCISO offering adds weekly project and incident management, monthly vulnerability assessments, and other necessary reviews. It also includes annual audit assistance, including Security Risk Assessments, Tabletop Exercises, and Penetration Tests.

The table below outlines the complete list of deliverables included in the oCISO service offering.

Table 5 - oCISO Deliverables.

Name of Deliverable

Description of Deliverable

Weekly Report

A short status report sent weekly, including:

  • Status of previous or currently open activities and deliverables
  • New questions or emerging needs

Monthly Status Reports

A written status report sent monthly, including:

  • Status of previous or currently open activities and deliverables
  • Number of project hours remaining
  • New questions or emerging needs

Quarterly Vulnerability Assessment Reports

A tabulated and prioritized report of the findings and identified vulnerabilities from the monthly VA scans.

Quarterly Access Authorization Management and Reviews Report

A brief summary report to be used as an audit artifact.

Quarterly Firewall rules review Report

A short report detailing the review findings such as new issues, progress from previous reviews, and remediation activities.

Quarterly Review/update IR Plan

Review the IR Plan and apply any needed updates once a quarter.

Annual Policy Review

A set of updated information security and data protection policies that are required for compliance and to increase the level of security at the customer's organization.

Annual Security Risk Assessment

A report describing the activities performed and the findings and risks identified, along with a set of prioritized recommendations and next steps to mitigate the risks and improve the security posture of your organization.

Annual Penetration Test

A report detailing the penetration testing methodology as well as the findings and recommendations for remediation identified during the testing.

  • Discovered vulnerabilities and weaknesses
  • Exploited vulnerabilities and weaknesses
  • Remediation and mitigation recommendations

Annual IR Plan Tabletop Exercise

One (1) day onsite exercise designed to identify any weaknesses in the IR Program and to familiarize the staff with their responsibilities in the event of an incident.

TTE Report with Table of Findings and Recommendations: A written report summarizing the results of the TTE that will include a Table of Findings and Recommendations for improving the Incident Management Program

Annual Security Awareness Training Materials and Training Session

  • A set of Security Awareness Training materials that can be used in whole or integrated into your existing content.
  • Up to 2 training sessions.