Five Qualities That Make for a Great vCISO

Originally published by CXO REvolutionaries.

Written by Brad Schaufenbuel, VP and CISO, Paychex.

The chief information security officer is typically the apex of a career in cybersecurity. Some hold the same title as they move from one company to the next. Other CISOs find their way to different roles in the C-suite, such as CSO, CTrO (chief trust officer), or CIO, CDO, etc. Outside the C-level, many seasoned CISOs branch out to more business-centric fields, becoming advisors, board members, and even leaders in private equity.

The point is that there is no clear path once you’ve reached the top as a cybersecurity leader. Your arsenal of executive acumen, deep experience, and values will guide your journey wherever it takes you.

But if cybersecurity is a way of life and you are looking for more variety and independence, the virtual CISO option may be the next logical step. Being a vCISO means you are an independent or contracted employee that carries out the role of a CISO for companies that may not have a case or budget for a full-time equivalent. Part-time, outsourced professionals help organizations to fill in for a specific period or a project, like achieving SOC 2 or ISO 27001 compliance.

As a fractional CISO, as it’s also called, you can advise, typically from home, several organizations simultaneously, or just one at a time.

Intrigued? Here are five signs you may be ready to step into the role of a vCISO:

1. You enjoy everything about being a full-time CISO but prefer not to shoulder the same stress and responsibility

If you love what you do but prefer to trade in burnout for autonomy and being on call 24/7 for flexibility, then stepping into the world of the vCISO could be right for you. Those in mid-career or twilight years have a toolbox with certifications, skills, and other badges that serve well across various contexts and industries. Much of what you’d expect to do is par for the course but skewed to toward strategy. You’d participate in and often lead meetings, events, operations, and strategic planning. You’d manage roadmaps, cyber architecture, and policy, conduct risk assessments, review RFP responses, and inform overall business risk management. Importantly, you’d coach and advise in-house infosec staff and groom leaders to step up.

2. You can adjust from being on the inside to being outside and looking in

Shifting from an in-house full-time employee to an independent freelancer or working for an IT consulting firm is a significant leap for anyone. A self-assessment examining priorities, personal and financial goals, and other work-life changes is a prerequisite. Circumstances and opportunities change as fast as the industry itself, so many pros take turns being a CISO and a vCISO.

The critical point of differentiation regarding day-to-day activities is that if you are working for yourself or an independent IT consulting service, you are looking in from the outside. This perspective can be more influential when critiquing budgetary spending, performing unbiased evaluations, and mediating between IT and the business. Conversely, as an outsider, you may not have all the “inside baseball,” including the history and context influencing the organization. For many, the way they communicate, manage time, give feedback, work under pressure, and approach their duties can be heavily influenced by this difference and, therefore, their effectiveness and success.

3. You understand the cybersecurity needs of small-to-medium-sized businesses

The experience of being an in-house CISO at a multinational does not equate to being a part-time vCISO for two or three 1000-person companies. Some independent CISOs carry out a specialized deliverable in which they have made a name for themselves, like the world’s best IR planner, and all their clients are in the same industry. That’s very different than a full-time head of cybersecurity responsible for the strategy and execution in a large organization.

Consider the change in focus, attack surface, and crown jewels in scope. Large enterprises hire in-house CISOs (many have deputies as well). They have the payroll resources and the recruiting teams to find the right talent. Smaller firms typically turn to vCISOs. It’s not just because of cost. A full-time CISO could be overkill, especially if an organization has an MSSP or MDR in place. They could forgo an operational security staff but not a strategic thinker at the helm to help them develop and deliver a security program.

If you understand SMBs, which typically means limited resources, but less complexity, you’ll be more at home juggling them.

4. You can choose clients that understand what they can get and not get with a vCISO

You can have more control over your workload and effectiveness if you are independent rather than an employee at a staffing or consulting firm. Regardless, partnering or getting assigned to a client that has good security hygiene and only needs you to help run a program or handle some aspect that is your sweet spot is a win-win for the fractional CISO. Many (like SMBs) choose outsourcing options because of a skill shortage but also value the benefit of working with someone who can leverage the experience gained from working across many organizations.

5. You are committed to professional development

Going solo means you must be more proactive with keeping your best foot forward as you move from client to client. In addition to the ability to sell yourself and convey continual relevance to changing needs, there are endless opportunities to upskill across risk management, governance, IT, and other relevant domains seeing rapid transformation due to advances in AI, data science, and related fields.

A virtual CISO may one day mean something entirely different, given the accelerating pace of progress. Today, it is a viable option for in-house CISOs looking for a change and, increasingly, not the road less traveled.