
What Does a CISO or Virtual CISO Cost?


Stout Article

COMPANIES ARE UNDER ATTACK. News headlines warn about hijacked email, ransomware, and hacked databases,[1] while regulators, laws and professional standards make it increasingly clear that businesses must protect their critical information and operations, with executives responsible for any breaches. The risks are real. Unfortunately, many organizations lack the expertise to implement an effective security program. In particular, many board members and senior executives lack familiarity with the key issues to supervise a security strategy. This paper presents several elements of information and cyber security, including how Chief Information Security Officers (CISOs) and virtual CISOs can provide advisory expertise to companies.

Regulations, Guidelines, and Risks

Business requirements for information and cybersecurity are changing rapidly. Regulations; international, U.S., and state laws; and accepted best practice security standards all demand attention. As examples of these new requirements, in 2017 both the Securities and Exchange Commission (SEC) and the National Association of Corporate Directors (NACD) issued enhanced guidelines for information and cybersecurity.

SECURITIES AND EXCHANGE COMMISSION

SEC rules and guidelines drive management controls for public companies and the securities industry. In September 2017, SEC Chairman Jay Clayton stated, “The scope and severity of risks that cyber threats present have increased dramatically, and constant vigilance is required to protect against intrusions.”[2] The SEC specifies that cybersecurity efforts cover assessment, prevention, mitigation, resilience, and recovery, and that in cases of a breach, companies may be required to disclose an attack, including its costs and other business impacts.[3]

NATIONAL ASSOCIATION OF CORPORATE DIRECTORS

The NACD sets standards for board behavior and responsibilities, and their 2017 Handbook on Cyber-Risk Oversight[4] emphasizes the direct responsibilities of board members to review, approve, and monitor their company’s cybersecurity strategy. Boards are required to have direct access to information and cybersecurity expertise, and are being held responsible for the effectiveness of their organizations’ information and cybersecurity programs.

RISKS

There are many threats to protect against, all of which are trying to gain unauthorized access to companies’ information or systems. In addition to revenue hits, short-term costs of a security breach include immediate management distraction, lost or damaged data and systems, and degraded operational effectiveness with urgent system recoveries and upgrades. Long-term impacts include lawsuits, reputation damage, possible losses of customers, and potential job losses for some employees, executives, and board members.
Faced with these risks, companies need to develop and implement a security program appropriate for their business, balancing regulations (which need to be followed), professional standards (which should be followed), and effective protections against expected threats.

Regulations, Guidelines, and Risks

Companies need to identify and support their business priorities through the protections of their security program. Through choice or inaction, some companies wait for audit findings or a breach to drive their security improvements. Other companies want to be proactive but lack an expert to lead their program. The good news is that while security expertise is necessary, the core elements of an effective security program build on general management skills.

RISK ASSESSMENT

A risk assessment is an early task in any security process, encompassing all current operations and outsourced relationships. Organizations can and should do internal assessments, but regulators and auditors place higher value on (and sometimes require) independent external risk evaluations.

The FBI reports that some 90% of company security exploits result from employees clicking on an email link or opening a web page with embedded malware.[5] All it takes is one click and a firm’s systems can be attacked from the inside.

Risk assessments usually start by conducting or verifying an inventory of all hardware devices, systems infrastructure, applications, and data. If you do not know what you have, you cannot know what to protect or what threats to protect against.
Next, these assets are linked to critical business functions, identifying those which are most important and most vulnerable. This linking of assets, business activities, and business priorities allows risk assessments and security plans to focus on what most needs protection.
A risk assessment broadly covers these steps:
• Identify what needs to be protected, plausible threats, and known vulnerabilities
• Estimate the business risks if vulnerabilities are exploited (considering probability and potential severity)
• Prioritize these risks and identified protective gaps
• Document and agree to a plan to address these gaps
• Track progress of the plan, with executive and board updates
• Monitor the effectiveness of these protections
• Periodically and regularly repeat the above steps
Although specific threats and vulnerabilities may be unfamiliar to executives, the security process applies general management actions: prioritizing critical business functions, deciding which risks to accept or mitigate, allocating resources, delegating responsibility, approving plans, monitoring effectiveness, and intervening when necessary.

PENETRATION TESTS

A penetration test is a controlled attempt to break into an organization’s systems or data. These tests often identify misconfigured infrastructure, manufacturer default passwords still in use, and software that allows unfiltered database access. Penetration tests also may target employees or subcontractors (e.g., social engineering), or physical security protections. Specialist firms generally conduct these reviews, leveraging their knowledge of frequent configuration mistakes, common software and organizational risks, and popular attack vectors.[6] Penetration test results are documented and prioritized, and become part of the risk assessment and plan.

VENDOR REVIEWS

Operationally, many business functions and services that used to be done in-house now are outsourced. Systems once built by internal information technology (IT) departments now are purchased, leased, or used as software services, with data and systems in a remote and vendor-controlled cloud.
These externally developed or provided systems still must be checked for appropriate security standards, and should be validated through vendor statements or third-party certificates such as SSAE18 or ISO audits, which are designed for service-providing organizations.
Companies should conduct annual due diligence reviews of their critical vendors and should expect to provide statements to their own customers.

WRITTEN POLICIES

There are two approaches to documenting security policies and standards. One is to research and document best practices, making those the official policy and using the policy to force organizational changes: an “idealist” approach. The other, an “incrementalist” approach, is to document current practices, test for protection effectiveness, and prioritize and target required changes, thus making improvements over time. An organization’s resources, business priorities, current protections, and risk tolerance will guide where it belongs on this spectrum. A reality check is that regulators and many customers require firms to test and verify that their documented policies are followed, so regulated or service-providing organizations without policies need to move quickly to establish them.

TRAINING PROGRAMS

Many employees analyze customer or financial data on spreadsheets, removing that data from a controlled systems environment if it is copied to a laptop or work is done from home. This is an example of basic activities with risks that all employees should understand. More important, these are as much human and behavioral issues as they are technological. Information security awareness training programs are a common way to educate people to better recognize security risks and to modify their behavior to be safer.
Some firms focus on “Do Not” policies rather than recognizing that many potentially risky behaviors reflect people’s work habits. Studies suggest that the best way to change a behavior is to change expectations around that behavior. With information security awareness training, if people believe they will bring malware into their organization by clicking on links, then eventually they will stop clicking on links, though habits can be slow to change. Experienced Chief Information Security Officers (CISOs) often can identify ways to mitigate risks to a manageable level so that people can get their jobs done with limited modifications or constraints.
Returning to the spreadsheet example, password-protecting spreadsheets containing critical data, providing secure remote access to files, and automatically encrypting laptop hard drives could provide sufficient data protection while supporting a mobile or distributed workforce.
Security training for technologists is also essential. System builders and operators have special responsibilities for safety, but too often security is handled by a separate team or considered an afterthought. As an example of early consideration, defensive programming is the technique of designing, building, and testing systems with the assumption that unexpected events will happen, including security attacks. All developers should be familiar with the inherent vulnerabilities of the languages they use as well as the common risks in specific functions (such as database queries). Security should be appropriately considered before new systems or procedures are implemented. Security should be treated as a core design or purchase requirement, and proper training teaches how and why security can be applied throughout the life cycle of a system.

INCIDENT RESPONSE PLAN

Organizations need to monitor whether their protections have been broken. This includes setting warnings on firewalls, reviewing activity logs and investigating unusual events. Unusual events include those when customers or vendors may have detected a problem at your business, as about half of breaches are reported from outside and not discovered internally. It is difficult to plan during an emergency, so companies should have pre-established incident response plans (IRPs) for how to respond to and recover from different breaches. These plans can be viewed as an extension of other business continuity or disaster recovery preparations.
A general IRP will include steps to detect, investigate, respond/mitigate, recover, and remediate. If a computer crime has been committed, care is needed to avoid destroying or contaminating evidence. Thus, a good plan has pre-identified experts to assist as needed, who also can coordinate with the police, FBI, or Secret Service, and who can require vendors to preserve incident-related data.
A written IRP is a fundamental business and security requirement, as is having a pre-established incident response team to carry out that plan.[7] According to the Ponemon Institute, in 2016 it took firms an average of 191 days to discover a security breach and then another 66 days to contain it.

Important Questions and Considerations

BEST PRACTICES VERSUS GOOD ENOUGH

Security standards such as NIST[9] and ISO[10] specify best practice protections. These standards evolve over time and reflect the cumulative experience of security leaders from around the world. Standards are an excellent starting point for a security program, and they all offer some flexibility to be adapted as appropriate. Companies can decide that best practice protections are not necessary or even appropriate for parts of their business. Limited controls often are acceptable for systems or data that are not business-critical. An effective risk policy can state, “We understand there are risks to not doing xxx, but have decided to accept these risks and instead will protect and monitor that protection by yyy and zzz.” Expert guidance on the prevalence and severity of different risks can guide efficient decisions on the benefits, cost, effort, and complexity of different protections.

SECURITY TECHNOLOGY SOLUTIONS

A traditional view of cybersecurity was to build a network wall (firewall) to keep dangers out and then assume all was safe within the protected environment. Among other challenges with this approach, the distinction between ‘outside’ and ‘inside’ can be blurry. Technology is part of many people’s jobs, and mobile devices, remote access, and web interfaces make perimeters hard to define and therefore harder to protect, especially because vendors and clients also may be connected. As a result, effective security is better achieved through multiple layers of protection and compartmentalization. Access to users, systems, and data should be tightly managed so that only those who need access have it, and technologies should be implemented to help monitor for and protect against unusual or risky activities.
There are thousands of vendors selling security-related hardware, software, and services. Products include network management, anti-virus, encryption, and other tools. Services include code evaluation and security operations centers. However, integrating security tools into an operational business can be complicated, and poorly chosen or poorly implemented technologies can hide or even create security problems. Well-integrated tools will help make safer behavior a default (e.g., restricting and/or checking software installations for malware, and flagging the CEO’s email request for an urgent vendor payment as actually coming from an external email system). An experienced CISO can evaluate security technology products and guide an organization toward those that are most effective and appropriate. Effective security requires an understanding of how to identify and manage risks and secure behavior. Tools help, but they are not the solution.
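The “external sender” control mentioned above, as an added illustration that is not code from the original article or from vSEC: it parses an inbound message, tags mail whose sender or Reply-To address is outside the company domain, and raises a stronger flag when an external sender’s display name matches an internal executive. The company domain, the executive directory, and the three sample messages are constructed for the example.

```python
# Added example (constructed; not the article's or vSEC's code). Classifies one
# inbound email so that a mail gateway or add-in could prepend an [EXTERNAL]
# banner and escalate display-name impersonation of executives.
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.test"  # assumed company domain (constructed)
# Constructed directory: normalized display name -> the real internal address.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.test"}
# Words in a subject that make an external lookalike more worrying.
PAYMENT_TERMS = ("wire", "payment", "invoice", "urgent")


def _norm(name):
    """Lower-case a display name and collapse punctuation and whitespace."""
    return " ".join(name.lower().replace(",", " ").replace(".", " ").split())


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_message(raw):
    """Classify one raw RFC 5322 message (bytes).

    Returns a dict with:
      verdict  - 'internal', 'external' or 'impersonation'
      reasons  - the signals that produced the verdict
      subject  - subject line, prefixed with '[EXTERNAL] ' when flagged
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    subject = str(msg.get("Subject", ""))
    reasons = []

    # Signal 1: the envelope-visible From address is not on our domain.
    if _domain(addr) != INTERNAL_DOMAIN:
        reasons.append(f"sender domain '{_domain(addr)}' is not {INTERNAL_DOMAIN}")
    # Signal 2: replies would leave the company even if From looks internal.
    if reply_addr and _domain(reply_addr) != INTERNAL_DOMAIN:
        reasons.append(f"Reply-To {reply_addr} is external")
    if not reasons:
        return {"verdict": "internal", "reasons": [], "subject": subject}

    verdict = "external"
    # Signal 3: the display name borrows an executive's name but the address
    # is not that executive's real mailbox.
    expected = EXECUTIVES.get(_norm(display))
    if expected and addr.lower() != expected:
        verdict = "impersonation"
        reasons.append(f"display name '{display}' matches internal executive {expected}")
    if any(term in subject.lower() for term in PAYMENT_TERMS):
        reasons.append("payment language in subject")
    return {"verdict": verdict, "reasons": reasons, "subject": "[EXTERNAL] " + subject}


# Constructed sample messages (no real addresses).
SAMPLES = {
    "ceo_lookalike": (
        b"From: Jane Doe <jane.doe@examp1e-corp.test>\r\n"
        b"To: ap@example-corp.test\r\n"
        b"Subject: Urgent vendor payment\r\n\r\n"
        b"Please wire the attached invoice today.\r\n"
    ),
    "internal": (
        b"From: Jane Doe <jane.doe@example-corp.test>\r\n"
        b"To: ap@example-corp.test\r\n"
        b"Subject: Board deck\r\n\r\nDraft attached.\r\n"
    ),
    "vendor": (
        b"From: Acme Billing <billing@acme.test>\r\n"
        b"To: ap@example-corp.test\r\n"
        b"Subject: Invoice 1234\r\n\r\nSee attached.\r\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = classify_message(raw)
        print(label, result["verdict"], result["subject"], result["reasons"])
```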

FOR BOARDS AND SENIOR EXECUTIVES

Recent standards set by the NACD[11] include an update that the association’s affiliated boards are required to have direct access to information and cybersecurity expertise, as they are now being held responsible for the effectiveness of information and cybersecurity programs and strategy. These responsibilities include board review of identified information and cyber risks (including legal implications), board approval of an enterprise-wide security strategy, ensuring that responsibilities and resources are appropriately allocated, and monitoring the effectiveness of these programs, including timely updates on critical incidents. There is no such thing as perfect protection, so boards and executives need to identify which risks they are willing to accept and which they want to mitigate or avoid, a decision process that combines business, legal, operational, technical, and security knowledge. Unfortunately, there is a significant gap in security expertise at the executive and board level in most organizations. There are not enough CISOs to go around.

CISOS AND VIRTUAL CISOS

A Chief Information Security Officer (CISO) is a senior-level executive responsible for establishing the information and cybersecurity strategy for an organization.
This individual has access and responsibilities to the board and senior executives, works closely with senior managers in all departments, and has the responsibility to integrate security considerations and protections throughout the company. Note, while a CISO can establish, lead, and supervise a security program, it requires the entire organization to execute it.
Regulations may require a company to designate a CISO; however, some individuals are assigned these responsibilities without the necessary experience and skills, which usually take 10-plus years to acquire. Hiring and keeping an expert may also be difficult, as there is a global shortage of qualified CISOs: the Rand Corporation reported global demand as 10x to 30x higher than the estimated 1,000 top-level security experts,[12] with over 100,000 unfilled information security positions in the United States.
For companies and boards facing this expertise gap there is an alternative, which is to contract or outsource the CISO function on a part-time or advisory basis while retaining executive responsibilities within the firm. These part-time advisors are known as virtual CISOs, and they help companies leverage a combination of business, regulatory, technology, and security expertise. The NACD explicitly recognizes the benefits of virtual CISOs.[14] Experienced virtual CISOs can provide a range of supporting roles, including:
• Advising boards and senior executives on their information and cybersecurity responsibilities, presenting security risks and choices in a prioritized business context, and supporting the development, implementation, and monitoring of an enterprise security strategy.
• Mentoring internal security officers, accelerating their professional development, and providing guidance on priorities, projects, and purchases.
• Advising or leading specific projects such as vendor selections, purchase decisions, and reviews of security plans, or prioritizing audit findings and coordinating their remediation (as it is sometimes easier for an outside expert to bridge internal hierarchies).
• While most of the above work can be scheduled in advance, virtual CISOs also can provide emergency support, such as for breach evaluation and recovery efforts. Ideally your organization has a ransomware plan already prepared, but getting external advice in a crisis still helps.

SECURITY PROCEDURES COME FROM THE TOP

As cyber risks increase, organizations that understand and implement effective security will be in stronger positions to protect their operations, data and customers against potential breaches, while meeting regulatory and best practice standards.
As with any corporate priority, security strategy needs to be set and supported from the top of the organization. With expert CISO or virtual CISO advice, board members and executives can appropriately incorporate security into their company’s activities. For those that don’t, the lack of preparation could be catastrophic.

Aspire Profile

Securing cyberspace is unquestionably one of the most pressing issues confronting businesses today. The aggregate of businesses transforming digitally has grown exponentially in the past decade. While information technology has proved a blessing for many business sectors, it also created risks for the security of organizations’ systems and digital data. These systems and data are the biggest asset for many companies, which makes their entire businesses vulnerable to cybercriminals and cyber-attacks.
To alleviate the vulnerabilities of various organizations, vSEC LLC, a Chicago-based cybersecurity consulting firm, leverages its business and security knowledge to help clients identify and better manage their cybersecurity priorities. Founding Partners Mike Phillips and John Falck first came up with the idea for the firm in 2017. Over the years, Mike, John, and their CISO (Chief Information Security Officer) peers had recognized that the demand for experienced CISOs greatly exceeded the supply, and that the gap would continue to grow. Virtual CISO consulting allows CISOs to help many companies. Mike had over 25 years of experience as a Chief Information Security Officer whilst John had similar experience as a Business/Technology Executive before they jointly founded the firm with a goal to approach security needs in the context of business priorities.

MAXIMISING SECURITY

vSEC introduced its specialized cybersecurity consulting with a focus on providing executive-level guidance to businesses. Serving as a ‘virtual CISO’, or vCISO, vSEC helps firms assess their current security posture, identify key risks, and develop and execute a security strategy and roadmap that implements prioritized controls. These implementations involve a combination of policies, plans, and procedures, as well as supporting security tools. “For many larger firms it is a complex process to understand what security tools they already own and how to get those (and other tools) integrated so they work as desired,” asserts John.
vSEC clients are in the financial or financial-technology industries, healthcare, energy, regulatory compliance, and manufacturing. The company admires clients who are motivated to be secure rather than merely to document security compliance. It believes that security is not purely dependent on technology but does require adapting technology to securely support business activities. This business-focused approach to helping clients is the factor that makes vSEC a frontrunner in the cybersecurity space. Its special skill is to combine cybersecurity and business understanding to help clients prioritize and implement a security program that is appropriate for their organization. This approach includes establishing security monitoring and reporting structures so executives and boards have insight into the effectiveness, risks and maturity of their security program.
As a virtual CISO business, vSEC states that while it performs some project-based contracts, the majority of clients hire it on a retainer basis, meeting on a fixed weekly schedule over multiple months to develop and execute a cybersecurity strategy and roadmap, whilst still being available to respond to urgent security questions as needed. vSEC is product and technology agnostic, so clients often approach it for advice when they want to review or select security tools or vended services.
vSEC developed the security policies that a start-up required for rapid regulatory approval for their off-shore digital currency exchange and clearing business. Because of the timing of their launch, security policies and controls had to be developed before many people were hired or operations established. The client recognized that project requirements would change significantly, but also wanted to maintain the same regulatory approval and business launch dates for competitive reasons.
vSEC structured the project on a time-and-materials basis and coordinated with other security and technology specialists to ensure a quick response to changes during the project. Fortunately, with vSEC’s combination of security, financial industry, and regulatory experience, it was able to anticipate and guide many project requirements. “The project was a success – the security element of the regulatory review was perfect, and the business met its regulatory approval date,” says John.

ADAPTION IS THE KEY TO BE SECURE

Cybersecurity is both professionally challenging and rewarding. “As security consultants, our work makes people and companies safer, both decreasing the probability and impact of security problems and improving firms’ abilities to detect and respond to security incidents that do occur,” says John. As partners, they believe that security is not a problem to be solved once. “Companies develop new business technologies over time, new threats emerge to attack those, and therefore new security controls are needed in response,” explains Mike.
This constant evolution is exciting and requires a commitment to professional improvement and collaboration for CISOs and vCISOs to stay on top of their responsibilities. In the cybersecurity sphere, companies constantly face external risks such as ‘ransomware’ and ‘false payment’ scams. However, the biggest security risks often are internal, coming from vulnerabilities in how companies operate, i.e., how they manage users, technology, and data. To address both external and internal risks, cybersecurity needs to offer protection through implementing and monitoring tools including anti-virus and firewall systems, and also needs operational controls such as limiting system access of users, restricting administrative system privileges, encrypting confidential data and testing backups.
As a member of the cybersecurity ecosystem, vSEC has established and maintained collaborative relationships with multiple specialist cybersecurity firms. It also has advisory relationships with some venture capital and private equity groups, which gives vSEC access to early-stage security companies and technologies. For example, one of its favourite start-ups developed a proprietary system to secure applications and data from attack even on compromised devices.

GUIDANCE IS ESSENTIAL

“For too many firms, cybersecurity still receives a ‘do the least required’ priority,” says John. vSEC anticipates a combination of pressures that may drive reluctant firms to improve and formalize their cybersecurity controls. Likely external forces include more companies reviewing the security policies and controls of their vendors, expansion and enforcement of privacy and data protection laws, and the insurance industry increasingly demanding proof of effective security controls as a condition for cyberinsurance. As another key factor, if boards and executives are held accountable for their firm’s cybersecurity, as they are for supervising other business risks and controls, that may drive a large shift in executive attention to prioritize cybersecurity.
A jump in demand for cybersecurity likely will attract more security vendors leveraging and promoting next-generation security technology. vSEC expects it will take several years before the hype has settled and a few tools and services become well established. Through all of these transitions, vSEC expects that experienced cybersecurity advice will remain very valuable in helping companies understand and manage their security risks.
One worrisome issue for Mike and John is the potential professional dilution of the CISO and virtual CISO titles, and a resulting credibility risk to what is a relatively new profession. They both highlight estimates that there are only a couple thousand CISOs globally with 15 to 20+ years’ experience, so many companies are chasing a small pool of cybersecurity experts. Since there is not a formal career path or accreditation to become a CISO, many individuals are getting such titles by taking the role. “Unfortunately, adding ‘and Security’ to someone’s job does not automatically give them necessary security experience,” cautioned John. Some security service providers approach this expertise gap by offering standardized tools or reports, selling services that can be supported and replicated by relatively junior personnel. As a client-focused business, Mike and John prefer to start with strategic-level guidance and follow that by leading development and execution of cybersecurity plans. Hence, they expect vSEC’s expertise providing advice to executives and boards that combines cybersecurity, business and operational experience will continue to be a competitive differentiator.

What Does a CISO or Virtual CISO Cost?

Per Salary.com, a US-based Chief Information Security Officer (CISO) averages $282,000 in salary and bonus, and total median CISO compensation is $376,000 including annual benefits worth $88,000 (insurance, 401k / pension, paid time off, etc.).

Median CISO total compensation is $376,249 (salary, bonus, benefits)

Glassdoor, as of June 2023, reports US CISO average annual compensation of $288,830: an average salary of $180,000 plus additional compensation of $109,000.

At the high end, Heidrick & Struggles’ 2023 CISO survey reported median total cash compensation for US CISOs of $620,000, with median total compensation of $1,100,000 including equity grants.

vSEC estimates the median salary, bonus and benefits for a CISO with 15 years’ experience and a master’s degree at $400,000, or $33,000 / month.

Note that beyond compensation, total employment costs include expenses and overhead such as office and equipment, allocated IT and HR support, etc., things your CFO also considers. Does a virtual CISO offer a lower-cost way to get cybersecurity expertise?

Virtual CISO Costs

A virtual CISO (vCISO) can be thought of as a ‘fractional CISO’, a consulting relationship where a client gets part of a security executive’s time. Some vCISOs are independent CISOs (single-person practitioners), some work in small firms that focus on cybersecurity consulting (such as vSEC), and many general consulting or security service firms also quote vCISO services as an extension of their other offerings.
Virtual CISO advisory services usually are provided under multi-month contracts, and these relationships can last many years. Services often are charged on a fixed retainer basis covering an average or maximum hours per week or month. For many companies, this is an attractive alternative to hiring a full-time CISO, as they get cybersecurity expertise and leadership they need without the cost of a dedicated security executive.

A recent web survey of price quotes for virtual CISO services showed many offerings from $5,000 to $20,000 per month, heavily dependent on how much time and support is needed by the client. vSEC virtual CISO services usually range from $6,500 to $15,000 a month based on client needs, with $10,000 a month common for long-term support.

The main driver of virtual CISO pricing is the experience, and therefore the professional cost, of the people providing the vCISO services. If calculated as an hourly rate, these monthly prices broadly reflect the fractional fully loaded hourly cost of a highly experienced full-time CISO, with a markup to cover margin and the overhead of a separate company.
You will pay less for a vCISO than for a full-time CISO; however, we recommend viewing this as paying for the (part-time) amount of cybersecurity expertise and leadership you need rather than getting a cheaper replacement from a less experienced person. A key real value comes from working with virtual CISOs who have assisted firms across many industries, which allows customization of established solutions to meet individual client needs, leveraging specialized resources as appropriate.

Sources

For any queries, email us at info@vsecllc.com