Every company starts its cybersecurity journey somewhere. Some can jump right in and hire a full-time CISO, while others need to grow before they are ready for that leadership role.
Fortunately, services exist to assist with this transition, or maturing process, in the form of a virtual CISO (vCISO). Although most people have spent some time in a fully remote role over the last few years, the vCISO model was remote well before current events forced companies into that posture. A vCISO can be engaged anywhere from a few hours a month to full-time, and can bring a hybrid technical and leadership skill set or a purely non-technical leadership skill set. That flexibility is why so many companies use the service: it fills the senior leadership role with the skills that are needed while still addressing the day-to-day needs of the information security program.
Virtual CISO costs, however, vary widely, because the service is not one size fits all.
Before you can estimate whether the return on a vCISO will be worth the investment, you have to know whether you’re paying the right amount for the kind of service you’re getting. This is a guide to how vCISO costs are determined, and how much you’ll likely have to spend, depending on the status of your current security program and your organization’s goals moving forward.
This free PDF report shows pricing data from 10 real vCISO contracts so your firm can gauge costs and avoid overpaying for its own vCISO.
- Scope for Virtual CISO services
- Virtual CISO Cost Benchmarking
- How Much do Costs Vary from One Vendor to The Next?
- How Much do Virtual CISO Services Vary from One Industry to the Next?
- Costs of Virtual CISO Vs Hiring a CISO
- Costs of Virtual CISO Vs Benefits
Scope for Virtual CISO services
Unlike many consultancy services, the scope of a vCISO engagement depends on what the business wants to accomplish. In most cases it is a dedicated resource for an allocated number of hours per month. Typical scopes for vCISO services include:
- Policy development: Develop, refine, and/or update policies to reflect security requirements for the business
- Sales support: Assist the sales team in developing material to support opportunities and conversations with clients
- Compliance: Develop a short- and long-term roadmap to attain and maintain compliance with standards like ISO 27001, PCI DSS, and SOC 2.
- Executive and Board Support: Develop KPIs, metrics, and reporting structure to convey security posture to executives and board
- Training and Development: Training or coaching a new CISO in how to lead an enterprise security program
- Recruiting: Defining roles, responsibilities, and compensation for additional security resources
- Interim CISO: Fill in while recruiting a full-time CISO to replace an exiting CISO
- Other typical information security practitioner functions, such as risk assessment, physical security, building a vulnerability assessment and management program, or building a threat management capability
Virtual CISO Cost Benchmarking
Because of the varying factors, expertise, and desired capacity, the total cost of a vCISO service can vary greatly. In this section we evaluate some of the factors that influence the total cost of contracting a virtual CISO.
A virtual CISO could range in cost from $20,000 to well over $250,000 per year, which equates to roughly $1,667 to $20,833 per month.
With such a large range, it is important to understand the drivers or factors in how these services are priced. Below we will evaluate four factors that may be considered when looking to price a virtual CISO service.
Cost Factor #1: Cybersecurity Program Maturity
One of the first factors that will impact the cost is the overall maturity of the information security program. Quite simply, an immature program requires more hands-on skills, coupled with strong executive leadership, to define information security goals and execute on them.
A program that is immature or only beginning to define a roadmap, policies, and controls will require more of the vCISO's time to understand the security needs, and deep experience to align security policies and controls with the business goals.
That means an investment in understanding the internal capabilities and the key concerns of executives in order to provide appropriate guidance, followed by a large effort to define the controls, frameworks, and policies that will support the program in the short and long term.
Initial security initiatives may concentrate on meeting regulatory and compliance requirements, but longer-term initiatives will involve defining secure-by-design architectures and controls.
Cost Factor #2: Monthly Capacity
This factor may seem obvious, but it needs to be considered. A service that contributes only ten hours a month costs vastly less than one that contributes 80 hours a month. While this is simple math, the reality is that, depending on maturity, compliance requirements, or contractual requirements, simply cutting back the monthly hours may not be the appropriate way to lower the overall cost.
Every vendor or consultant will have a minimum set of hours that are required to perform the role as your virtual chief information security officer. Clearly defining the organization’s strategy, whether it be protecting against data security breaches or simply providing clear communication to the organization’s board, will help in defining the investment of time required from the virtual CISO team.
Cost Factor #3: Contract Structure
Similarly, the contract structure has a direct impact on the cost of the virtual CISO. Engaging a company that offers a CISO as a service, essentially an on-demand month-to-month contract, will likely have a premium on the monthly cost versus contracting yearly.
Just like any service you engage, there is an additional cost for the convenience of not committing to a long-term spend. This may work for an organization with a short project that requires more executive leadership, but if the organization needs to build a more robust security program, a longer-term contract will bring more benefits.
A multi-year contract may see the yearly cost decrease as the service is consumed or renewed. This is usually a result of moving from a build state to a maintenance state, which requires fewer hours on a monthly basis going forward in running the program.
Cost Factor #4: Security Expertise
Security expertise is the last of the four factors covered here, but understanding a vCISO's responsibilities and the security expertise they require can have a large impact on the cost.
Working in a highly regulated industry, like finance or government, requires prior experience and expertise to properly guide the business in its investments and information security program requirements. For instance, a business working toward a FedRAMP authorization, even if it has a full-time CISO, may need to engage a virtual CISO with extensive knowledge of that program.
That knowledge greatly reduces the internal teams' effort in designing and deploying controls to meet the control requirements. In a nutshell, FedRAMP is one of the most intensive cybersecurity frameworks an organization may need to be assessed against, and is an example of when many organizations hire a vCISO or CISO as a service to support a full-time CISO.
Another example is working with sensitive information like consumer data. Handling consumer data has direct implications for data privacy and requires a deep understanding of a varied set of laws, like the California Consumer Privacy Act (CCPA) and GDPR. A business may assume it does not operate in California or the EU, but if it does business online it may well be handling the data of residents of those jurisdictions. The applicability of these laws needs to be assessed and addressed up front rather than discovered through fines.
The final component of the security expertise factor is the business's operating footprint. Does the business mainly operate in the United States, or is it a global organization? Does it handle employee data in one country or several? Much like consumer data, there is a varied set of laws governing which employee data can be collected and how it can be used, so it is vital to have a virtual CISO with the right expertise to advise the company on the design and implementation of controls that meet those requirements and avoid exposing the organization to litigation.
How Much do Costs Vary from One Vendor to The Next?
The vCISO service is still new and has not yet become a commodity service, which creates a wide variety of monthly rates for similar skills.
As with nearly every consultancy service, engaging a large, well-known firm can result in a higher rate than a local or boutique shop charges for the same service. While the virtual CISO service from the large firm may be nearly identical to the smaller shop's, the cost could be 1.5 to 2 times as much. The biggest benefit of engaging a larger consultancy is a wider pool of former CISOs to work with, which may allow the organization to engage a different set of skills depending on its strategy for that quarter or year.
Another option is to engage an independent consultant to provide the virtual CISO service. In this case, you can often reach out to current Chief Information Security Officers to solicit recommendations on colleagues who are offering a virtual CISO service on a part-time basis. This often results in a significant discount over a consultancy firm and is a great way to engage a practising CISO without hiring full time.
Whether engaging a consultancy or an independent consultant, the final component that affects cost from vendor to vendor is onsite versus fully remote work. Unless the virtual CISO lives near the organization's headquarters, travel costs will be added to the contract. Some vendors charge a flat travel rate as part of the contract, and others charge only the pass-through cost. The biggest drivers of travel cost are where the consultant is traveling from and how often the virtual CISO needs to be onsite. Most part-time virtual CISOs are onsite only for board meetings or executive briefings.
How Much do Virtual CISO Services Vary from One Industry to the Next?
As discussed under Cost Factor #4, industry-specific security expertise can have a large impact on the cost of the service and on which vendor to engage for a virtual CISO.
Simply stated, hiring a virtual CISO with experience in your industry is the ideal approach, as the security requirements for manufacturing, consumer SaaS, and government contracting are vastly different.
Understanding the requirements for security controls in the appropriate industry should be a core requirement when choosing a vendor or vCISO to engage. This provides the ability to leverage previous expertise to streamline the work and planning that will be required to meet the business objectives.
It is hard to say exactly how much the cost would differ between a FedRAMP-experienced virtual CISO and a manufacturing vCISO, as there is already such a large range in pricing for this service. The best reference point is full-time Chief Information Security Officer salaries within your industry. Even those vary greatly depending on the industry.
Costs of Virtual CISO Vs Hiring a CISO
Before discussing the salary of a full-time CISO vs. the cost of contracting for a virtual CISO, let’s look at the difference in work quality or benefit to the organization.
In nearly every case of engaging a CISO or vCISO, there should be no tangible difference in the work product. In both cases, as part of the engagement, interviews should be conducted to understand skills, experience, and cultural fit with the organization.
If the organization has selected the right candidate that matches the job requirements, the impact on the organization should be nearly identical, if working on the same project with the same time constraints. The only major difference would be the calendar time it may take to complete the project, as a vCISO is typically working on a limited-hour commitment in any given month.
As a reference, a full-time dedicated CISO can be found for as low as $150,000 a year. However, base compensation has a broad range with most in the $200,000 to $500,000 base salary range.
Within this range, in-house CISO salaries are rising quickly, which can make a full-time hire cost-prohibitive. The escalating salaries reflect the increased emphasis on security and the specialized skill set the role requires.
So, if the organization is not ready for a full-time CISO, it may very well be the right choice to engage a virtual CISO for $5,000 per month to help build and support the security initiatives within the business.
However, if engaging a vCISO from a vendor at a full-time rate, an organization should expect to pay significantly more, on the order of 30-60% over the direct-hire rate. This is a typical vendor markup for selling the service, given that the work product of a vCISO and a full-time direct-hire CISO is likely to be nearly identical.
Costs of Virtual CISO Vs Benefits
In some cases the organization may have no choice but to engage a vCISO to meet contractual or regulatory requirements. For instance, the New York Department of Financial Services cybersecurity regulation (23 NYCRR Part 500) requires covered entities licensed under New York banking, insurance, or financial services law, with limited exemptions, to designate a CISO who reports to the board at least annually, alongside a list of security controls, capabilities, and audits that must be in place; the regulation explicitly allows that CISO to be employed by a third-party service provider, which is where a vCISO fits. In this case the benefit to the organization is being cleared to operate in New York without facing fines or suspension of business operations.
While this is a drastic example, there are plenty of other industries where a vCISO provides additional benefits. At its core, what a vCISO provides is relief for executives from the weight of running a security program in a modern environment.
Whether building a security roadmap that focuses on strategic spending and investment, implementing threat monitoring to provide an additional layer of analysis, or interfacing with customers to build a deeper level of trust, a virtual CISO can help improve the organization's information technology and operational efficiency. In the end, the biggest result is the lowering of actual and perceived risk to the organization through a reduction in the impact or likelihood of a security breach.
An executive team committed to engaging in the development and deployment of the security program can turn a relatively small investment into savings of 10x or 100x that amount by avoiding a potential incident.