Framework Security
Best Virtual CISO Companies in 2023: Reviews & Pricing
There is no shortage of companies that offer up vCISO, part-time, or fractional CISO services. It seems as if this is a hot-button item for companies, due to many causes, but primarily due to regulation.
However, not all of these services are delivered by a true CISO, or by someone with any security leadership experience. Often the vendor is simply offering senior consultants at a premium price.
So, what is a vCISO service? It should not be a hands-on engineer or analyst role. There are consultants that can perform those roles at a much lower rate.
A vCISO service is for an organization that needs to mature its security program or provide additional support to its existing security leadership.
It provides strategic support to better define and implement security controls in the short and long term. Ultimately, the vCISO service is a powerful tool to help build a security culture within your organization.
Top Virtual CISO Companies List
The Best Virtual CISO Companies in the US
For vCISO services strictly based out of the US, here are some of the current rankings.
FRSecure offers up a strong and deep bench of virtual CISOs for your organization’s needs. They have two offices, one on the east coast and one in the Midwest. As part of their service, they are known to offer up assessment services to gain a base understanding of your security program. Further, they have a mature delivery approach that will provide value to your organization regardless of maturity level.
Optiv has been providing services across many verticals for numerous years. Optiv has become deep and well-respected in regard to providing vCISO services. Optiv has developed services that are tailored to your organization's industry and requirements. Further, they work closely with the organization's leadership to fully determine and define the scope and requirements of the engagement.
Once it is defined, they can pull additional consultants from their other service lines to assist with the completion of the project, if necessary.
Kroll provides a vCISO service designed for both executive and security leaders. As part of their service offering, they have designed and built multiple pre-formed engagements. These engagements include services like assessments, cloud security, and incident response. By leveraging seasoned security leaders, Kroll can truly augment the internal leadership team.
The Best International Virtual CISO Companies
There are many reasons to consider an international vCISO company as a service provider. The most straightforward reason is that your organization is located outside of the US.
However, another valid reason may be that the leadership team needs additional assistance with navigating regulatory, legal, and cultural expectations for cybersecurity. In these instances, it may be worthwhile to engage an international vCISO.
Deloitte has a large presence, both in the US and globally, so it is placed in the international category. One of the biggest benefits of this company is its ability to provide this service, regardless of the company location. This further increases their value, as they can assist with regional CISO services to address local or regional regulatory requirements, such as GDPR.
Accenture also has a strong presence in the US and internationally. Due to this, they can provide vCISO services in the region that your organization needs, with the expertise that is required to meet your engagement requirements.
Accenture has a strong track record across many disciplines and has grown its security services organically and through acquisitions over the years. They offer a mature set of services that help internal security leaders and executives implement and mature the controls required by regional and international regulations.
BSI has a strong reputation as a testing, inspection, and certification company. Due to their background and being considered a leader in the security certification space, BSI has positioned itself to assist with meeting regulatory requirements through its vCISO services.
Their service is intended to help a company that does not currently have a CISO to design and implement the core components of a cybersecurity program. Further, they have designed their service to transition to an advisor after a hire is made. Overall, they provide a strong advisory service that can assist with region-specific requirements.
Best Boutique Virtual CISO Companies
For smaller companies that specialize in Virtual CISO, the following options are worth a look.
SideChannel is made up of previous CISOs and senior leaders that provide services tailored to start-ups and small, rapidly growing companies. Their primary focus is to assist with designing and implementing the early stage of a security program, sometimes before security leadership has been hired.
With this expertise, they are very adept at managing the nuances of small budgets and rapidly growing businesses. This is a bit more of a niche offering, but it fits well within the size and type of service that SideChannel offers.
Clearwater is a small security outfit that offers up a few services, including a vCISO. Their services are tailored to the customer’s requirements and needs with a highly seasoned security practitioner to help lead the project.
While the consultants tend to be extremely seasoned, often with direct CISO experience, the firm does not have a large number of CISOs on hand. Depending on the project's requirements, additional recruiting may need to take place before they are able to staff your project.
When CynergisTek began, its offerings were focused on healthcare and healthcare services, but they have since expanded to include vCISO services. Like Clearwater, they hire very seasoned and experienced consultants to lead their vCISO engagements.
Due to the smaller offering, their services tend to be tailored to the engagement and needs of your company. Like other boutique shops providing these kinds of services, they may require time to recruit the right senior leader to complete your project.
The Best Value Virtual CISO Companies
There are many vendors that offer cheaper vCISO services. When reviewing these providers, use caution, as they may not be offering a true vCISO service but more of a security consultant service.
There is a key difference between the two, as the CISO service should act more as an advisor rather than a hands-on technical engineer or analyst. It is critical to understand the end goal of the contract to properly identify the type of service that is required. After all, paying vCISO rates for engineer contract work is a high price to pay.
The RealCISO provider is a bit unique compared to other companies. It is a platform that offers up services related to compliance and attaining certifications. Because the company leverages a web platform, rather than a direct CISO, it can help cut the overall cost of the engagement. The one downside is that it is focused on compliance and not as robust as a consultant.
While this is not a vendor, independent consultants should not be overlooked. Many senior-level and executive CISOs provide services to small and medium-sized businesses and leaders on the side.
This is a great way to leverage the experience of a CISO who works for a much larger organization without paying the full-time rate. This type of engagement is also a great way to provide a mentor to the existing security leadership team within the organization and to grow talent.
(NOTE: See our detailed report on the cost of vCISO services at this link.)
Tips on Choosing Virtual CISO Companies
This article touched on just a few of the vendors that offer vCISO services with many more providing these services. When it comes to selecting a vCISO service provider, there are a few things your organization should consider doing prior to and as part of the search.
Define Expectations or Deliverables
This may be the most impactful pre-engagement work that your organization can do to guarantee success. Understanding the expectations or deliverables for the service can assist your organization with attaining the right vCISO service provider for your requirements. After all, asking for board reporting help vs. attaining a certification are two totally different deliverables.
While they could be completed by the same consultant, it may not always be the case. Providing this information during initial discussions will help to ensure that you’re contracting for the right service and that the vendor can provide the right resources to meet your expectations.
Define Experience Requirements
If you were hiring a CISO directly or if you have someone in the role, you would define the job requirements and experience.
The first step in defining the job requirements is to define the experience required. Does your organization need someone with expertise in FedRAMP? How about GDPR and the United Kingdom's operating requirements under GDPR?
Knowing the experience and expertise that is needed will help you ask the right questions and validate that the vendor can provide a consultant who is able to perform this role. The required experience may also determine the pricing for the CISO, as a CISO with FedRAMP experience may carry a higher hourly rate than one with only ISO 27001 experience.
Once you have a preferred vendor or two, ask for references from previous clients. Discuss the services provided and how the consultant interacted with the team. This will allow your organization to determine if the engagement management is what you are expecting or require. Additionally, this will provide insight into some of the consultant’s skills and ability to deliver on the work that is scoped and contracted.
Perform Initial Assessment
There is another way to see if the vendor is going to be a fit before contracting for the full vCISO service. As part of a proof-of-concept engagement, ask to have the proposed consultant perform an assessment of your organization and present a set of requirements. This could be a gap assessment if you are looking for help in attaining a certification, or just a maturity assessment.
This type of engagement can usually be done in a fairly short period, especially if time-boxed, with a defined deliverable that will allow you to see written, verbal, and analytical capabilities.
After all, this service is meant to help mature the security program and act as additional senior leadership to the existing staff, so it will be critical to make sure they have the skills required to perform the job.