Tony Asher, owner of Asher Security, discusses the differences between hiring a virtual CISO and a traditional CISO. Virtual CISOs are more expensive but offer significant expertise and can be engaged part-time, which is cost-effective for companies at operational milestones. They focus on cybersecurity program maturity and risk visibility. Traditional CISOs, costing $210,000 to $340,000 annually, manage both cybersecurity and staff, which is beneficial for companies with high-touch client interactions or preparing for IPOs. The choice between the two depends on the company’s goals, maturity, and the specific needs of its industry.

Action Items

  • [ ] Consider company mission and goals to determine CISO needs.
  • [ ] If no existing security program, hire virtual CISO initially to develop roadmap and gain risk visibility. Rethink traditional CISO once goals are clearer.

Outline

Differences Between Virtual and Traditional CISOs

  • Tony Asher, owner of Asher Security, introduces the topic of hiring a virtual CISO versus a traditional CISO, emphasizing the importance of making the right decision for a company’s life cycle.
  • Virtual CISOs are more expensive but offer significant value, often being experts with decades of experience who can quickly ramp up a program.
  • Traditional CISOs may be more cost-effective if the company is already at a mature stage and only needs to maintain governance or acquire attestations like SOC 2 Type 2.
  • Virtual CISOs typically work remotely and are disciplined, focusing on cybersecurity program maturity and risk visibility, while traditional CISOs also manage staff and handle more high-touch interactions.
  1. Cost and Availability Considerations
  • Virtual CISOs offer flexibility in engagement levels, such as full-time or half-time, depending on the client’s goals and maturity level.
  • Traditional CISOs are more expensive, with an average salary of $210,000 to $340,000 per year according to Glassdoor.
  • Virtual CISOs have multiple clients and are not always available for immediate engagement, while traditional CISOs are more likely to be office-based and available for high-touch interactions.
  • The choice between a virtual and traditional CISO depends on the company’s goals, such as preparing for an IPO or selling a product that requires a high level of security oversight.
  2. Focus and Value Position
  • Virtual CISOs focus on cybersecurity program maturity, risk visibility, and reporting, while traditional CISOs also manage staff and handle more operational responsibilities.
  • Companies looking to go public benefit from virtual CISOs, as they can build value and provide a good return on investment.
  • Companies selling products or services that involve sensitive data may benefit from traditional CISOs, as they provide full oversight and can improve the sales process by reassuring clients about security.
  • The choice between a virtual and traditional CISO should be based on the company’s goals and the current phase of its life cycle, with virtual CISOs being more suitable for initial risk assessments and building a security program.
  3. Goal Alignment and Decision-Making
  • Companies should align their cybersecurity and IT programs with their overall mission and goals to determine the best fit for a virtual or traditional CISO.
  • Short-term goals, such as acquiring a SOC 2 Type 2 or satisfying vendor requirements, may require a virtual CISO to enable the team to build security milestones.
  • The choice between a virtual and traditional CISO should be reevaluated as goals and company phases change, ensuring the right fit for the company’s needs.
  • Tony Asher emphasizes the importance of considering the company’s current phase and goals when deciding between a virtual and traditional CISO to maximize the value and effectiveness of the cybersecurity program.

Full Article: Virtual CISO versus a traditional CISO.

What are the differences?

Today, I outline four differences between hiring a virtual CISO and a traditional CISO so that you can be enabled to make the right decision at this phase in your company’s growth.

My name is Tony Asher. I’m the owner and operator of Asher security. We’re a cybersecurity consulting company. I’ve been a virtual CISO for over five years now. I’ve been able to see the space and work in over 10 different industries. This is a topic I’m very familiar with. Let’s review the differences between hiring a virtual CISO and a traditional CISO.

Price

One of the main things that comes to mind is pay, so let’s start with the elephant in the room. Virtual CISOs are expensive, but with that, you’re getting a tremendous amount of value. You’re often getting someone who’s an expert, is certified, has decades of experience, and can go from zero to 60 very fast.

When you’re thinking of a traditional CISO, companies sometimes have to decide, depending on their company culture, whether to promote someone from within or hire someone from outside. Promoting someone from within the program is a great way to support the culture of the company. But with that also comes a learning curve and a knowledge gap that you do have to absorb. So, if you can afford that, it can improve the company culture, but traditionally, with some exceptions, it will slow down the maturity of your program. If you hire from outside, this is a field where we typically see recruiters used. There are definitely some great recruiters out there, but that does add to the overall cost. When we talk about price, I can only speak to myself and the business that we do.

We break down a virtual CISO engagement into a full-time engagement or a half-time engagement, depending on what the client’s goals are. Sometimes the client has already reached the maturity they want to be at, and they feel they’re at an operational milestone. They want to maintain the program, maintain governance, maybe acquire an attestation like a SOC 2 Type 2, or go and get a review or an audit for ISO or NIST 800-171. In that situation, you’re going to need fewer resources from a CISO. Compare that with other customers who say they’re thinking about going public, they’re going to have more oversight, and they want to speed that program up. Currently, they’re at a low maturity. They don’t really have a formalized program, and they really want to hit that due diligence. They want to hit an industry milestone, and that’s going to take more of a full virtual CISO engagement. But even at a full-time virtual CISO engagement (again, I’m speaking roughly, and about myself), you’re going to come in at less than half of what you’re going to pay a traditional CISO. For traditional CISOs, according to Glassdoor, I just pulled up some recent stats: it looks like the average is around $210,000 to $340,000 a year for a traditional CISO. Those are some rough numbers for you.

We’ve talked about some of the benefits of hiring a virtual CISO, and about the differences between the two roles, in one of our last videos. If you’re interested, look up the four benefits of hiring a virtual CISO, and then you can weigh some of those benefits between the different roles.

Availability

The second thing is availability. A virtual CISO is going to have multiple clients. Although they’ll be available for meetings, emails, and regular engagements, they’re not in that office or cubicle just down the hall where you can come to them at any time with any idea. They tend to be very disciplined. Speaking for myself, if I’m focusing on a project, I will actually close my email, close my messaging, and fully focus on excellence within that, so I become unavailable for a period of time. A traditional CISO is the fit if you want more of a high-touch arrangement: someone who’s available, maybe even someone who’s in the office. Virtual CISOs tend to work remote. Traditional CISOs tend to work in the office. So that’s something to consider, too.

Risk Focus vs. Management Focus

The third thing to consider when you think about a virtual CISO versus a traditional CISO is that virtual CISOs will focus more on the cybersecurity program: the maturity, the attestation, measuring where you’re at and where you want to go, getting a feel for the risk appetite, building risk visibility, and reporting. A traditional CISO will also do that, but in my experience they are also put in charge of management. So they do risk and risk visibility, and they also do management. They might have a staff of people reporting to them, and they’re going to spend more time not just managing the expectations of those roles, but also educating and training those people to grow in their careers.

External Value Position

The fourth thing I want to bring up is something I don’t really have a name for. I would probably call it value position or something similar. Let’s use the earlier example: you’re a company looking to go public in the next year and you want to speed up your maturity program. That’s a great opportunity for a virtual CISO, so you’re building value, and you’re going to get a great return on investment. You’re going to increase the value of your company when they go to audit you or assess you, because you’re going to have a very mature program. If you’re a company that maybe isn’t looking to go public, but is actually trying to sell a product you’re developing, maybe a SaaS platform, you’ll have external clients that are sharing data with you. For that kind of organization, those clients are going to find more value in having a traditional CISO at that company. That CISO works within the company, has full oversight and more responsibility, and it improves the sales process. For example, if you’ve built a SaaS platform you’re trying to sell and you’re collecting sensitive data from your clients, and during one of those calls the client asks you, “Hey, tell us about your security program and how you’re protecting our information,” and you respond, “Well, we’ve hired this virtual CISO,” sometimes that concerns those clients. So again, it really depends on the type of industry you’re in and what you’re trying to achieve.

Goals

When you’re thinking about a virtual CISO versus a traditional CISO, think about what your goals are, and remember that goals change. A good exercise is going all the way up to the top of the company and asking: what is our mission as a company, and what are our goals as a company? Then think about how cybersecurity, or even the IT program, can augment and support that mission and those goals. Depending on the life cycle or the current phase of the company, you might find that you’ve never done a risk assessment and haven’t really paid attention to cybersecurity. If you don’t know what your risks are, then it’s better, in my opinion, to hire a virtual CISO to come in, because you want to get risk visibility. Risk visibility done right is going to enable you to make roadmap decisions, and those roadmap decisions and initiatives are going to be tied to resources. Once you have visibility of what that roadmap looks like, then you can pivot and ask the question: is it best to keep a virtual CISO in this position, or is there more of an ROI in hiring a traditional CISO? Maybe your short-term goals are getting that SOC 2 Type 2. Maybe they are satisfying some third-party vendor requirements. Maybe they’re going from no security program to a basic security program. Or maybe, and this is something I see a lot, IT has been assigned the responsibility of cybersecurity and doesn’t have the depth of expertise. That’s a great opportunity to have IT work with a virtual CISO, enabling that team to build those milestones into the IT program. So really think about the goals of the company at this phase, and again, they change. Those are some of the differences between a virtual CISO and a traditional CISO, and I hope that helps you.

I hope that helped you consider the differences between hiring a virtual CISO (vCISO) and a traditional CISO. If you’d like a free discovery call to explore the advantages further, I’ll try to be as unbiased as possible and help you. Schedule that using our ‘Schedule Call’ link: https://calendly.com/tony-165.
