Chapter 2: Who can be a vCISO?

Will Birchett
“There is no single path to becoming a vCISO”
William Birchett, President of Logo Systems

Necessary skills and qualifications

This course is based on the premise that you don’t necessarily need to hire a CISO to start offering basic vCISO services.

A vCISO needs a diverse skill set that combines technical expertise, business acumen, and strong communication abilities. Key skills and qualifications include:

Technical Expertise

 

  • Cybersecurity knowledge: Deep understanding of cybersecurity principles, including threat modeling, risk management, incident response, and compliance.
  • IT infrastructure: Proficiency in network security, cloud security, and various IT systems.
  • Security technologies: Familiarity with firewalls, intrusion detection/prevention systems, antivirus software, and encryption technologies.
Academy-Lesson-1-Image-4.6
Management
Strategic Thinking

Professional backgrounds suitable for vCISO roles

There is no single “correct” path to becoming a vCISO. Professionals from diverse backgrounds can successfully transition into this role. Some common pathways include:

  • Traditional CISOs
  • IT and cybersecurity professionals
  • Consultants and advisors
  • Risk and compliance experts
Traditional CISOs transitioning to a virtual role
LinkedIn Sales Solutions
IT Managers, Security Analysts, and Network Administrators often transition into vCISO roles after gaining significant experience in cybersecurity operations.
Developers collaborating
Cybersecurity consultants and advisors who have worked on multiple projects across different industries bring valuable insights and a broad perspective to the vCISO role.
Woman sitting at laptop
Professionals with a background in risk management, compliance, and auditing are well-suited for vCISO roles due to their focus on regulatory requirements and risk mitigation.
office-v3

Comparison between IT, vCISO, and traditional CISO roles

The roles of IT professionals and CISOs (or vCISOs) are fundamentally different, yet they are both crucial to the overall success and security of an organization. Understanding these differences in responsibilities, approaches, and mindsets is essential for effectively integrating cybersecurity with IT operations.

Cybersecurity maintains checks and balances. For every IT action, there is a corresponding cybersecurity action to ensure security standards are met. 

For example, IT deploys firewalls, performs backups, and monitors computer health, whereas cybersecurity tests, audits, and documents firewalls, plans for business continuity, and ensures authorized access. CISOs also understand how to audit, check, document, and test systems to ensure compliance with security standards.

Goals:

  • IT/MSP: Enable the business vision through technology, ensuring operational efficiency and technical support.
  • Security/MSSP: Protect business revenue by ensuring robust cybersecurity measures, managing risks, and maintaining regulatory compliance.

Understanding these distinctions helps clarify the complementary roles of IT professionals and CISOs, ensuring both technology and security work together to support and protect the organization’s objectives.

ITvCISOCISO
ApproachHands-on tactical approach. Focusing on:

• Technology implementation
• Operational efficiency
• Heavy tool utilization
Advisory focused. Does not include tactical execution. Focusing on:

• Strategic risk management
• Holistic security
• Regulatory compliance
Advisory focused and hands-on tactical approach ingrained in tactical day to day operations. Focusing on:

• Strategic risk management
• Holistic security
• Regulatory compliance
RoleFull-time, salaried or part-time/contract-basedPart-time or contract-based consultant working with multiple clientsFull-time, salaried executive within an organization
GoalBusiness vision through technologyProtect business revenue, including new lines of businessProtect business revenue, including new lines of business
ScopeDay-to-day technical operations and supportStrategic cybersecurity
Encompasses the entire cybersecurity strategy, from development to execution and oversight
MindsetPrimarily technical, focusing on immediate technical solutions (tools).
Advisory: predominantly business-focused, with a strong understanding of cybersecurity risks and strategies.Advisory and hands-on: predominantly business-focused, with a strong understanding of cybersecurity risks and strategies
Expertise levelGeneral IT knowledgeRange in knowledge sets: IT knowledge with security/compliance experience to senior security professionalCISO: Advanced cybersecurity and leadership skills
Cost to clientsRegular salaried employee or contractor ($20-100/hour)More cost-effective; paid based on hours worked or on a retainer basis ($100-500/hour)Higher cost due to full-time salary and benefits ($100,000-350,000/year)
Who is it for?Every organization• Small to mid-sized organizations seeking strategic security guidance
• Companies needing flexible, on-demand expertise
• Organizations looking to enhance their security posture without committing to a full-time salary
• Large organizations with complex and extensive security needs
• Companies in highly regulated industries
• Businesses with the budget to support a full-time executive role
Responsibilities• Network management
• Server management
• Hardware & system maintenance
• Data backup and recovery
• Technical support
• Software updates
• Communicating with company staff
• Proactive monitoring
Advising on:

Risk management: Tracking, monitoring and advising on risk
Compliance: Ensure systems meet regulatory and compliance requirements
Security strategy: Develop and implement cybersecurity strategies aligned with business goals
Incident response: Lead the response to security breaches and incidents
Security audits: Audit, check, document, and test systems to ensure they meet security standards
Access control: Ensure that only authorized personnel can access sensitive systems and data
Regular communication: With all stakeholders including company executives and board members
All of vCISO responsibilities as well as:

Executing/overseeing entire security program
Managing security teams  

AdvantagesBusiness running smoothlyCost efficiency: Offers high-level expertise without the financial burden of a full-time salary.

Flexibility: Services can be scaled up or down based on organizational needs.

Quick deployment: Can be brought on board rapidly to address urgent security needs or gaps (regular CISO won’t provide real value for 90 days) – much quicker engagement
Deep integration: Embedded within the organization, leading the security team and initiatives.

Continuous oversight: Provides ongoing, day-to-day management and strategic direction.

Resource availability: Dedicated resource for addressing immediate and long-term security challenges.
Regulatory complianceMinimal compliance – often focus too much on technical details and miss the main goal of compliance Understand and advise on specific compliance needs and requirementsOversee overall regulatory compliance
Decision makingOperational decisionsAdvisory and no decision-making authorityDecision-making authority 
Communication with executivesRarely interacts with executives, primarily communicates with company staff. 

*With exception of CIO who does communicate with executives
Regularly briefs and updates company executives and the board – at least monthly.Continuous and direct communication with executive leadership.

IT Staff overview

The roles and responsibilities of an IT professional or Managed Service Provider (MSP) primarily involve maintaining and managing an organization’s IT infrastructure to ensure smooth and efficient operations. 

This includes setting up, managing, and troubleshooting network systems, servers, and hardware, as well as installing and updating software applications. IT professionals are responsible for data backup and recovery, ensuring data integrity and availability, and implementing security measures to protect against cyber threats. They also provide technical support to end-users, addressing issues related to hardware, software, and connectivity. 

Additionally, MSPs offer proactive monitoring and maintenance services to prevent potential IT problems, optimize system performance, and reduce downtime, ensuring that the organization’s technology infrastructure supports its business objectives effectively.

Key responsibilities of IT professionals

Click the magnify icons to learn more about each term.
Key-responsibilities

Network Management:

  • Setting up, configuring, and maintaining network systems.
  • Monitoring network performance and troubleshooting connectivity issues.

Server Management:

  • Installing, configuring, and maintaining servers.
  • Managing server performance and ensuring uptime.

Hardware Maintenance:

  • Setting up and maintaining computer hardware and peripherals.
  • Diagnosing and repairing hardware issues.

Software Management:

  • Installing and updating software applications.
  • Managing software licenses and ensuring compliance.

Data Backup and Recovery:

  • Implementing data backup solutions.
  • Performing data recovery operations to ensure data integrity and availability.

Cybersecurity:

  • Implementing security measures to protect against cyber threats.
  • Monitoring for security breaches and responding to incidents.

Technical Support:

  • Providing technical support to end-users.
  • Addressing hardware, software, and connectivity issues.

Proactive Monitoring:

  • Continuously monitoring IT systems to prevent potential problems.
  • Optimizing system performance and reducing downtime.

System Administration:

  • Managing user accounts and access controls.
  • Ensuring system updates and patches are applied regularly.

Vendor Management:

  • Coordinating with vendors for hardware and software procurement.
  • Managing relationships with external service providers.

Documentation:

  • Maintaining accurate documentation of IT systems and procedures.
  • Creating user manuals and training materials.

IT Strategy:

  • Aligning IT infrastructure with business objectives.
  • Planning and implementing IT projects to support organizational goals.

vCISO: Overview

A vCISO (virtual Chief Information Security Officer) provides outsourced, flexible security leadership to organizations that may not have the resources for a full-time CISO. vCISOs assess risks, develop security strategies, ensure compliance, and oversee incident response on a part-time or contract basis. 

Unlike a CISO, who is a permanent and integral part of an organization’s executive team, a vCISO offers their expertise as needed, providing tailored security solutions without the overhead costs of a full-time executive. This allows smaller organizations to access high-level security guidance affordably and efficiently.

The key differences between a vCISO and a CISO typically include:

Note: This is completely dependent on how vCISOs choose and develop their services. 

  • Scope: A vCISO works fewer hours and provides services to multiple clients while a a CISO is a full-time employee of one client.
  • Function: A vCISO typically provides advisory services, while a CISO is responsible for both planning and executing security strategies. However, some vCISOs may choose to also execute. 
  • Management: A vCISO typically collaborates with an MSP or the company’s internal tech and security teams, whereas a CISO manages their own dedicated in-house team.
  • Volume and complexity: vCISOs generally handle the same tasks and compliance requirements as CISOs, but they manage a smaller volume of systems and face less complexity.

Key responsibilities include:

  • Risk management: Tracking, monitoring and advising on risk. 
  • Compliance: Ensure systems meet regulatory and compliance requirements.
  • Security strategy: Develop and implement cybersecurity strategies aligned with business goals.
  • Incident response: Lead the response to security breaches and incidents.
  • Security audits: Audit, check, document, and test systems to ensure they meet security standards.
  • Policy creation: For example, ensuring that only authorized personnel can access sensitive systems and data.
  • Regular communication: With all stakeholders including company executives and board members.

Traditional CISO: Overview

A traditional Chief Information Security Officer (CISO) is a full-time executive responsible for overseeing and managing an organization’s information security program. Their primary focus is on safeguarding the company’s data, infrastructure, and assets from cyber threats. Key responsibilities include risk management, compliance with cybersecurity regulations, and the creation of security policies and procedures. 

CISOs oversee incident response efforts, ensuring that the organization can effectively handle security breaches. They also work closely with other executives to align security initiatives with business goals, balancing security needs with operational efficiency and business growth. The CISO’s role is integral to maintaining the organization’s overall security posture and ensuring resilience against evolving cyber threats.

While technology, like antivirus software, is part of this role, a CISO’s responsibilities extend beyond just cybersecurity. They encompass all aspects of information security, including printed documents, HR records, and physical security.

Key responsibilities include advising, overseeing and executing:

  • Risk management: Tracking, monitoring and advising on risk. 
  • Compliance: Ensure systems meet regulatory and compliance requirements.
  • Security strategy: Develop and implement cybersecurity strategies aligned with business goals.
  • Incident response: Lead the response to security breaches and incidents.
  • Security audits: Audit, check, document, and test systems to ensure they meet security standards.
  • Policy creation: For example, ensuring that only authorized personnel can access access sensitive systems and data.
  • Regular communication: With all stakeholders including company executives and board members
  • Manage security team: Lead and manage security teams effectively.
Chapter 2 Key Takeaways

  • IT vs CISO vs vCISO Role differentiation:
    • IT focuses on enabling business through technology and operational efficiency.
    • vCISOs provide part-time, strategic cybersecurity guidance.
    • Traditional CISOs offer full-time, comprehensive security leadership.
  • Approach and mindset:
    • IT is hands-on and tool-focused.
    • vCISOs are advisory, business-oriented, and risk-management focused.
    • Traditional CISOs combine advisory and hands-on approaches with a business and risk management focus.
  • Scope and responsibilities:
    • IT manages day-to-day technical operations and support.
    • vCISOs advise on risk management, compliance, and security strategy.
    • Traditional CISOs oversee the entire security program, from strategy to execution.
  • Cost and suitability:
    • IT professionals are regular salaried employees or contractors.
    • vCISOs offer cost-effective, flexible expertise for small to mid-sized organizations.
    • Traditional CISOs are higher-cost, full-time executives suited for large organizations or highly regulated industries.
  • Communication and decision-making:
    • IT rarely interacts with executives, focusing on staff communication.
    • vCISOs regularly brief executives but lack decision-making authority.
    • Traditional CISOs have continuous executive communication and decision-making power.