
‘vCISO’: what does it actually mean? Or is it just a buzzword?

Written by Andy Lock | Oct 22, 2019 12:48:48 PM

Savanti sees a Virtual Chief Information Security Officer (vCISO) as an outsourced person who performs the role of a CISO for clients on a part-time basis, typically for discrete activities, via a combination of remote and on-site work.

A vCISO provides leadership and guidance through the security process. The role is entirely flexible in order to meet the specific needs of the client, and it also needs to evolve with the business need.

Savanti finds that many businesses struggle to understand how good they need to be when it comes to information security (InfoSec), and there really is no set formula.

Our customer Tomos Walters, CTO, from The Chemistry Group says: "We have successfully used a vCISO from the Savanti service for the past year with the requirement of a fixed number of days per month to fill the security expertise gap we currently have. For us, this has been a virtual position, but our vCISO is now very much part of our team and works both remotely and attends our head office on a regular basis, to work alongside our team."

There is always a start point that dictates where to pitch your approach to InfoSec. It might have been prompted by a customer who needs some assurance that you are taking InfoSec seriously. The start for you could be a light-touch InfoSec maturity assessment which highlights what you need in order to protect your organisation and how to start out on that journey. You might have already mastered the security foundations but still need to ensure compliance and continuously improve, or you may just need the all-important ‘top cover’ for when security incidents occur.

A good example of this process for Savanti was with The Chemistry Group. Tomos also says: “We find the role and service very flexible and responsive, where our vCISO is always on hand and contactable should we require urgent security assistance.”

Our engagement together started with an in-depth maturity assessment and the foundational improvement of InfoSec controls. After nearly 12 months of providing this service, the working relationship evolved into a highly effective collaborative approach to InfoSec management.

Tomos concludes: “The Savanti vCISO service has been a great and cost-effective service for us as we occupy that space between a small and medium-sized enterprise that does not require a full-time CISO. Our decision to go with a vCISO has been really effective and having someone onboard who is able to leverage the full Savanti team and expertise has been a massive benefit.”

As with Chemistry, a vCISO might work for you because you’re a small to medium-sized company that doesn’t need a full-time resource but does need some scheduled and flexible time to look after your day-to-day security requirements. Maybe you have a decent process in place and you just need someone to consult now and again and to front up stakeholder or governance meetings. Perhaps you’ve got a security/IT resource but need some strategy and/or leadership to complement that.

In conclusion, CISOs are highly sought after, to the point where the good ones are expensive and hard to come by. This is a challenge for more and more organisations, and perhaps this is why the vCISO comes into play and is currently so popular.