
Why some vCISOs are pushing for greater standards in their industry

“You can’t claim you’re a lawyer or a doctor unless you’ve passed a certain set of credentials. For a CISO, you can just say you’re a CISO,” one fractional CISO tells IT Brew.


Virtual CISOs (vCISOs) are like a box of chocolates: You never know what you’re gonna get.

That’s at least the opinion among some practicing vCISOs in the industry who feel there is a lack of shared standards or formal accreditations for professionals taking on the title.

vCISOs, consultants who provide security guidance to companies on a part-time or contractual basis, can be a cost-effective option for organizations of all sizes. While these professionals often play a key role for the organizations they serve, SecurityStudio Academy Executive Director Dave Tuckman told IT Brew that there isn’t much of a “vetting process or standardization” of skills associated with the role. SecurityStudio is FRSecure’s sister company.

“If you go and ask 10 people, ‘What is the definition of vCISO?’ you’ll probably get 11 answers,” Tuckman said. “There just isn’t a common understanding, which leads to variances in perception and understanding.”

CEO and founder of Fractional CISO Rob Black added that largely anyone can brand themselves as the outsourced security professional, which has resulted in some of the negative perceptions around the quality of services they can provide.

“You can’t claim you’re a lawyer or a doctor unless you’ve passed a certain set of credentials,” Black said. “For a CISO, you can just say you’re a CISO.”

CvCISO. Some organizations are attempting to crack the ongoing standards problem in the vCISO community. SecurityStudio’s Certified Virtual Chief Information Security Officer (CvCISO) program, for example, aims to create an “industry standard for vCISO quality and qualifications.” Participants in the program, which went to market in 2023, are able to obtain certifications as they advance through the online program.

Tuckman told IT Brew that about 300 students have gone through the program to date, and that it takes roughly 10 weeks to complete. Participants range from high school students to existing professionals looking to improve their skills.


“It’s our goal that this becomes the standard [to] which vCISOs adhere to,” Tuckman said.

Greg Schaffer, principal of cybersecurity consulting and advisory firm vCISO Services, added that a few grassroots movements within the vCISO industry are also homing in on solutions to the standards crisis, including the vCISO Catalyst, a community of vCISOs, CISOs, and other seasoned professionals looking to “improve the profession.”

“We’re trying to figure out ways to better educate…the business consumer base about the differences because of the way that the field has just become so diluted the last few years,” he said.

To each their own. Some professionals have begun to reap the benefits of the industry’s budding movement toward formalizing the vCISO role. Schaffer said he enrolled in SecurityStudio’s CvCISO course for free after having a few concerns about the legitimacy of the course. Today, he is a full supporter of the training and looks out for applicants with the CvCISO credential.

“For my firm, the CvCISO is, at the very least, highly desired as far as who we look for in our staff,” Schaffer said. “If they have prior experience as a CISO, that’s another story. But if they’re a CvCISO [graduate], that’s again very sought after for us.”

Others have different standards. Michael Nouguier, CISO and partner of cybersecurity services at Richey May, said certifications wouldn’t be a deciding factor for him when selecting a vCISO. Instead, Nouguier would seek providers with the “war scars” that come with being a seasoned professional.

“What we see is expertise and experience more so are what make a CISO, a CISO…It would be really hard for me to want to bring somebody on as a virtual CISO because they had a credential,” he said.
