Does your organization use vCISOs or CISOs?




2.5k views, 2 Upvotes, 7 Comments

IT Director, Technology Services in Manufacturing, 501 - 1,000 employees
Director, Information Security Engineering and Operations in Manufacturing, 5,001 - 10,000 employees

I don't think that it was a yes/no question. Did you mean that your org has no CISO?

VP of Global IT and Cybersecurity in Manufacturing, 501 - 1,000 employees
Depends on the business and how it's set up; for most places the CISO reports directly to the CEO or board members. A vCISO is an outsourced security program which interacts with an internal liaison resource.
Assistant Director IT Auditor in Education, 10,001+ employees

Ideally, the CISO should report to the CEO, but in many organizations the CISO reports to the CIO. This reporting structure is flawed, because the CIO may control the CISO's budget.

Senior Technology & Management Consultant in Retail, 10,001+ employees
No organization can claim that Security is not important to them. But the same argument holds good for other horizontal concerns such as performance, reliability, privacy, compliance etc. So do we have a separate role for taking care of each of them? Obviously not. All horizontal concerns are the joint responsibility of everyone in the organization and hence a virtual role is mostly preferable. I have seen organizations where the CISO has a parallel ops team, engineering team and testing team. In short he/she runs a parallel organization that is not so closely connected with engineering. I don't think that is desirable.

Having said that, there are organizations where compliance, security et al. constitute a full-time job. In these organizations it is good to have a full-time CISO who also may have other responsibilities such as compliance, regulation, privacy etc. This person may have a band of experts. But it is important that this person is also supplemented by a virtual team of engineers who are schooled in security, privacy etc. Otherwise, they tend to get more "academic" or, even worse, become policy cops. No one wants that!
Assistant Director IT Auditor in Education, 10,001+ employees
When someone is held accountable, you tend to get better results or service. The vCISO does work for some organizations based on the type of business they do.
VP of IT in Software, 1,001 - 5,000 employees
The challenge with vCISOs or what I equate to CISO-as-a-service is the lack of accountability. It is still a consultancy service by and large.
