What do I need to know if I want to be a virtual CISO?


Director, Information Security Engineering and Operations in Manufacturing, 5,001 - 10,000 employees
Plenty on the topic online: https://www.reddit.com/r/cybersecurity/comments/m1y256/ama_series_ask_a_ciso_anything/
CIO in Software, 51 - 200 employees
Lots of literature on it. I was part of a team recently hiring a CISO. Key things we agreed to look for were a solid understanding of technology, know-how for plugging the common social engineering / DevOps / developer laxity gaps, a general understanding of DevSecOps and a general passion for keeping things secure. A few things we detested were managers in an architecture role, or worse, a misplaced sales guy.
CIO/CISO in Healthcare and Biotech, 11 - 50 employees
You should be able to structure your work product and schedule just like a consultant, as you will be handling multiple organizations' needs.
CIO in Education, 501 - 1,000 employees
A virtual CISO is very much operating in the same fashion as any consultant. They need to be extremely well organized and technical to be capable of bouncing between different organizations. Unlike a consultant, there is a lot riding on the decisions and oversight, so each client would need to be as top of mind as if it were your only customer.
CIO in Services (non-Government), 201 - 500 employees
It's very much a consultant-like position. You have to be extraordinarily organized, and make sure you know what resources are available to you at each of your vCISO clients (or just at whichever single client you are working for presently). You will need a broad range of tested and well-researched tools, such as for penetration testing, vulnerability scanning and whatever other areas you are selling your expertise in. You need to become an expert in each of those tools and be able to produce concise, actionable reports for your client, with tiered recommendations as to which actions need to be implemented first.

I suggest you look at the profiles of other vCISOs to see what their areas of expertise and specializations are, and try to connect with them, to have one-on-one conversations with them if possible. Network and learn.
CIO in Consumer Goods, 1,001 - 5,000 employees
You need to be clear on your responsibilities. Is the company you will work for just expecting to offload the risk/ownership of issues onto you as a virtual CISO? If so, the relationship is destined to fail. Part of what you need to know is being clear on who the stakeholders are.
CIO in Consumer Goods, 11 - 50 employees
Other than domain skills, what is important is a focus on solving problem statements and on strategy. vCISO roles are typically for a defined term, and planning the desired impact is important.
CISO in Healthcare and Biotech, 2 - 10 employees
A good strategic sense of direction, a base set of security requirements and the ability to make solid, informed decisions.
VP of IT/CTO/CISO in Healthcare and Biotech, 5,001 - 10,000 employees
Developing relationships with key organization leaders, earning respect from peers, the ability to lead a remote team, and the ability to communicate effectively to management and even the board at a level they will understand.
VP of Information Technology in Construction, 201 - 500 employees
You first need to define your responsibilities as a CISO so that you can have a focused approach to the job. You have to have the technical skills needed, but you will also need the ability to manage people and their expectations. You will need to be able to communicate to management and the rank and file.
