More about the Virtual CISO (vCISO) Role

by Chris Bedel | Mar 19, 2016


What is a Virtual CISO (vCISO)?

Keeping your information security and cybersecurity programs up to snuff can be difficult for community banks.  Having the proper personnel to achieve that goal may be the greatest challenge, particularly in the CISO position.

Maintaining a full-time CISO on staff can be expensive, especially when most community banks only need 30-40 hours per month of this type of specialized work.

Handing the responsibility to other employees can have consequences too. The wearing of many hats means that the designated "ISO" just doesn't have the time or expertise to give information security the attention it deserves.

To address the issue of having an independent and qualified CISO, some community banks are turning to third-party relationships for help.

This is often referred to as a Virtual CISO (vCISO): the CISO being a strategic security leader and advisor, and virtual meaning that it's not a conventional in-house employee.

While a Virtual CISO is not for everyone, more and more community banks are finding it to be an affordable way to strengthen and enhance their Information Security Programs.


Who Should Consider vCISO Services?

  • You have a recent vacancy in your CISO/ISO position
  • You have a newly appointed CISO/ISO
  • Your current ISO lacks the time or expertise to take on the ever-changing demands of the position
  • Your Board of Directors is seeking a cybersecurity advisor
  • You need supplemental expertise to fill gaps in your information security program

What if you Don't Want to Outsource Such a Critical Role?

You don't have to outsource the decision making and acceptance of risk, and you really shouldn't as a long term solution.  What the vCISO role offers is outsourced guidance and advisory services at the proper level for your organization.

One solution that I've found to be a nice "middle ground" is to create an in-house information security committee.  Your vCISO would provide the necessary services to give that committee the proper support, and in turn, the committee is responsible for oversight and final decision-making.

What are the Various Levels of vCISO Services?

  • Full vCISO – Full-time outsourced responsibilities and duties (typically an interim position).
  • Supplemental CISO – Expertise as a resource to the in-house CISO or Information Security Committee.
  • CISO Coaching – Development and Training of a new CISO.
  • Custom – Custom scope to fill gaps and/or other needs.

What do Examiners Say?

While the ideal situation is that every bank would have an in-house full-time CISO, we all know that is not always an option.  Examiners understand the challenges that banks face when filling this role and know that banks are looking for help in unconventional areas.

What do examiners expect from banks who are considering the vCISO option?

  • Do a risk assessment
  • Keep Executive Management Involved
    • Keep responsibility and decision making in-house (Consider an Information Security Committee)
  • Do your Vendor Due Diligence
  • Have a contract - use this to help mitigate your risk
  • And as always, be able to explain the tradeoffs you considered in the decision-making process.

Won't it be Difficult to Transition Away from vCISO Services?

While I would love to work with you forever, I know that is not always the best for you, the client.  My services are designed with an educational base, and can be structured in a way that you and your staff become less dependent on the vCISO role as time goes on (if that's your ultimate goal).

If this is a concern for you and you'd like to eventually be self-sustaining in the CISO role, ask me about my "step down" approach to gently transition over the course of a multi-year engagement.

How do you Find out More?

Read through our whitepaper, 14 Things Banks Should Consider Before Hiring a Virtual CISO.


Set up an informal chat on the fit at your organization


We will discuss if the vCISO concept is right for you, and what your long-term goals are.  This service is not for everyone, but for those with this specific need, a vCISO can make a big impact on your information security program at an affordable cost.

And if, after careful consideration, you feel that the full vCISO concept just isn't for you, there are other projects we'd love to help with:
  • Risk Assessments
  • Business Continuity Planning
  • User Awareness Training
  • Policy Creation and Updates
  • Board Reporting
  • Incident Response
  • IT Committee and CIRT Membership
  • Log and IDS Report Reviews
  • Examination and Audit Remediation Consultation

For more info, please visit our  LinkedIn Page or you can email us at
