Jeffrey Wheatman, VP Advisor, Gartner.
CISO News

Why small and midsize organisations need to hire a virtual CISO

Hiring a Chief Information Security Officer, CISO, may not be in the budget for small or midsize organisations as their total cash compensation can range between from $208,000 to $337,000. However, at the same time, these organisations recognise the growing importance of being more strategic and the necessity of having a leader responsible for programme creation and guidance.

“Virtual CISOs can provide vision and guidance to drive a more programmatic approach.”

The good news for such organisations is that Gartner has seen an uptick in what we are calling virtual CISO offerings. For organisations that need to fill the need for leadership but are not in a position to bring in a full-time and often very costly qualified CISO, the virtual CISO, a combination of staff augmentation, consultant, advisor and strategist, might be an option. Virtual CISO offerings are a hybrid of:

#1 Traditional staff augmentation involving an on-site or virtual presence in meetings, events, operations, and strategy planning.

#2 Consultative engagement and management to drive creation and implementation of security and risk programme artifacts, such as strategic and tactical roadmaps, architecture, and policy, and to run risk management and risk assessment processes.

#3 Project management of architecting and deploying security and risk solutions.

#4 Coaching or advisory services to train full-time staff on how to leverage created artifacts, develop communicating plans and train the next generation of security and risk leaders.

That is not to say there are not organisations that seek to defend their lack of a leader with some short-sighted rationalisations. It is useful to look at the most common rationalisations to help show the reasons why smaller enterprises should seriously consider bringing in a virtual CISO role.

Jeffrey Wheatman, VP Advisor, Gartner.
Jeffrey Wheatman, VP Advisor, Gartner.

The first one is that we are not regulated, so we do not need a CISO. Not being regulated may not obligate an organisation to staff a CISO position; however, that does not mean it does not have risks to manage as part of achieving its business goals. Having a programme leader, and the associated governance and strategic vision, also provides defensibility.

“Having a programme leader, and the associated governance and strategic vision, also provides defensibility.”

Maybe, but you are not an island either. The dramatic increase in broad ransomware attacks such as WannaCry and Petya – NotPetya mean that nobody is immune from attack. Also, the increasing connectedness of digital business ecosystems expands and extends enterprise risks, so while your organisation may not be a target, your partners may be.

The second is we do not have anything anybody would want. This outlook may be accurate if you have no customers, no employees, no intellectual property, no business processes, and no shareholders or stakeholders but that would also mean that you do not have a business.

“For organisations that need to fill the need for leadership but are not in a position to bring in a full-time CISO, the virtual CISO might be an option.”

The third common rationalisation is we cannot afford to hire a CISO, so we will put the engineer in charge of security. This is at best a band-aid fix. In theory, this tactical approach might work in the short term, but as a long-term approach, there will be an overemphasis on tools and tactics and not enough on people and process.

In practice, you need a dedicated, focused role to guide the programme and ensure, over time, a shift to a more strategic approach that can be communicated to business leadership with the appropriate level of business context.

Virtual CISOs can help by sitting outside the tactical day-to-day activities. From there, they can provide vision and guidance to drive a more programmatic approach, which clarifies the scope of the programme. This then begins the shift toward a more proactive approach to security and risk management.


Organisations which cannot afford a traditional CISO should consider virtual options in this post-pandemic world, writes Jeffrey Wheatman of Gartner.