When you were asked in the second grade what you wanted to be when you grew up, I doubt you said “Virtual CISO.” The concept of a Virtual CISO probably didn’t exist back then!
Having worked with so many vCISOs and having been one myself, I can say that most of them didn’t plan on becoming one. Instead, they found that it was a role that made sense to them over time.
Now, I don’t know where you are on your journey. But if you’re considering pursuing this role, I hope you find this article valuable. I say that not just because of my experience but because I know how other Virtual CISOs eventually fell into their roles.
The truth is everybody’s path is unique. In this article, I’ll share a little about mine, along with a few things I happen to know about requirements, pathways, and what I think makes a great vCISO.
What Is a Virtual CISO?
A Virtual Chief Information Security Officer (vCISO) is a cybersecurity leadership role operating on a remote, contract basis that focuses on strategy, compliance, and developing (and implementing) critical security procedures. Virtual CISO responsibilities include creating and implementing security programs, conducting security assessments, ensuring compliance, managing risks, overseeing incident response, and developing training programs.
This is different from a traditional CISO role, which is full-time and in-house, working for one company. A virtual CISO fulfills the same responsibilities as a traditional CISO but on a remote, contract basis.
Why become a vCISO? Well, I believe that every mid-sized company will have a full-time CISO or a vCISO in the next five to ten years. Virtual CISOs are a more flexible, affordable option without compromising expertise and experience. Unlike traditional CISOs, vCISOs enjoy more freedom to choose whom they work with, and the role pays well if you’re good at juggling multiple clients.
Do You Need To Go To College To Become a Virtual CISO?
Most entry-level cybersecurity jobs will want you to have a degree, though it doesn’t necessarily have to be in “Cybersecurity.” The positions along the career path to a virtual CISO role are much more concerned with intelligence and experience. A non-cybersecurity degree with a “cybersecurity bootcamp” or entry-level certification will often be enough to get your foot in the door.
That said, I know some incredible CISOs and vCISOs who did not attend college. Now, I’m not suggesting you drop out of college if you’re already pursuing a degree. In 20 years, it’s likely that every CISO will have a Master’s in Cybersecurity or similar. But you should know that hands-on experience and certifications provide much more value right now than a degree alone.
When pursuing a college degree, it’s important to use the time to start building connections to get into internship roles that will prepare you for your future cybersecurity career. As far as what kind of position to start from, it can be anything relating to security, compliance, GRC, or IT. Personally, I learned a lot from product management, which is where it started for me. The most important thing is that you’re interested in security and willing to learn.
In my experience (and the vCISOs in my network would agree), it’s less significant where you start. So, let’s shift the discussion to what’s really important to potential clients so we can talk more about where you need to go.
What Do Clients Look for In a vCISO?
Clients are primarily looking for experience and capabilities in a vCISO. They need to trust your abilities to solve their specific security and compliance challenges. They will want to know that you’ve helped other businesses – preferably similar to their own – improve their security posture and achieve their desired compliance goals, like SOC 2.
Referrals are REALLY important, especially to start, as a vCISO. If you don’t come referred to the prospective client, you will likely be asked for references in the sales process. Case studies and testimonials can also help prove your capabilities. One thing that makes virtual CISOs valuable is that they have experience working with clients in different industries. This means they have insights and expertise in dealing with a wide range of security challenges.
The second most important thing is certifications, most notably a Certified Information Systems Security Professional (CISSP) from ISC(2). This is one crucial certification I recommend that you either have or are in the process of pursuing as a Virtual CISO.
A CISSP validates that you understand specific security knowledge and acts as a credibility booster in seeking clients. ISACA has some similar certifications that might also be relevant, including the Certified Information Security Manager (CISM).
Okay, so you understand the importance of experience and certifications. But what does running a vCISO business look like?
What Are the Different Types of vCISOs You Can Become?
The natural progression for a vCISO is to start as a freelancer (or part-time), grow into a small firm, and then scale to a large firm (or join one).
Freelance vCISO
As a freelancer or part-time vCISO, you can take on one or two clients to get started. If you’re doing this part-time, this is a great way to get experience and test the waters while still holding on to your primary employment.
Or you could do what I did and quit your full-time job without any clients lined up! While I wouldn’t necessarily recommend it for anybody else, I don’t regret it. I will say it was nerve-racking in the beginning trying to land my first clients. But after putting in the work (from my home office), sending out lots of emails, and meeting a lot of people for coffee, I landed my first two clients back to back in just three weeks!
The most important thing you can do in your early stages is to provide a ton of value and tremendous customer service. If your first few projects go well, make sure to get positive testimonials and write case studies, if you can, to use as future sales tools. Plus, happy clients can refer you to people in their network, but only if you do a stellar job.
Some vCISOs prefer to remain freelancers indefinitely. So, if you find you’re comfortable with this business model, you can stay at this stage. Just keep in mind that you’ll have to manage everything business-related (including administrative work, finances, etc.) as well as fulfilling your role as a vCISO.
Small Business Owner vCISO
Other vCISOs tend to want to grow beyond their freelance role into a small firm. In this arrangement, you’ll be able to take on more clients as you make intelligent hires to support you as a vCISO.
A quick tip here is an expression that a former colleague, Ken Wilkins, shared with me – “Hire hard, manage easy.” In other words, create a strong interview process with advanced planning and thought that gets you the best candidates. Hire right, and the managing part becomes easy.
I actually didn’t make my first hire until I had been running my firm for about a year. It was getting tough to handle all of the project work, and I knew it was time to hire, but I wanted to make sure I hired only the best. Thankfully, I found a great candidate from a prominent computer science grad school. She’s since added tremendous value both to us and to our clients.
Employee/Contractor at vCISO Firm
Or you might leverage your existing experience to join a larger firm as an employed or contracted vCISO. Cybersecurity consulting firms and managed service providers often employ vCISOs like this. To touch on that, let’s look at two different examples of vCISOs who joined our company, both with very different backgrounds.
RJ Russell, one of our Principal vCISOs, worked in Fintech, which he saw as a technologically conservative career bubble he knew he didn’t want to stagnate in. He saw an opportunity in cybersecurity to help clients create meaningful cybersecurity programs. He was able to make the transition into a rewarding vCISO role thanks to his experience as a technical manager who led SaaS operations, engineering, and cybersecurity teams.
Dan Bjorklund, another Principal vCISO of ours, served in the US Army for 20+ years and helped Department of Defense contractors and SMBs manage their security programs. He actually founded his own firm back in 2015 but eventually decided to join us. He is not the first owner of a firm to decide to join a different company in order to focus on just being a vCISO.
What Makes a Great Virtual CISO?
Given everything I’ve learned over the years and all the relationships I’ve built with clients, security professionals, and fellow vCISOs, there are three things I prescribe for being a great vCISO.
I don’t think I see these things touched on as often since people tend to focus on CISO-centric tasks. If you are good at these three things, they’ll make you stand out as an exceptional vCISO, and they are:
Have lots of coffee
Get good at writing
Learn public speaking
Have Lots of Coffee
When I say have lots of coffee, I mean build your social skills. The idea here is to drink coffee with other people. In other words, have regular social coffee meetups to establish and build relationships. To earn referrals, you need good relationships with people who know decision-makers who need vCISOs. Start this habit early on, and you’ll see just how powerful this practice can be over time.
Get Good at Writing
Good writing skills are crucial for vCISOs. If you want to be a leader, there’s nothing more important than being able to communicate effectively. How you write is one way of determining how effective you are at communication.
You should learn how to communicate complicated ideas simply and concisely. Plus, good writing is helpful for building your brand and creating resources that add value to your clients. Not to mention all the detailed reports you’ll have to fill out regarding security programs.
Learn Public Speaking
Developing the skill of public speaking is a huge asset as a leader. It’s not just about getting good at speaking in front of people. Learning public speaking also helps to build confidence, teaches you to remain calm in potentially stressful situations (not that you’ll have any of those), and helps you present things like security initiatives or strategies compellingly.
As a vCISO, you’ll likely conduct regular meetings with your clients, present important initiatives to board members, and run training or workshops. It’s essential that you carry yourself well and present with confidence so that your team, your clients, the board, etc., see you as a leader who knows what they’re doing and adds value every step of the way.
A Few More Recommendations
Read a lot of books. Even if you get one idea out of a book, that makes it worth reading in my… book. Take notes on what you find and do your best to apply what you learn to your work. If you don’t have time to sit down, take advantage of audiobooks. There’s always more you can learn and, I’m not sure why, but the most successful people in the world read lots of books. And so should you.
Finally, I recommend that you participate in cybersecurity conferences as you’re able. These are great places to expand your network, keep up with the latest trends, and gain insights that you might have otherwise missed out on.
Conclusion
There you have it. That’s my take on becoming a vCISO. It’s pretty straightforward – as long as you have the right experience and certifications, you too can become a vCISO, no matter your background. The world certainly needs more of them, and I think we’re living in a time when businesses are truly beginning to appreciate the value of good vCISOs.
Wherever you are, I wish you the best in your journey. And I look forward to the day that you can enjoy just how rewarding it is to be a vCISO. Please feel free to reach out to us if you have any questions along the way!