Exterro's E-Discovery & Privacy Breakdown

The Role & Considerations of Hiring a vCISO

Created on July 13, 2021

Marketing Manager, Exterro

Let’s face it: Every company, no matter how large or small, needs a leader to navigate it across this new and treacherous information security landscape, especially since COVID-19 is still going on. When one thinks of this role, the image of the Chief Information Security Officer, also known as the “CISO,” very often comes to mind. But today, hiring one directly into a full-time role is sometimes out of the question.

For example, consider some of these statistics:

  • The average salary of a CISO in Corporate America is $185,000. However, this does not include bonuses, stock options, benefits and 401K matching plans. Add all of this together, and the total cost could even exceed 7 digits.
  • The burnout rate of CISOs is very high:
      • 91% of CISOs suffer from very large amounts of stress;
      • Almost 90% work well over 40 hours per week;
      • 26.5% of them claim that their job impacts both their mental and physical health;
      • The average tenure of a CISO is just a short 26 months.[1, 2]

Is there an alternative to this? Some organizations are looking into what is known as a “virtual Chief Information Security Officer,” or a “vCISO” for short.

What Are the Benefits of a vCISO?

There can be many benefits to hiring a vCISO. Here are some of them:

They can be more affordable for some businesses:

When you hire a vCISO, you very often do so on a contractual basis, for a fixed time period. Depending upon what you need them to do and your security requirements, typical costs are just a few thousand dollars versus the hundreds of thousands that you will spend in trying to recruit the right CISO and onboard them, which can take anywhere from six months to even an entire year. The money saved here when hiring a vCISO can be spent toward other, much-needed areas in your company such as marketing and research/development.

They can be highly scalable:

You bring a vCISO into your company on contract for just as long as you need them. Once this time period has been met, you can end the contract, and if you need them again, you can simply ask them to come back on a new contract. With this in mind, you do not have to worry about the burnout rate or the time and expense that it would take to bring on a new CISO.

You can get a wide breadth of experience:

Since vCISOs have engagements and opportunities with other companies, their depth of experience could exceed that of the typical CISO. Because of this, they can offer you brand-new ways to combat the threat variants that you might be facing, as well as different approaches you can take to further strengthen your lines of defense. Also, the vCISO might have more contacts they can reach out to in order to further expand the breadth of expertise they can offer you. With a CISO, you can only rely on their level of expertise, which could be limited in some key areas of Cybersecurity.

You can get staff augmentation quickly:

Let’s face it, the IT Security team of today is totally overburdened and overtaxed, especially in today’s COVID-19 environment. There are two primary reasons for this:

  • The severe shortage of Cybersecurity workers;
  • The overwhelming number of warnings and alarms that your team has to triage on a daily basis, leading to a psychological phenomenon known as “Alert Fatigue.”

When you hire a vCISO, they can bring their own team along and in just a few hours, supplement your IT Security team. For instance, they can take over monitoring the warnings and alerts that come through, which will allow your staff to work on the more pressing issues at hand that may have been neglected. Also, the vCISO can introduce and train your team in the automation technologies that they can use, such as artificial intelligence (AI) and machine learning (ML).

You can get an unbiased approach:

One of the best advantages that a vCISO can offer you is that they will be completely removed from any company politics or fixed views that could exist in your work environment. Because of this, they can offer you unbiased and honest solutions that you may not be able to find elsewhere. If the person has deep levels of experience, the vCISO and their team can be up and running within just a couple of hours, examining the unknown gaps and vulnerabilities that may lie in your IT infrastructure.

They can offer guidance and expertise in many other areas:

Cybersecurity involves a lot more than simply reacting to and putting out the looming threat variants. For example, there are hot-button issues like creating, implementing and rehearsing Incident Response (IR), Disaster Recovery (DR) and Business Continuity (BC) plans. A vCISO can also help bring your company into compliance with the statutes of both the GDPR and the CCPA.

This article has examined some of the strategic benefits of hiring a vCISO versus a direct-hire CISO. Keep in mind that there are many vCISOs and CISOs out there, and you should take your time to find the right one that will meet your needs and provide the best solutions possible.