
5 ways to check if you need a VirtualCISO™ in your business
The SRM Blog



Written by Julia Wailes-Fairbairn

29th November 2019



Chief Information Security Officers (CISOs) are hard to find and even harder to keep. The global shortage of experienced CISOs means that few can operate at the highest level, and those who can are expensive to employ and difficult to retain. Few organisations have the in-house expertise at board level to fulfil the CISO function adequately. Yet, in today's world, threats to information security cannot be ignored. They are ever present and continually evolving, which makes the CISO function one of the most vital roles within any organisation.

If this dilemma sounds familiar, you may well be wondering how you can meet your information security responsibilities without breaking the bank. There is a solution that not only provides CISO capability but also delivers a number of additional benefits, which make it a better option for many businesses.

Here at SRM we have championed the role of the VirtualCISO™, which enables businesses to embed one of our senior information security consultants in their organisation to fulfil the requirements of a CISO in a flexible and cost-effective manner.

Depending on the size of your business, you may need a VirtualCISO™ for as little as a day a month. Because you are drawing on the expertise of an SRM consultant, you can tailor both the time committed and the role itself to your specific needs.

So, how do you know if a VirtualCISO™ (sometimes known as a vCISO) is the best option for your business?


1. You need to keep tight control of costs or you don’t need a full-time CISO

One of the major advantages of a VirtualCISO™ is that, although you have access to the highest standard of service, it costs on average between 30% and 40% of the cost of a full-time CISO. You can also use the service as much or as little as you require, which is particularly beneficial if, because of your company's size, you do not need a full-time CISO. And as the business matures, you can quickly and efficiently scale that resource up or down, depending on your changing requirements.


2. Your business is evolving or growing rapidly

Fast-growing businesses do not always have time to focus on the evolving requirements of their information security strategy. Their attention is understandably elsewhere. They may not have anyone in-house with the required level of expertise, or they may not yet have appointed a CISO.

Yet there is never a more important time for the CISO function. Just consider the challenges of security architecture development, mobile and remote device management, and network security and firewall management. Then add disaster recovery planning, crisis response and remediation, and application and database security. The list does not end there. To ensure that nothing falls through the gaps, you need an overarching approach that covers every element of data management and security.

Having access to top-class professionals through a VirtualCISO™ service helps ensure that all the bases are covered, improving system security and your ability to recover quickly in the event of a breach.


3. You want the very best but can’t find the expertise in the market place

When it comes to top-level CISOs it is a seller's market. This is not surprising given that, on average, the CISO role requires 7 to 10 years of progressive IT security experience combined with highly effective communication and management skills. Those with the required level of technical expertise, board-level influence and the ability to manage complex IT architecture are not only able to command extremely competitive salaries but can pick and choose where they go.

The obvious advantage of a VirtualCISO™ is that it gives you access to some of the most experienced and knowledgeable information security consultants in the business. Not only can they fill your CISO role from a standing start, but with a designated individual as your main point of contact, the service is far from impersonal. What's more, an SRM VirtualCISO™ holds the highest level of industry qualifications together with experience of the CISO role across a range of sectors and business sizes.

This external experience adds value because the consultant's expertise is continually updated in response to the ever-evolving threat landscape.


4. You want to avoid recruitment headaches

Recruiting staff is always a challenge. No matter how well you interview and assess an individual, it is always a leap of faith when you finally take someone on board. This is particularly true in a field such as information security, where your board members may not have the expertise to ask the right questions or to understand the subtle differences between CVs.

There are also significant costs associated with hiring an experienced professional, particularly if you decide to work with a recruiter. Add to this the fact that the average tenure of a CISO is between two and four years, and an organisation can quickly find itself facing a recurring recruitment challenge.

With a VirtualCISO™ service you save on recruitment costs and downtime. You also benefit from continuity of service from a highly experienced team.


5. Your in-house CISO wants to bring in additional resource with genuine experience

A VirtualCISO™ service does not always have to replace the in-house CISO role. Where someone within the business already has responsibility for information security, we can provide the VirtualCISO™ service as an additional resource to support a CISO with wide-ranging responsibilities in a large and complex organisation.

Our consultants are well placed to provide strategic input and to assist with CISO duties, whether managing projects, reporting to the board or monitoring how the budget is deployed. This is similar to the way in which finance directors are supported by accountancy firms, and it is particularly relevant where test and exercise programmes and business continuity planning are concerned.


Not sure that your organisation has its growing information security responsibilities in hand? Let's start with a call so we can help you assess your needs: 03450 21 21 51. Or drop us an email.
