Businesses are looking for skilled professionals who can provide the services of a virtual chief information officer (vCIO) or, to address cybersecurity specifically, a virtual chief information security officer (vCISO).
Building a strategy and effectively managing IT is growing increasingly complicated for businesses. For business leadership whose core competency may be, for example, retail, manufacturing, healthcare, education or government administration, the fact that every company is now a tech company can be a challenging reality. As companies advance their digital transformations, they need someone in the C-suite who can make sure that their tech investments align with business goals. Furthermore, as they expand their networks and deploy more cloud solutions, they need someone to ensure they aren’t creating new risks and vulnerabilities that could result in cyberattacks and data breaches.
Taking the role of a vCIO or vCISO is different from providing managed services. The biggest contrast is that your priority as a virtual member of the C-suite isn’t selling solutions. Instead, for a monthly or quarterly fee, you assess needs from the client’s perspective and consult with their team to create an IT strategy, a workable budget, and a timeline for solution implementation. In some cases, the client prefers to work with a different company for managed services to ensure that the vCIO’s decisions aren’t influenced by the vCIO’s own interests.
The Higher Demand for vCISO
There are several reasons that vCISO services, rather than more generalized vCIO services, may open more doors and result in more growth for your company:
Good help is hard to find: Research for the fourth annual Life and Times of Cybersecurity Professionals 2021 report from Enterprise Strategy Group (ESG), in cooperation with the Information Systems Security Association International (ISSA), found that the cybersecurity skills shortage has impacted 57 percent of organizations. Businesses are feeling the impact through increased workloads (62 percent), unfilled job openings (38 percent), and staff burnout (38 percent). Additionally, 95 percent say the cybersecurity skills shortage hasn’t improved over the past few years and 44 percent say it’s gotten worse. With fewer skilled people available to fill CISO positions at businesses and enterprises, a vCISO becomes a good option.
Good help comes at a cost: The shortage of skilled professionals in cybersecurity has driven average salaries up. Some businesses may not be able to afford an in-house CISO, even if they have a CIO.
Cybersecurity takes time: An in-house CIO may be the leader requesting vCISO services. The changing nature of the threat and regulatory landscapes may be more than the CIO can address along with his or her other duties. A vCISO can focus on security alone, devoting full attention to technology that identifies threats and stops them.
Greater effectiveness: Businesses without cybersecurity expertise may take ineffective approaches. Some may deploy cybersecurity solutions without a strategy and hope for the best, or throw money at solutions they don’t understand. Either way, their investments may not adequately protect their businesses, and they may still face fines for noncompliance or data breaches. A vCISO will develop the most effective strategy for the business, one that provides the maximum level of security possible.
Additionally, research for the ESG-ISSA report states, “The cybersecurity training paradox continues and needs attention. For the fifth straight year, the research reveals a cybersecurity training gap.” According to the report, 59 percent of cybersecurity professionals agree that they need skills development, but their other job responsibilities often get in the way.
The current state of the profession may create opportunities for skilled vCISOs who have the determination, focus and leadership abilities to provide real value to their clients.
Your Work Is Just Beginning
If you decide that specializing as a vCISO would be beneficial to your business, the ESG-ISSA report includes some valuable facts and advice:
- Experience is vital: Cybersecurity competency is tied to hands-on experience. The report adds that certifications should be used to supplement and not replace more practical ways to learn cybersecurity skills.
- Expect recruiting to be a challenge: More than three-quarters of survey respondents say it is extremely or somewhat difficult to recruit and hire security professionals. If you are looking for talent to build your team, ensure you clearly communicate the skills you are looking for and offer competitive compensation.
MSPs who have provided security solutions to their clients and have taken advantage of vendor and industry education opportunities may have a head start on the timeline. Your track record as a trusted advisor may also have paved the way for you to become a vCISO. Building an offering that leverages your expertise and leadership could be the next milestone in your business’s growth and success.