A CISO as a service (CISOaaS) is the outsourcing of CISO (chief information security officer) and information security leadership responsibilities to a third-party provider. By hiring a third-party provider to manage its security program remotely, an organization gains access to staff and resources that it doesn't have in-house, and can better keep up with information security and compliance demands.
CISOaaS is often paid for on a subscription or per-use basis, like many XaaS models. Also, like many XaaS models, CISOaaS offerings may be entirely remote, or may be a hybrid model in which the provider's experts work with an organization's existing security team.
Having robust security leadership is important in the modern organization, as digital transformation increases an organization's overall breadth of vulnerabilities. There is also an industrywide cybersecurity skills shortage, meaning that affordable skilled security leaders are hard to find, and often bounce from organization to organization. CISOaaS provides a potential solution to this problem by providing access to cost-efficient security leadership on an as-needed basis.
CISOaaS may also be referred to as a fractional CISO or virtual CISO (vCISO). Fractional CISO is also the name of a company that provides CISOaaS offerings.
The CISOaaS has mostly the same responsibilities as an in-house CISO. These include:
- protecting the confidentiality, integration and availability of data;
- long-term cybersecurity strategy development;
- GRC (Governance, Risk and Compliance) program development;
- risk assessment;
- risk management;
- security awareness and training;
- developing secure business and communication practices;
- reporting on security operations;
- monitoring security operations;
- defining metrics to measure program success;
- management of personnel and vendor relationships; and
- integration and management of other third-party security services.
Because CISOaaS providers serve multiple businesses, vCISOs have the additional responsibility of adapting to each customer business and serving them according to their unique needs. A CISOaaS team needs to have good people skills to provide a strong customer experience, learn the customer's needs, and serve them.
CISO-as-a-service job requirements and certifications
VCISOs have certain job requirements that closely mirror the requirements of a traditional CISO. VCISOs should have strong leadership skills and an in-depth understanding of information systems and security. They should also be able to effectively communicate their complex security and IT knowledge to colleagues across varying levels of technical understanding.
CISOaaS vendors will often display cybersecurity certifications and credentials that demonstrate their expertise in the field. They may also offer training programs for client staff to earn these certificates themselves. Some example certifications include:
- Certified Information Systems Security Professional (CISSP) certification;
- Certified Information Systems Auditor (CISA) certification;
- Certified Information Security Manager (CISM) certification;
- Certified in Risk and Information Systems Control (CRISC) certification; and
- Certified Chief Information Security Officer (CCISO) certification.
Benefits of employing a CISO as a service
There is a list of benefits for hiring a CISOaaS, including:
- Unbiased analysis. Using a third-party service allows the vCISO to evaluate the existing security program objectively without bias.
- Cost-effective. Pay-as-you=go pricing allows organizations to pay for only what they use. VCISOs are usually drastically cheaper than having a CISO in-house.
- On-demand service. Using a service provider allows for constant availability of security resources. As demands change, clients can alter their service.
- No capital expenditure. With the outsourcing of a vCISO, there is no in-house cost to the organization.
- Long- and short-term benefits. In addition to the immediate security improvements vCISOs create for a company, they also help lay the groundwork for a sound long-term in-house security program through training and improvement of core processes and infrastructure.
- Experience. It's likely that the individual or team employed as a vCISO will have had a diverse set of experiences working with multiple organizations.
Determining if you need a CISO as a service
Any organization without a CISO in-house could consider CISOaaS as a viable option. There are several scenarios in which this might be the case:
- Startups without the resources to hire a full CISO can use a vCISO for their expertise and cost-effectiveness.
- Organizations that are in the process of looking for a new permanent CISO can hire a vCISO temporarily to fill the gap.
- Organizations under pressure to meet security or compliance goals can benefit from a vCISO's on-demand nature.
- Organizations looking to upgrade cybersecurity programs and need third-party expertise can seek the aid of a vCISO as they can upgrade the program and train staff.
- Organizations that use a lean IT function and can't open a new position can temporarily employ a vCISO.
- Organizations without a permanent security team that want to lay the foundation for a lasting program can benefit from a vCISO.
One of the disadvantages of hiring a vCISO is that they likely will be serving other organizations as well. This could potentially lead to problems with loyalty, a lack of timely responses when they are urgently needed and risk ownership if a breach occurs. An in-house CISO is a better option for organizations that need an employee with no other external commitments.
CISO-as-a-service offerings are usually pay-as-you-go and on-demand. They are often paid for on a yearly subscription basis using a retainer. The amount of time the vCISO spends on site is then negotiated and the retainer is based on set number of days or hours per year. This varies based on the vendor's offerings and the customer organization's needs. Sometimes vCISO's are hired for short-term fixes to security issues, other times they are hired for longer-term solutions such as developing a company's entire security program.
CISO's are some of the highest paid positions in IT security. Hiring a vCISO is often drastically cheaper because of this payment model. Organization's may spend between $100,000-$200,000 a year on retaining in-house talent, whereas a vCISO generally costs less than half of that.
Some organizations that offer CISOaaS include Fractional CISO, Lares, ITgovernance, Truvantis and iSecure.