The bad guys are now starting to target mid-tier companies with their hacking activities. In many cases these companies have not yet come to realize that having a Certified Chief Information Security Officer (C|CISO) or a Virtual Certified CISO (vC|CISO) is something that needs to be accepted as a part of doing business. The recent Presidential report on how cyber attacks impact the economy of the U.S.A. makes it clear that the cost of having a security expert on staff or on retainer is well worth it if the smaller company wants to remain in business. Cyber crime is putting many of these smaller companies out of business simply because they cannot recover from the post-breach losses. At the same time, these companies may not have the dollars to pay for a full-time C|CISO, so their alternative is to explore the vC|CISO concept. The vC|CISO model can be leveraged to effectively manage security risk for small to mid-tier companies.
If a company is going to explore hiring a vC|CISO, it needs to do its due diligence and ask about the certifications (such as the one in the graphic below) and experience of the vC|CISO who is going to be giving it advice. While there are a lot of good vC|CISO options available, there are just as many vendors and security professionals touting themselves as vCISOs who lack the background or experience to be of much help. I lack quantifiable data on this point, but I would say you should expect to pay between 3 and 400.00 per hour for a vC|CISO. The good news is that you can choose what percentage of their time you want them to work for you (10%, 20%, on retainer, etc.) and then only pay for that portion of time.