Should I Hire a vCISO or a CISO?


Managing security risk is a core business function in today’s world. Security management requires a professional and deliberate effort.

Like many initiatives within your organization, information security requires buy-in from the top down. Having a C-level security expert who understands the importance of implementing, growing, and fostering a strong information security culture is often the difference between organizations that protect data well and those who struggle.

Within information security, there are different ways organizations can handle this role—through outsourcing or hiring internally.

Deciding on whether to insource to a Chief Information Security Officer (CISO) or outsource to a virtual Chief Information Security Officer (vCISO) is a critical step in getting your security program up and running quickly and efficiently.

Here are some of the benefits of both a CISO and vCISO option so you can better understand which option might be right for your organization.



Most of the conversations we have at FRSecure regarding vCISO are about cost.

Many smaller or even mid-sized organizations feel they can’t afford the total compensation of a full-time CISO, or simply wouldn’t be able to utilize their time effectively.

With salary, benefits, stock programs, bonuses, etc., CISOs often cost $250k-$300k per year. A vCISO’s services typically cost $35k-$250k per year and decrease with time as the focus shifts to maintenance. A vCISO is a cost-effective way to apply verifiable industry experience to clarify your needs and apply scalable bandwidth.


Some organizations, especially smaller ones, have employees who wear many hats.

These employees, despite taking on information security objectives within their role, often wouldn’t consider security as their primary job function. They may have very little formal security training and might not know where to begin when trying to implement security measures and security awareness.

Often too, employees in this situation are generalists. They’re able to create, facilitate, and complete simple initiatives, but lack the training and skill to complete more in-depth tasks.

In this instance, a vCISO is beneficial as it will enhance internal capabilities. Good vCISOs bring proficiency and techniques from years of training and experience working with companies similar to yours. They know how to build successful security programs, and have the ability to help get you there.


Employee turnover is something all organizations face, and the market for security talent is very competitive.

Not only does a vCISO limit the turnover, but it also provides proven methodologies, and can help ensure that expertise isn’t lost during an employee transition,  regardless of whether your organization decides to hire another full-time security professional or not.

vCISO comic


Clearly, as the purveyor of virtual CISOs, I am in the corner of outsourcing security services. But, there are also advantages to a full-time CISO over a part-time vCISO.


If you employ a full-time CISO, they are ONLY your CISO. They are not pulled in other directions and can spend all their attention on your organization’s security team and initiatives.

Just like the majority of consultants, agencies, service providers, etc., vCISOs will have more than one client. While capable of handling this combined workload, it can force them to prioritize certain efforts. This will certainly not be the case with your own employee. 


If properly positioned, a full-time CISO will quickly improve the security posture of an organization through the focus of their bandwidth and their ability to internally influence executive management.

As mentioned before, the ability to focus on just your company’s initiatives provides tangible benefits. Plus, it increases your leadership’s confidence.

While our vCISO team prides ourselves on being able to have difficult conversations with executive leadership teams and boards of directors, it’s no question that the rapport with an employee will carry more weight—especially with conversations about funding.


Having a full-time CISO can have marketing and public relations benefits. It simply looks good to have someone on staff full time. 

C-level hires can generate earned media you can use to promote your organization.

More importantly, though, it proves to your customers and prospects that you are taking and will take the protection of their information seriously. That’s something you can also market and promote. If your competitors don’t have one, it may give you a perceived competitive advantage in the security category.

Managing security risk is a core business function in today’s world. Whether you outsource or insource, get your information security program up and running immediately. Don’t get left behind!

I hope that you’ve found these tips helpful. If you have any questions about how you can help protect your organization please visit

virtual CISO checklist

John Harmon on FacebookJohn Harmon on LinkedinJohn Harmon on Twitter
John Harmon
President at FRSecure
John Harmon is an alum of Concordia College in Moorhead, MN and has 10+ years of business leadership and IT industry experience, through which he developed an affinity for information security. As president, John's focus is helping clients better understand security requirements and implement effective information security strategies. As FRSecure continues to enjoy positive growth, he is constantly working to refine procedures and leverage our customer feedback to keep FRSecure providing ever-improving value.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *