The vCISO Dividend: How Fractional Security Executive Retainers Make Dollars and “Sense”

Updated: Sep 17, 2021

Most executive leadership teams today are uncomfortably aware of the need for a strong information security posture, but not all are able to ensure it. That might be because:

  • they are focused on their company goals, such as growing the business

  • their risks are not formally defined, or

  • they simply do not have the time, budget, or expertise for information security.

For many organizations, that uncomfortable awareness of the need to address information security tends to develop in two ways:

First, even organizations lucky enough not to have been hit by ransomware or a supply chain attack in the last couple of years are keenly aware of the prevalence and impact of such attacks from recent media coverage and first- or second-hand accounts. From the Colonial Pipeline and Kaseya ransomware attacks to the SolarWinds and Accellion breaches, no company, and none of the suppliers it depends on, is immune from the devastating effects of cyber attacks.

Second, customers, investors, and other external stakeholders increasingly demand detailed information about an organization's information security posture via endless procurement questionnaires or virtual audits. For the unprepared, these demands interrupt sales and fundraising cycles while functional managers scramble to provide legal teams with accurate and defensible answers. Companies have good reason to perform this due diligence on new vendors: cyber insurance does not remedy the impact of a poor security posture. In fact, underwriters, stung by losses stemming from recent attacks, are requiring significant information security investments before they write new policies.

So how can organizations without the requisite security resources gain confidence in their information security capabilities?

A new option has emerged, known as virtual CISO, or vCISO, services. This fractional CISO retainer model gives organizations a cost-effective way to address information security risks as well as manage and optimize investments in information security. vCISOs can help create your organization’s information security strategy and program as well as implement it and report on results.

There are several reasons vCISO services are becoming increasingly common. For example, they:

  1. Are Cost-Effective - With the cost of experienced full-time CISOs running in the hundreds of thousands of dollars (if not more), a virtual CISO as a service delivers the required expertise for a fraction of the cost. Companies only pay for what they need, without unnecessary overhead.

  2. Reduce Hiring Gaps - Information security professionals are exceedingly hard to hire in the first place, and CISOs tend to stay in the role only a few years, so organizations struggle to keep the position filled. As an external partner, a vCISO can fill the role quickly and stay on for as long as needed.

  3. Deliver Expertise on Call - vCISOs tend to be seasoned professionals who have decades of experience in information security, giving clients expertise that is both broad and deep.

When to Use vCISO Services

There are a number of situations when using a vCISO makes sense. For example, if you are concerned about cyber attacks but do not know where to start, a vCISO can sort through your options and recommend the best course of action. A vCISO is especially beneficial when:

  • You are a small- to medium-sized business that cannot afford to hire a full-time CISO but needs professional help in developing and implementing a security program.

  • You are trying to hire or replace a CISO and need an expert to carry out the organization’s strategy while you manage the hiring process.

  • You are faced with new or evolving regulations and do not have the expertise on staff to implement the appropriate security controls.

  • You are not sure your security investments are effectively addressing the organization’s needs, because cyber threats continue to evolve faster than most companies’ security stacks.

How IOmergent Can Help

IOmergent Fractional CISO services help clients build information security programs or fill critical capability gaps based on industry best practices, so they can continue to focus on their mission-critical goals and growth. We provide deep and broad information security expertise and proven methodologies to help your organization identify and surmount challenging security issues and align its security investments with its strategy.

Our Process

We tailor the scope and focus of every vCISO engagement to your requirements while ensuring a comprehensive approach that includes three key phases: Assess & Triage, Align & Build, and Operate & Adapt. We staff engagements with deeply experienced CISOs because knowledge and judgment make a significant difference in the quality of executive decisions, in our ability to advise on an optimal, risk-aligned security investment strategy, and in how effectively we can direct the efforts of internal staff. When clients develop specific security requirements and tasks, we deploy domain-certified consultants and architects.

Our cost-effective approach enables you to invest in additional staff, solutions, or services with the budget you would have spent hiring a full-time CISO, while delivering deep security expertise to optimize security decisions and align security investments.

Would you like to see how IOmergent can help your organization reduce risk, optimize security decisions, and gain confidence in its security posture? Contact us today to schedule a confidential consultation at no cost.