Hiring a vCISO: Prelude to a Concerto

Photo by Mark Williams on Unsplash

I am often asked if hiring a vCISO is the solution to addressing a company’s cybersecurity concerns.  Before answering that complex question, I want to offer a short story to draw comparisons.

The story begins with an organization that wants to establish a new philharmonic orchestra.  They go out and hire a conductor.  This conductor has a long and prestigious resume, including past jobs as a conductor for other orchestras.  Does this experienced, talented conductor equate to a fully functioning orchestra?  Of course not.  An orchestra requires musicians, each playing their own role.  Those musicians need instruments to play.  Decisions need to be made about the musical selections.  Rehearsal times and concert schedules need to be established.  In sum, the orchestra is composed of people, processes, and technology (instruments).  The conductor’s job is to bring those components together. 

First Movement

So, back to the original question of whether hiring a vCISO will solve a company’s cybersecurity needs.  I urge you to think about the vCISO like the conductor of an orchestra.  Like the conductor, the vCISO should be a seasoned professional in their field.  Past experience evaluating, maturing, and operationalizing a cyber program is essential and valuable in building a program.  However, additional people, processes, and technology are all important components in every cyber program.

The team needed within a cybersecurity program cannot be the vCISO alone.  An effective cybersecurity program needs engineers to design and implement various security controls.  Technical project managers are needed to oversee the implementation.  Analysts are needed to monitor diagnostic tools to identify ‘indicators of compromise’.  These people can certainly be internal resources, but they could also be outsourced.

Second Movement

The processes within a security program consist of the policies and procedures a company follows to maintain a high level of security control.  For example, what are the password requirements for each company information system?  What is the process for evaluating a third-party vendor’s security posture before licensing their services?  How does an organization identify, prioritize, and mitigate risk? 

Third Movement

The technology aspects of a security program are the tools utilized across the organization that protect the computers, network, and cloud services.  Like the musicians in the orchestra that select their instruments, there are many security tools to choose from.  Not every tool is needed for every organization, and they vary in quality and effectiveness. 

These people, processes, and technology all require time, effort, and funding.  They also require the support of the executive leadership team to communicate cybersecurity as a critical function within the company.  With this commitment from leadership, coupled with the experience of a tenured vCISO, an organization has the support, funding, and vision to embark on the beginning of a successful cybersecurity journey.


Allow us to conduct your cybersecurity orchestra. Our vCISO service offers gap analysis, tool selection, documentation, policy creation, staff mentorship and so much more.