vCISO Service Provider Survey Results
INTRODUCTION
Introducing the 2023 vCISO Survey Report by Hitch Partners – our first-ever publication in this domain. This report aims to lay the foundation for understanding the perspectives, challenges, and roles of vCISOs, while also serving as a valuable resource for the vCISO community.
We are an executive search firm focused on advocating for, and providing actionable insights to, the CISO and vCISO community we serve. We welcome your feedback on this data, including recommendations on topics to cover in future surveys. Having collected the data, we have identified several areas that we intend to analyze further in order to provide additional clarity to the security community.
METHODOLOGY
The data presented in this report originates from a voluntary, anonymous online survey conducted between June 13 and July 31, 2023, with the participation of 100+ vCISO (Fractional CISO) professionals based in the United States. The survey was sent to individuals who consider themselves full-time professional vCISOs, not to individuals at companies that offer a vCISO service as part of a security product/services business.
In this context, a vCISO or Fractional CISO refers to an outsourced information security resource that assists companies in safeguarding their infrastructure, data, personnel, and clientele.
It is essential to note that the information below reflects responses gathered from willing survey participants. We have calculated that the data represents approximately one-quarter of the current vCISO population in the market in the United States.
KEY INSIGHTS
The vCISO role has emerged significantly, driven by increasing awareness of its importance and unique market conditions. These conditions have led to an unprecedented shift within the CISO community, with more CISOs actively seeking work in a sluggish market than ever before, making the vCISO role an attractive and low-risk option to maintain their career trajectory and market presence.
Our survey data suggests that small companies, and companies with purely cloud-enabled infrastructures, retain the services of a vCISO more often than their counterparts. These two factors are likely correlated, since smaller, newer companies tend to adopt cloud infrastructure from the outset.
vCISO engagements frequently extend beyond the originally agreed-upon term.
Among companies of all sizes, the most frequently requested vCISO services are GRC, Strategic Planning, and Evaluating the Security Team’s Maturity / Mentoring Junior Team Members. As companies scale, additional priorities emerge, such as threat prevention and reducing the attack surface, business continuity planning, and temporary/interim coverage.
Companies with fewer than 500 employees show a greater tendency to utilize vCISO services for sales-related credibility and guidance, while larger companies (those with over 1,000 employees) are more inclined to hire a vCISO to address insider threats and event remediation.
The primary sectors utilizing vCISO services include finance/banking, SaaS, manufacturing/industrial, fintech, and healthcare. This suggests that industries in which customer trust is crucial are more inclined to engage in vCISO partnerships.
Positioning of the vCISO
FINDINGS:
Customer trust plays a vital role in the decision to retain either a vCISO or a full-time CISO once the presence of a security expert within the organization becomes essential. This emphasis on trust is most evident when an entire organization treats security as a first principle for its products and services. Our findings show that, among the various industries, Banking/Financial Services are the most frequent customers for vCISO services.
The vCISO path offers CISOs the opportunity to continue their career while enjoying greater flexibility and diversity in their work arrangements and the chance to support several companies simultaneously. Moreover, vCISOs can continue to exercise skills that are not often called upon in a full-time CISO position. Additionally, vCISO compensation and contract value fall within a range similar to that of a full-time CISO role, making the transition more appealing and seamless.
Our survey findings indicate a significant expansion in the vCISO market over the last five years: 67% of survey respondents came into the role during that time frame, and, notably, more than half of that subset (36% of all respondents) have been providing services for two years or less. When you factor in that over 80% of respondents have previous experience as CISOs, the statistics suggest that recent market conditions have contributed to this rapid growth. Annual follow-up surveys will help us track and analyze these trends for additional insights.
As stated above, the data indicates that the vCISO role is experiencing significant growth, making it one of the fastest-expanding positions in information security. As businesses confront increasingly intricate threats to their data and systems, the demand for expert security guidance has surged, a trend substantiated by our historical CISO placements.
Along with market factors, the expansion of the vCISO market, and the prolonged engagements it involves, could also be attributed to the following:
Companies often lack a clear vision for their CISO programs and struggle to define success. Consequently, the vCISO option becomes an appealing choice.
The rise in vCISO providers correlates with the increasing burnout effect experienced by CISOs in the market. CISOs seek more options, balance, and freedom rather than being tied to every incident.
The operating models and commercial terms for vCISOs vary. Typically, the vCISO model involves an independent consultant working under a statement of work, with pricing based on project scope. A small percentage of vCISOs (around 6%) use a combination of commercial terms, such as a flat fee combined with a fixed-period retainer. Others blend different operating models to meet the specific needs of their clients, for example a fixed fee for an upfront evaluation/assessment followed by an hourly retainer, a minimum monthly retainer, or an hourly fee.
Many vCISOs are open to being partially onsite during their contract, and only a small percentage operate entirely onsite. This mirrors full-time CISOs, of whom only 3% at private companies and 5% at public companies worked entirely onsite in 2022.¹ It also aligns with the broader CISO community, where the workforce is a mix of fully remote and hybrid arrangements, with security teams tending to be more dispersed than other parts of the workforce. In 2022, CISOs at privately held companies reported that most of their team worked remotely, with 76% indicating that more than half of their team did so.²
We expect the vCISO position to continue as primarily a hybrid role, influenced not only by trends in workforce migration but also by the willingness of vCISOs to consider onsite engagements (with only 8% reporting not being open to onsite arrangements).
We will continue to report on remote and hybrid work arrangements for both vCISOs and CISOs. Given the pressure to fulfill a wide range of responsibilities, most security leaders report adverse effects on performance, work-life balance, and personal health, which will be a critical factor to consider as the scope of the vCISO and CISO roles continues to expand.
¹ ² Hitch Partners 2023 Compensation and Organizational Structure Survey
Environment and Engagement
FINDINGS:
When a company is first scaling, credibility is critical. Smaller companies, especially those with fewer than 500 employees, decide to engage the services of a vCISO more often than larger companies do. Similarly, companies with a purely cloud-enabled infrastructure engage a vCISO more often than companies with a hybrid infrastructure. In general, these two factors (company size and infrastructure architecture) are correlated.
In our 6+ years of tracking CISO trends, we have observed that companies consistently undervalue and underestimate the level of sponsorship required to run a proper security program. Interestingly, we are now seeing similar trends within the vCISO community, where vCISOs often face ambiguously defined objectives and job requirements, and an increasing scope of responsibilities after starting their engagements. Over half of vCISO respondents said their contracts extend beyond the initial arrangement at least 50% of the time. The reasons behind these extended engagements require further observation and analysis; however, factors such as poor planning, reactive client management, or time management challenges might contribute to this tendency.
Most Common Services and Industries Engaging the vCISO
FINDINGS:
Regardless of company size, the primary services requested from vCISOs (as reported by over 80% of respondents) are GRC, the development and execution of strategic plans, and evaluating security maturity. GRC accounts for a significant proportion of engagements, ranging from 72% to 90% across company-size brackets.
As companies grow, other services become more pressing, such as threat prevention, reducing the attack surface, and leveraging the vCISO to fill the CISO role on a temporary/interim basis. Services that rank second or third in importance are: developing and executing strategic plans, enhancing security maturity, validating security controls, setting budgets, and facilitating communication.
Other aspects are worth highlighting (refer to the expanded chart in the appendix). One notable observation is that small companies often enlist vCISO services to support sales-related activities, yet seldom seek vCISO assistance with reducing insider threats or event remediation. Larger companies, on the other hand, frequently utilize vCISO services to address insider threats and event remediation needs.
Metrics, Terms, and Challenges
FINDINGS:
Our data shows that for both large, mature companies and those in early stages, KPIs are essential to the CISO's success in building awareness. Our survey reveals that over 70% of vCISOs use KPIs to measure performance. As CISOs have become more business-oriented, this trend is expected to grow, particularly given the prevalence of cloud-enabled infrastructures and the digital transformation they drive, both of which require effectiveness to be measured.
Dealing with challenges is intrinsic to any security role, especially for vCISOs, who must meet client expectations while ensuring security at scale. Among the various challenges, the two most prominent are budget constraints and the company's commitment to implementing security recommendations (63% and 54%, respectively). Interestingly, in the recent Hitch Partners CISO Compensation and Organizational Structure Survey, 17% of CISOs said they are willing to allocate a portion of their budgets toward acquiring third-party managed services.³
Moreover, when asked about any challenges not previously listed, vCISOs added fostering a security-conscious culture as a significant obstacle, along with difficulties in acquiring new business. For the vCISO, technical expertise is not enough: the role also demands leadership, communication, business acumen, and the ability to drive a security-conscious culture across diverse companies. To be successful, vCISOs need to demonstrate their expertise, credibility, and the value they bring to the organizations they serve. Acquiring new business in a competitive market requires networking, marketing, negotiation, and a track record of successful security implementations. This business development aspect adds another layer of complexity to the vCISO role beyond its core security responsibilities.
Meeting these challenges requires a well-rounded and adaptable professional who can effectively navigate the technical and business aspects of the vCISO role.
We asked respondents whether they are required to be covered by the client's corporate D&O (Directors and Officers) policy, and only 20% of vCISOs answered yes. At face value, this finding deviates from the broader CISO community, where 40% of those at privately held companies and 43% at publicly traded companies report being covered by the policy (as of 2022). In addition, over 80% of our CISO placements have coverage under the corporate D&O policy. Various factors could be contributing to this observation.
This finding could reflect the fact that permanent/in-house CISOs typically have sign-off authority for the organization's GRC standards, while a vCISO usually would not. However, we acknowledge that we could have framed the question differently to obtain more useful information. A more suitable approach would have been to ask respondents directly whether they have D&O coverage, and then, for those who do not have their own policy, whether they require coverage under their client's corporate policy.
³ - Hitch Partners 2023 Compensation and Organizational Structure Survey