By Caroline McCaffery, CEO and Co-founder, ClearOPS
Most people find themselves in cybersecurity because they find its ever-changing landscape interesting. 2023 did not disappoint with new concerns over liability in the CISO role coupled with greater restrictions from the SEC and various state privacy laws. These concerns and, frankly, opportunities for more work are why security experts are turning their focus from corporate employment to starting their own firm.
This year, I’ve had the privilege of interviewing nearly 40 vCISOs and security entrepreneurs, and I want to share my findings, offering a roadmap for those who dream of building their own vCISO firm in 2024.
The Hardest Part: Marketing and Sales
My favorite question from the interviews is “What is the hardest part about running your own virtual CISO firm?” I think it is a tough question, but the responses seem to come pretty easily. 80% of the time the answer is “sales.”
Why is sales so hard? Focusing on what I have learned from the consultants versus my own experience with this problem, there is no magic bullet and almost everyone has their own unique approach. I will address a few of them.
The first approach to sales is to focus on marketing. I have spoken to several vCISOs who have a podcast, teach through LinkedIn learning or other teaching platforms, write books or contribute to a specific publication. What was most interesting about this approach was the focus on how their expertise is discovered by their potential client. They have really focused on identifying that ideal client profile for their services and then targeting their marketing towards that client. For example, if they find that they are most suited to startups in the $1M to $10M revenue range, they will target their marketing to the CEO or CTO of that startup and figure out how they do their research for service providers.
The second approach is to rely solely on their network. Often, the reason a vCISO launches their own firm in the first place is because a former employer, boss or colleague asks them to provide fractional security services to a business that is in a growth or established phase. This is a lucrative consulting position that sets the vCISO up financially to make the leap. Once they do quality work for this one company client, they use it as a reference to build a network of other potential customers through word of mouth.
The third approach I will mention here is the direct sales route. In my discussions, I find that this is the one that vCISOs consider the hardest path to take. Whether it is cold outreach or using a staffing firm, the time a vCISO must commit is significant and takes them away from providing the client services. It can also be relatively expensive as both paths require buying tools or paying fees. Also, vCISOs are generally uncomfortable doing sales. My suspicion is that part of that comes from having been on the other side of the sales pitch so many times that they are hesitant to fall into sleazy practices.
Fractional vs. Virtual: Demystifying the Divide
When I interview a vCISO, I like to ask them what they think about the use of the term “vCISO” versus “fractional CISO” when referring to their practice. Interestingly, several interviewees refuse to label themselves as “vCISOs” or they used to label themselves as “fractional CISOs” only to now focus on “vCISO.” Ignoring the SEO of either term, these two words “fractional CISO” and “virtual CISO” seem to be awkwardly used and confused.
In speaking to an industry expert, I enjoyed her perspective on the difference. She stated that because the term “fractional” is a mathematical term, those who tend to be more math thinkers may prefer to use it. Following that logic, it defines the role as someone who offers some of their time, a fraction, to companies and CISO departments.
Virtual CISO, on the other hand, is a bit more ephemeral and implies someone who can work full-time, but remotely. The implication is that this virtual person is the only security expert working for that company, which in turn means the company is relatively small or has an immature security program.
I like this distinction that she made but I am not convinced that the industry has adopted it. In my more recent conversations with vCISOs, some of them expressed an opinion that they originally called themselves vCISO only to now switch to fractional CISO. I picked up that the term vCISO has been degraded. I see on social media posts that “anyone can call themselves a vCISO” without requiring the corresponding experience or credentials, which further gives evidence that the community is becoming skeptical of the term.
And that last bit is an interesting point because even though there are several certifications and credentials in the cybersecurity space, most of them are younger than the cybersecurity professionals. Therefore, not everyone is credentialed. Regardless of that debate, I see the movement to “fractional CISO” more and more, so if you are launching your own firm, choose which term you want to use on your website with full knowledge that the line, while still fuzzy, is getting drawn.
Mapping Your Path: Finding Your Niche
The vCISO market is diverse, offering a range of client needs and engagement models. Identify your sweet spot. Will you specialize in specific industries? Focus on project-based work? Or do you charge hourly? Or maybe you prefer to cater to long-term engagements for larger enterprises? Choose your path wisely, honing your expertise and value proposition to become the go-to vCISO for your chosen niche.
As I explained in the previous section, vCISO has varying meanings. Some vCISOs I have spoken to only focus on pre-audit readiness. These are limited engagements, varying from 6 months to a year, where the vCISO builds the security program for the client, maintains it during the audit period and coordinates with the auditor during the audit. This type of vCISO then terminates their contract at the audit conclusion.
Another practice focus for vCISOs is the fractional cybersecurity professional who charges a flat fee, monthly, to their clients for building and maintaining a security program. With this work, the vCISO conducts a gap analysis, builds an action plan for the client that is customized and mapped to a specific framework and then works with the client on implementation, all the while helping with responses to security questionnaires and insurance assessments on the client’s behalf. Sometimes the vCISO charges an hourly fee instead of a flat fee and I usually see this type of billing when the vCISO is early in the life of the firm and trying to establish that initial client base (because hourly earns them less money). These services are usually referred to as “Advisory Services” and MSPs and MSSPs are also offering them.
Finally, the third most common vCISO offering is what I refer to as a secondment. The vCISO works full-time, but for a temporary period of time, within the client’s business. In this work, either the client lost their in-house CISO and needs someone to cover for a period, or they have never hired a CISO and need coverage while they conduct their search. With the dearth of high-level, C-suite talent (and the fears over liability since Joe Sullivan of Uber was prosecuted), a CISO search can take up to a year, so these vCISOs cover the gap. Usually, these vCISOs also have a whole separate engine built for discovering and training new talent so that when they receive the client call, they have a pool of aspiring CISOs to call upon. I find this fascinating because the vCISO is part cybersecurity advisor, part strategist, part practitioner and part recruiter.
I am sure more niches will evolve, but, based on my interviews, these are the most common. One consistency I have noted is the initial due diligence required with each client, usually called a gap analysis or gap assessment. My takeaway is that if you are offering vCISO services, you have to be offering gap analyses.
Go It Alone or Build a Scaling Business
It is exciting to start your own business working for yourself. While consulting businesses are often considered “lifestyle” businesses, they still can grow and scale like a startup. I personally like to analogize cybersecurity consulting firms to law firms and I think the model works well. The most highly experienced partner starts the firm and starts to grow enough client work such that they need help due to bandwidth constraints. At first, they have a few vCISO friends who can pitch in and consult when needed. Eventually, they need to hire someone to take over the client work so they can focus more on marketing and sales. Eventually, the founding partner is managing several other vCISOs and also associates who are earlier in their career. In this model, a vCISO partners with the associate. The associate has a cheaper hourly rate than the vCISO and works on more of the heavy lifting, like conducting the due diligence for gap assessments, reviewing vendor evidence of security and responding to security questionnaires on the client’s behalf. The vCISO partners focus more of their time on high-level tasks, training the associates and keeping abreast of changes to any standards or regulations (like NIST CSF 2.0 or CMMC).
Meanwhile, the founding partner now spends almost all of his, her or their time managing the business, hiring and firing, and marketing and sales. It is worth taking the time to understand what you want. Do you want to run a business or do you like doing the work for the clients? Your decision will determine whether you stay a one-person firm or grow into something much larger.
Back to the law firm analogy, I see vCISO firms eventually having specialties like law firms do now. One firm may have an entire practice area that focuses on audit readiness while another practice area focuses on secondments within companies. Basically, the choices you made to start your firm, such as which niche to offer, become one division of your much larger firm.
2023 was the year of the explosion of the vCISO market and I do not anticipate that it slows down in 2024. If anything, we will start to see larger and larger firms emerge as top-tier with reputations for being best in class. If you have been thinking of starting your own firm, I say the time is now before the price of entry gets too high.
As you dive deeper into running your own firm, you’ll discover even more insights and nuances. Stay curious, adapt to the changing landscape, and never stop learning. With dedication and the right strategies, you can build a vCISO firm that brings you challenges that are worth experiencing and enjoyment in your work that you never thought possible.
About the Author
Caroline McCaffery is the CEO & a Co-founder of ClearOPS, Inc., a security program management platform for security experts, powered by Generative AI. Prior to ClearOPS, Caroline spent the last 23 years as an attorney, both as in-house counsel and outside counsel, representing technology start-up companies in Silicon Valley and the tri-state area. Most recently, Caroline was the General Counsel & VP of Business Affairs at an A.I. company performing image recognition, where she was also responsible for ethics, finance, information security, people operations and business operations. Caroline is a frequent speaker on topics such as privacy, ethics in A.I. and women in business and law. Caroline received her B.A. in International Relations from the University of Pennsylvania and her JD from New York University School of Law. Caroline is a member of the bar in both NY and CA and she is a Certified Privacy Professional (CIPP/US).
Caroline can be reached online at (ronnie@vewpr.com) and at our company website https://www.clearops.io