
Looking Back at the Role of the Virtual CISO and the Reality of Small Firms


Many small firms would often benefit from looking internally first, before jumping to externalised cybersecurity solutions


Many small firms have been struggling with cyber-attacks over the past few years and might have been tempted by virtual CISO (“vCISO”) services.

I first wrote about this in 2019 and, 5 years on, I am still seeing a large number of misconceptions around this type of role and, beyond that, around the real dynamics of small organizations.

I have to start by repeating that the use of the word “virtual” in this context is a catastrophic marketing shortcut that the cybersecurity industry must stop using: The fact that the role could be “virtual” implies that the threats might not be real and devalues it entirely in my view. Of course, it is not meant in that sense, but it still carries that type of undertone.

It is generally meant as a part-time and externalised role; it also implies that this is an expert role requiring highly specific skills the firm does not possess in-house (or could not find or could not retain).

So the question is: Can an external cybersecurity expert spending a few days a week really help a small firm to protect itself?

There is one scenario where it makes perfect sense, and that’s the post-breach scenario: Bringing an external expert – fulltime first – to drive or supervise the forensics work, help the firm’s management understand what went wrong and why, work with them towards a corrective roadmap then staying on, a few days a week, for a period of time to ensure its deployment: All that is just good management.

Outside those types of special situations, I think care is required with “vCISO” roles in small firms.

First, we need to bear in mind the specifics of small firms: People know each other. They are used to working with one another. Senior management is often hands-on. Middle management is always hands-on. “Leadership” in small firms is about looking people in the eyes and making things happen; it is not about talking about something at the other end of a Zoom call.

That’s what makes the “vCISO” role often difficult.

Proving yourself will involve helping people and taking load off their back; it will involve “doing” things, not just “talking” about them or providing advice: Giving awareness talks to staff or joiners, performing risk assessments on new vendors, organizing intrusion tests and the remedial work, being there in case of incidents… All this means “real” hands-on work… there is nothing “virtual” here…

The cybersecurity concepts cannot be seen as alien to the firm, otherwise they will never be taken seriously, so the “vCISO” person has to be visible and trusted, at least amongst the small IT community of the firm but preferably by management as well.

This level of trust will have to be built, but how can you be seen as “one of the team” as an external person, spending only a few days a week with the firm, and not necessarily on-site? At best, it requires some rare skills…

That’s why I have always felt that small firms would often benefit from looking internally first, before jumping to externalised cybersecurity solutions.

Lots of young IT professionals like IT security as a hobby; they just don’t have the time to develop those skills at work because they are constantly firefighting other operational matters.

If you have one of those gems in your IT team, nurture it, train it, help it grow. The person will be known and trusted and will also know the firm and its IT environment from day one.

Having the role visibly held in-house (not externally) may also help with the acceptance of necessary security measures, as something “home-grown”, not imposed from outside.

As always, all this may be more difficult than hiring a random cybersecurity expert in the hope of making the problem disappear, but it may prove best in the long term. I think most small firm owners should understand that.


JC Gaillard

Founder & CEO

Corix Partners

Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.

An edited version of this article was published on Forbes on 16th February 2024 and can be found here.