Introduction

Virtual Chief Information Security Officers (vCISOs) play an essential role in the protection of their customers, service to their peers, and contribution to the information security industry. The importance of the vCISO role has grown significantly in recent years and will continue to grow into the future.

Consider the following:

  • Cybersecurity  risks are increasing at an alarming rate, both in terms of frequency and impact to victimized organizations. The frequency of cyber-attacks is estimated to double between 2021-2025 resulting in global damages (impact) of $10.5 trillion USD annually. To put damages in perspective, this is 12.4% of the current world economy, and if “cybercrime” were a country, it would have the third largest economy in the world behind the United States ($20.9 trillion) and China ($14.7 trillion).
  • Information security leadership talent is expensive. According to Salary.com, CISOs are paid an average annual salary of $227,009, and this cost is only expected to increase significantly with talent supply issues that are estimated to last through the foreseeable future. One study estimates a current global information security workforce shortage of 4.2 million people.


Cybersecurity risk is not going away, and neither will the ever-increasing need for information security leadership within organizations. While we need more CISOs in our industry, the need for CISOs pales in comparison to the need for vCISOs when we consider that most organizations don’t have full time CISO needs and cannot afford the full time CISO price tag.

We need more vCISOs.

Purpose

SecurityStudio built the Certified virtual Chief Information Security Officer (CvCISO) Program to establish the industry standard for vCISO quality and qualifications, ultimately to best serve the community’s need for more vCISOs in the best manner possible.

Two more important purposes for the CvCISO Program:

  • Improve the quality of life for CvCISOs through more opportunity, better benefits (productivity, accomplishment, pay, etc.), and more confidence in their abilities.
  • Improve the quality of life for the people who hire CvCISOs through more opportunity, better returns on cybersecurity investments, and greater confidence in their cybersecurity protection.


Developing more vCISOs is not the goal of the CvCISO Program. A vCISO who's poorly equipped to perform the role will likely cause more damage to the organization than had the organization not employed a vCISO in the first place.

The CvCISO Program offers prestige to certification holders and assurance to those employ them.

We need more vCISOs who are qualified.

The CvCISO Program

The CvCISO Program is more than certification, it’s a holistic program for vCISO development. There are four levels in the SecurityStudio CvCISO Program, CvCISO Level 1 through CvCISO Expert.

There are no specific experiential pre-requisites for the CvCISO Level 1, and there are extensive experiential requirements for a CvCISO Expert.

The CvCISO Program is for everyone who wishes to become a vCISO, regardless of what point they are at in their career.

Progressing through the four CvCISO levels is dependent upon training, experience, and collaboration with others in the CvCISO community. Training, experience, and community are each essential in certifying and maintaining the best vCISOs in the industry.


Training

All CvCISO training starts with the official SecurityStudio Certified virtual Chief Information Security Officer Course (CvCISO-1). Additional courses will be required for CvCISOs who wish to serve more complex organizations or in slightly different capacities.

Experience

There are experiential requirements for CvCISOs. Each CvCISO level requires a different amount and type of experience as noted under each level.

Community

The value of community cannot be undersold. The CvCISO community is exclusive to CvCISOs and offers the opportunity for mentorship, validation, friendship, and career advancement.

CvCISO Certification Levels

Different CvCISOs can do different things for their clients in different situations. In the initial iteration of the CvCISO certification, there are four certification levels and one specialty certification: Level 1, Level 2, Level 3, and Expert. The Mentor designation is the certification specialty.

Certification means that the CvCISO has demonstrated they can fulfill the requirements necessary to perform the role well. Certification does not offer a guarantee that the CvCISO will perform the role well (a benefit that comes from the CvCISO community).

Requirements – All Levels

All CvCISO certifications have the following minimum requirements:


Additional requirements for each CvCISO Level are summarized in the table (below).

Level CvCISO-1 Course Additional Courses
Cybersecurity Experience
Management Experience
vCISO Experience
vCISO/CISO Experience
Level 1
Yes No 0 0 0 0
Level 2
Yes No .5 0 2 .5
Level 3
Yes Yes 5 2 5 2
Expert Yes Yes 10 5 10 3
Mentor Yes Yes 10 5 10 3

CvCISO Level 1

There are no additional experience requirements for CvCISO Level 1; however, there are some restrictions on the work that should be permitted to perform. A CvCISO Level 1 should NOT be permitted to lead vCISO work for any client, they should always work alongside or under the tutelage of a CvCISO Mentor.

A CvCISO Level 1 can progress to CvCISO Level 2 once they have met the additional requirements for CvCISO Level 2.

No Experience Requirements

Limited Engagement – Must Work with Mentor

CvCISO Level 2

The additional experience requirements for CvCISO Level 2 ensure that they can serve small organizations (up to 100 employees) without the need for a Mentor.

CvCISO Level 2 is a mid-level vCISO who should be able to manage information security in less complex environments and with customers who have minimally mature information security programs.

The experiential requirements for CvCISO Level 2 are:

  • 1 year information security experience.
  • 3 previous vCISO engagements.
  • 6 months (.5 years) vCISO/CISO experience (w/Mentor is acceptable).


The primary purpose for CvCISO Level 1 and Level 2 is to introduce new people into the information security industry and help them progress in their vCISO work.

Minimum Experience Requirements

Limited Engagement – Small Organizations

CvCISO Level 3

Level 3 CvCISOs can work as a vCISO in all organizations; however, there are some additional training and experience requirements.

The experiential requirements for CvCISO Level 3 are in line with those of a Certified Information Systems Security Professional (CISSP®); however, the CvCISO Level 3 certification holder must also have previous vCISO experience.

Additional Required Training:

  • Information Security in Complex Environments Course (CvCISO-E)
  • Information Security Communications Course (CvCISO-C)
  • Information Security Budget Justification Course (CvCISO-B)


The experiential requirements for CvCISO Level 3 are:

  • 5 years information security experience.
  • 2 years management experience.
  • 5 previous vCISO engagements.
  • 1 year vCISO/CISO experience.


NOTE: A person who successfully completes the CvCISO-1 Course, passes the CvCISO-1 exam, and possesses the necessary experience for Level 3 or Level 4

A person certified at Level 3 should be fully capable and qualified to serve as a vCISO in complex environments across industry verticals.

Additional Training Required

Mid-Level Experience Requirements

Unlimited Engagement

Qualifies to become CvCISO Mentor

CvCISO Expert

The most prestigious CvCISO certification level, a CvCISO Expert is truly an expert and has achieved a great accomplishment. CvCISO Experts are fully capable of helping the largest and most complex organizations, but they are also an extremely important part of our CvCISO community. A CvCISO Expert is esteemed and gives back to the community by being an active participant in the CvCISO program.

To become a CvCISO Expert, all the requirements for CvCISO Level 3 must be met, and the certification holder must complete the CvCISO Expert Interview. The CvCISO Expert Interview is a structured interview with other CvCISO Experts.

The experiential requirements for CvCISO Expert are:

  • 10 years information security experience.
  • 5 years management experience.
  • 10 previous vCISO engagements.
  • 3 years vCISO/CISO experience.


CvCISO Experts ultimately become the people who run the SecurityStudio Certified virtual Chief Information Security Officer (CvCISO) Program.

Additional Training Required

CvCISO Expert Interview Required

Expert Experience Requirements

Unlimited Engagement

Lead Direction of CvCISO Program

CvCISO Mentor

CvCISO Mentors are extremely capable vCISOs, but also possess the skills and desire necessary to mentor other vCISOs. CvCISO Mentors often work for organizations who are building and maintaining their own group of vCISOs.

Anyone can mentor a CvCISO, but the CvCISO Mentor designation demonstrates that the certification holder is committed and credible to this important task.

To earn the CvCISO Mentor designation, a person must be CvCISO Level 3 (or higher) and successfully complete the Information Security Mentorship Course (CvCISO-M).

Additional Training Required

Mid-Level Experience Requirements

Unlimited Engagement

Mentors for CvCISO Level 1 and 2

Training

As of January 1, 2022, there are four courses mentioned in the CvCISO Program training requirements:


CvCISO-1 is the only course required for all CvCISO certification Levels, and is the only course currently being offered. The other four courses (CvCISO-E, CvCISO-C, CvCISO-B, and CvCISO-M) are all in development and will be available soon (FALL 2022).