Author: Michael Swanagan, CISSP, CISA, CISM / Last Updated: 3/19/2023
Reviewed By: Rich Selvidge, CISSP
You can expect to pay $1,600 to $20,000 per month (retainer), $200 to $250 per hour, or $8,000 to $10,000 for a one-time project for virtual CISO services. Other factors that determine cost include the scope of work, expertise, business size, and experience.
What You’ll Learn
Hiring a Virtual Chief Information Security Officer (vCISO) is an option for an organization that cannot afford a traditional CISO.
Many companies forego hiring a vCISO and continue to rely on their internal teams to oversee the security program.
A research firm reported that 64% of SMBs were operating without a CISO.
This approach may fall short of meeting long-term security objectives.
In this article, we will discuss what your organization can expect to pay for a vCISO.
Let’s start by examining factors that influence the cost of this service.
Determining the cost of a vCISO requires research on several key factors.
These factors will help you define the scope of work and estimate project duration, while ensuring the vCISO’s deliverables align with your allocated budget.
Prior to gathering cost details, your organization’s leadership should understand the key benefits of a vCISO role:
Let’s review the first factor in the selection process, the scope of work.
The scope of work has a direct bearing on cost. In most cases, a managed security provider has a team of vCISOs with various capabilities and levels of experience.
You can select the services and define the responsibilities you want the vCISO to implement based on their suite of service offerings.
As you select more services, expect an increase in cost.
The services available will vary from one provider to the next. Below is a list of general services a vCISO typically performs, though it is not limited to the following:
Another factor impacting the scope of work is the type of organization.
Note the following examples related to the type and the scope of work:
Let’s now look at the next factor your organization should consider when selecting a vCISO.
An experienced vCISO with expertise and experience in federal systems, finance, regulatory and compliance frameworks is typically in high demand.
For MSPs providing this service, expect to pay a higher rate.
In addition to specialization in regulatory frameworks, a high-quality vCISO should hold certifications in information security.
The CISSP (Certified Information Systems Security Professional) is the most common certification.
In addition, look for the following certifications and experience when selecting a vCISO:
Learn More: How To Become A Virtual CISO
The type of industry and the size of the organization impact the cost as well. Let’s note this in the next section.
Healthcare, financial, and global organizations with complex cyber security requirements will increase the cost of hiring a vCISO.
Note a few examples of cyber security-related regulations per industry in which a vCISO will need specialized experience to succeed:
A large enterprise organization with 10,000 employees will inherently have more risk and more security controls to oversee than an SMB with 1 to 1,000 employees, which impacts the cost.
Another direct impact to cost is the duration of the project.
A short-term duration for the vCISO’s service will typically incur a higher premium.
A long-term contract, such as an annual or multi-year plan, will provide the opportunity to negotiate discounts on services; however, there may be upfront fees associated with the contract.
To ensure you properly estimate the length of the engagement, regularly assess and evaluate your security program’s maturity.
This will help your organization meet the budget expectations and select the proper services to achieve the optimum ROI.
Let’s now see how the pricing structure works for your next vCISO hire in the next section.
One of the main benefits of hiring a vCISO is the reduced cost compared to a full-time CISO.
Let’s discuss and review the cost structure of a managed security provider that offers this service to SMBs.
Estimated cost: The average starts at $1,600 to $20,000 per month, or $19,200 to $240,000 per year.
A retainer fee allows you to pay upfront to reserve the services for a specific business need.
This allows the client to forecast and budget for a set number of hours for the year.
A sample of services where a retainer is typically necessary:
This model is ideal for an SMB that does not have the in-house expertise or lacks experience in the area of Incident Response and Forensics, where services may be needed immediately.
Estimated Cost: $200 to $250 per hour.
The hourly fee model allows the client to pay per hour for the vCISO service. This allows the client to pay per month on a part-time basis.
A sample of services you can expect to pay per hour are services that can be completed during a fixed time period:
This model is ideal for an SMB that has a fixed project requirement that fits within an SLA.
Estimated Cost: A project is typically priced per hour. A 40-hour project will cost $8,000 – $10,000.
The project-based fee structure is a pricing model that allows the vCISO to charge a flat fee for a particular service regardless of the time spent.
This model is beneficial for a client that has a fixed annual budget that cannot be exceeded.
Estimated Cost: This will vary, based on company share prices or equity available.
Equity compensation allows the client to offer a stake in the organization in exchange for the vCISO service. The vCISO can expect to receive stock options or other forms of equity in lieu of a cash payment.
This model is ideal for an SMB or startup that needs to hold onto its cash flow for a period of time.
Let’s now take a look at the average cost of a vCISO and how it is determined.
When calculating the final cost for the vCISO service, it is important to understand the contract in full.
There may be less obvious details that may be missed in the review. Let’s note a few of the fine details.
Although the vCISO is typically a part-time remote role, there may be an additional cost to onboard, such as occasional travel to the site or potential conflict resolution fees.
Long-term cost savings are a benefit of signing a longer-term contract. The performance of the vCISO will help you meet long-term compliance objectives.
If your organization is on the fence as to whether they should hire a vCISO or not, consider the risk of not having a vCISO.
Relying on existing teams to fulfill this role is not a prudent decision these days.
Not hiring a vCISO can potentially increase the likelihood of data breaches, unpatched systems, poor security awareness, and unresolved gaps in security processes.
Let’s now discuss how your organization can go about hiring a virtual CISO in this section.
The first requirement is to understand the weaknesses in your security strategy and what you seek to accomplish.
Gather input from your stakeholders and security leaders.
This will help determine what type of vCISO is needed.
A few needs to consider include, but are not limited to:
Understand the terms of the vCISO’s proposal.
If you have a legal team, request a review of the terms of the contract to ensure the deliverables align with your business objectives.
If you do not have legal counsel, ensure your contract review process is thorough, to ensure your expectations are communicated properly in the terms of the contract.
In this article, we have discussed key factors that determine how much you should pay for a vCISO. We examined cost structures your organization can choose from, based upon your specific business requirements.
We learned that the cost of a vCISO is determined by demographics, expertise, business size, and experience.
The cost structure of PurpleSec’s vCISO service was provided as a sample to observe what you can expect to pay for a vCISO:
If your organization is an SMB and does not have a CISO, we urge you to consider the lower-cost alternative of a vCISO. The benefits far outweigh the risk of not having one at all.
Learn more about PurpleSec’s virtual CISO services or schedule a free consultation.
Michael is an IT security expert with 15 years of proven experience. He has experience leading and supporting security projects and initiatives in the healthcare, finance, and advertising industries.
There are many factors that determine the cost of a virtual CISO. In most cases, the range is typically between $2,000 and $4,000 a month for an SMB. This cost will vary depending on the size of the organization and the provider. PurpleSec’s monthly rate starts at $1,600.
According to ZipRecruiter, the national hourly rate average as of February 2023 is $65.00. This rate will vary based on demographics and the size of the organization.
Current virtual CISO rates are estimated to be about 30% of what it would cost to hire a full-time CISO, potentially less than $30,000 annually.
As of February 2023, the base salary for a Chief Information Security Officer ranges from $209,104 to $265,926, with an average base salary of $234,912.
Virtual CISOs are in high demand due to their lower cost compared to a full-time CISO. The vCISO service is also attractive for SMBs that need to acquire management for critical services on an as-needed, affordable basis.