What type of information security officer does your company need?

by Brad Garland

Today’s data-centric businesses depend on a secure cyber environment to operate. If you are a small firm, you may task contractors or your general IT support staff with handling your security needs. Mid-size to large firms, however, most likely employ an information security officer (ISO), also known as a Chief Information Security Officer (CISO). In a digital world rife with fraudulent emails and trojan horses, your ISO is your first and best line of defense. Finding a suitable security professional, however, can be costly: CISOs in top U.S. markets command an average salary of $204,000. Despite these costs, smaller businesses that lack the budget to hire an in-house ISO are not out of luck. A virtual information security officer (vISO), a security professional engaged on contract rather than as a full-time employee, can bridge this gap. A vISO gives your business access to the same expertise as an in-house ISO, without the associated salary and overhead.

Is a (v)ISO useful for my business?

The answer depends on a variety of factors, including your particular industry, acceptable level of risk, budget expectations, and the sensitivity of data that you process. To help guide their decision, executive teams should ask themselves one key question:

What are the consequences to our business if we are breached?

A “security breach” may include everything from a malware infection that exposes a database to the public to a targeted attacker who steals your customers’ financial information. Numerous operational, legal and technical issues may be raised, depending on the nature of the breach. When discussing such issues, executive leaders should keep in mind the associated damages, both monetary and reputational, that will almost certainly follow. If you or your current IT staff are prepared to answer this question, and to work through the many issues a breach raises, you may not need a dedicated security professional. Chances are, however, that your staff is not prepared to handle a severe security incident. This is especially true for businesses in highly regulated industries, such as healthcare or financial services, which must meet strict regulatory security requirements and, in many cases, documented breach-notification obligations.

In many cases, engaging a professional whose sole job is to protect your business’s cyber operations, i.e. a vISO, makes the most sense from a business standpoint. A business that prioritizes security differentiates itself from the pack: according to a report by PwC, 85% of consumers report that they will not do business with a company if they have concerns about its security practices. Adequate security personnel can mean both additional customers and savings on your payroll. Not only do you free up your business’s other employees and resources from tackling security, you can also work with your vISO to select the right hardware and software to automate security monitoring. If implemented correctly, such automation may reduce or eliminate the need for other full-time employees, though someone must still own the triage of the alerts it produces and the response to them.

Ok, so I need a virtual information security officer. What should I look for in a vISO?

First and foremost, a vISO should have the requisite technical knowledge and background in security. Certifications are evidence that your vISO has the baseline skills and interest required to do the job, though they are no substitute for a track record of handling real incidents and risk decisions. Certifications commonly held by vISOs include:

  • Security+ (foundational security knowledge)
  • CEH (Certified Ethical Hacker; offensive-security fundamentals)
  • CISA (Certified Information Systems Auditor; audit and controls assessment)
  • CISM (Certified Information Security Manager; security program management)
  • C|CISO (Certified Chief Information Security Officer; executive-level security leadership)

For a role that is primarily about leadership and risk management, the management-level credentials (CISM and C|CISO) carry more weight than the entry-level or hands-on ones.
In addition to technical know-how, a vISO should be well versed in your business’s particular goals, strategy, and risk tolerance. A great vISO realizes that their role bridges the gap between security and business. Therefore, communication is key. A vISO should be able to translate technical jargon into terms business leaders will understand. This helps executive leadership see why security matters and align business practices with sound security principles.

Where can I find a vISO?

At Vala Secure, our professionals can serve as your vISO. Contact us to schedule a call. We’re here to help.