Four signs a vCISO is not right for you.

When a virtual CISO is not what you need.

Jeff Kohrman
eCISO - Security for Startups
4 min readAug 5, 2019


One of our peers recently shared an article with us titled Four Signs You’re Ready for a Virtual CISO, published by a prominent security news outlet.

Business-persons looking disconcerted around a display

Although that article may have been written with reasonable intentions, it carried tones of fear, uncertainty, and doubt by using information out of context. Questionable marketing and sales tactics aside, we strongly disagree with the points they raised to encourage engaging a vCISO.

To restore the context necessary for anyone considering a virtual CISO for their company, we would like to revisit each of the points they covered in favor of traditional vCISO services.

Disclaimer: We are naturally biased as we provide leadership mentoring and services similar to what some vendors call a virtual CISO, helping you to become self-sufficient (and replace us with your own security leader). When and how to build security into your company should be treated as a business decision, not something a vendor manipulates you into buying.

Signs a vCISO is not for you.

1. Your customers are telling you.

One metric that many of our clients have adopted is that there are no lost sales because of security. We agree that although security doesn’t sell your services, it can certainly be challenging to continue making sales without reasonable security.

It is important to understand what level of security you need to protect your data and your customers, as well as what assurances your target market expects of you.

This must be a business decision — Hiring a security leader before you are ready can be more damaging long-term, and there are ways to meet these requirements without hiring a CISO, virtual or otherwise.

2. Your regulators are telling you.

Unless you are in a heavily regulated industry, in which case you may already have a CISO, industry regulators will rarely if ever require companies to have a Chief Security Officer. They might, however, ask that you have a security point of contact.

We encourage our clients to be open with their regulators to meet the spirit of their requirements within their current capabilities. They have frequently provided valuable suggestions based on their experience with similar companies.

3. Mergers and acquisitions demand it.

Perhaps one of the most inopportune moments to make a significant change in your security processes is in the middle of a merger or acquisition. Without a security program in place already, a part-time security leader won’t have anything to execute against to evaluate either party.

These situations do require a certain level of due diligence to make sure you are not taking on unnecessary risk to your business, but that is precisely why third-party auditors exist.

4. A vendor or MSSP is telling you.

The author of that post made references to the shrinking average tenure of CISOs today. It is true, security leaders have an average tenure at an organization of 18–24 months. This is often due to companies bringing in a CISO before they are prepared to support them or a more mature security program.

These are toxic and unhealthy indicators that will lead you to expensive churn, a souring security reputation in your industry, or worse — a deep-rooted dependency on your service provider while you ignore critical risks that only an in-house security leader can manage effectively.

One sign a virtual CISO could help you succeed.

When should you consider using a virtual CISO? That’s a decision that you (and hopefully your advisory board) need to make for yourselves, but our clients typically all have something in common.

We have found one consistently effective indicator that you are ready to be successful with a virtual CISO is if you are ready to commit to hiring your first security leader within the next year. One essential step to being prepared for supporting a CISO is recognizing that your company needs a security voice at the executive level.

Security leaders necessarily partner with nearly every vertical of your business to set the strategy for managing your organization’s risks. This means they need visibility and support to have hard conversations about where we are and what things we might need to change.

Think you’re ready for your first security hire?

We help growth-stage companies plan for success today through our 18-month remote security leadership and startup accelerator program, preparing you to sustain your own security leader to make security your strategic market advantage.

Reach out to us at for a quick consultation call to learn how we can help you succeed today.



Jeff Kohrman
eCISO - Security for Startups

Jeff is a cybersecurity veteran with a passion for making security accessible to early and growth-stage startups.