Pratum Blog

Virtual CISO is an outsourced senior-level security executive.

A virtual chief information security officer (vCISO) is an outsourced senior-level security executive who is responsible for the strategic development and implementation of information security programs. Included in vCISO services is a supporting team of information security professionals who help implement the vCISO's cybersecurity vision.

The vCISO team is responsible for structuring policies and procedures to align with company culture, risk tolerance, and compliance requirements. A tailored approach is integral in the creation of an effective security program. Most vCISO engagements begin with an IT risk assessment, which identifies areas of needed improvement and helps set priorities for the security program. Once deficiencies are identified, a plan is generated to begin addressing security gaps.

Why does the Virtual CISO (vCISO) service exist?

The demand for vCISO services has grown rapidly over the past few years. As information security threats increase and businesses remain the primary target, the demand for security professionals will continue to rise. The gap between the demand for security professionals and the available supply is widening. This drives a competitive market for security professionals and places a major burden on companies seeking to staff for their cybersecurity needs.

This is where a vCISO offers its value. Virtual CISO services give organizations that would otherwise not be able to hire a qualified security candidate the ability to work with an experienced CISO and security team, without increasing their organization's headcount. Many organizations don't need a full-time CISO; they need an independent security professional to lead their organization by assessing cybersecurity issues, building a cybersecurity program, and ensuring the achievement of proper security milestones.

5 Reasons to Consider a Virtual CISO (vCISO)

  1. Expertise Across Industries:
    vCISOs work with various clients in unique industries, exposing them to opportunities not available to CISOs working in isolated verticals. The security knowledge gained by a vCISO from each unique client environment ensures continual growth and improved expertise for the security leader, which positively impacts each client the vCISO leads.
  2. Flexibility in Unique Business Environments:
    Virtual CISOs are prepared to begin working immediately with little on-boarding time and can adapt to almost any setting. By their very nature, vCISOs can enter a new environment and quickly adjust as business and security demands require. vCISOs first gain a thorough understanding of each organization’s business model, company culture, risk tolerance, and objectives. From there, they gain an understanding of the security risks faced by the organization. With a full view of the security landscape, the vCISO communicates the findings to help clients make the appropriate security decisions for their environment.
  3. Efficiency with Core Competencies:
    A virtual CISO fills in the security gaps where organizations need it most. By focusing on cybersecurity strategy and implementation, vCISOs relieve internal teams of the daunting responsibility. This enables both internal staff and cybersecurity professionals to remain dedicated to their respective core competencies.
  4. Objective Independence:
    vCISOs are not swayed by internal politics or personal career goals. A vCISO is an independent third party with an objective viewpoint and a single goal: helping clients make the best security decisions for their business.
  5. Economical:
    Pratum’s vCISO programs generally cost a fraction of a full-time CISO and supporting security team. According to SilverBull's May 2016 report, the median salary for a CISO is $223,000 per year, and that base salary doesn't include the expenses incurred with additional employee headcount. vCISO clients also gain access to the expertise of an entire team, which eliminates the inherent skills gap of a single employee.

What types of businesses are using vCISOs?

There are organizations of all sizes in various industries that are benefiting from vCISO services. For example, at Pratum we work with businesses in healthcare, manufacturing, technology, analytics, printing, marketing, insurance, retail, and finance. Regardless of the industry, technology plays a major role in operating a business, and with technology comes security risk.

Each business is unique, and every organization handles risk differently. However, the approach is the same with every organization. First, a vCISO helps an organization understand its risk, and second, the vCISO helps organizations make the appropriate security decisions to align with business objectives.

To learn more, follow this link to Pratum’s Virtual CISO service.

On January 3, 2018, two new high-severity vulnerabilities were publicly disclosed. They are named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715). The vulnerabilities are inherent to how certain computer processors speculatively execute instructions and enforce memory isolation, not to any one operating system. Meltdown allows a malicious application to read protected memory reserved for the operating system kernel; Spectre allows an attacker to induce another process (or the kernel) to speculatively touch data it would never legitimately return and then recover that data through a cache side channel. In both cases the result is leakage of protected sensitive data.

Intel has reported that it has been working with developers of operating systems such as Microsoft Windows and the Linux distributions for several months to address these issues. A press release from Intel states they were planning to release this information the week of January 8, 2018. We believe this indicates that Microsoft was likely planning to issue a patch during the normal January 9, 2018 patch cycle. The patch for Windows 10 from Microsoft was released out of cycle and became available at 5PM EST yesterday, January 3, 2018. Customers who are not using automated Windows Updates should apply this patch as soon as possible. Note that Microsoft offers this update through Windows Update only on systems where the installed antivirus product has set the compatibility registry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat, so a system with an incompatible or outdated antivirus product may not receive the update until that product is updated. Patches for other Microsoft operating systems have not been released yet.

Customers should continue to monitor security updates from vendors of operating systems, hypervisors, and hardware (firmware and CPU microcode) to determine when a patch will become available for their products.

At this time, there are no other actions users can take to mitigate this issue beyond applying vendor updates. Affected hardware and software will need to be patched once vendors release these security updates. Note that the Spectre variant 2 (CVE-2017-5715) mitigation depends on updated CPU microcode in addition to the operating system patch, so a patched OS may still report that mitigation as unavailable until the system firmware or microcode is updated. Once these updates are released, vulnerability scanners will be updated to identify systems which are missing these patches.

Pratum advises all customers to continually update vulnerability scanning signatures and profiles to check for existence of these patches. Customers of Pratum’s managed vulnerability scanning service will automatically receive these updates and no additional action is needed.
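As an added example, not part of the original Pratum advisory and not Pratum's tooling, the following PowerShell script is one way an administrator can verify on a single Windows host that the January 2018 mitigations are actually active rather than merely downloaded. It assumes Microsoft's SpeculationControl module has been installed from the PowerShell Gallery (Install-Module SpeculationControl) and that it runs from an elevated prompt. The registry value name and the property names returned by Get-SpeculationControlSettings are Microsoft's published ones; the function name Get-SpectreMeltdownStatus and the shape of the summary object are this example's own.

```powershell
# Added example (not from the Pratum advisory): verify Meltdown/Spectre mitigation
# state on the local Windows host.
# Assumes: Install-Module SpeculationControl has already been run, elevated prompt.

function Get-SpectreMeltdownStatus {
    # 1. Antivirus compatibility flag. Windows Update withholds the January 2018
    #    update unless the AV vendor (or an admin) has written this DWORD = 0.
    $compatPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $compatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $avCompatSet = $false
    if (Test-Path $compatPath) {
        $item = Get-ItemProperty -Path $compatPath -ErrorAction SilentlyContinue
        if ($null -ne $item -and ($item.PSObject.Properties.Name -contains $compatValue)) {
            $avCompatSet = ($item.$compatValue -eq 0)
        }
    }

    # 2. Updates installed on or after the out-of-band release date. The KB number
    #    differs per Windows 10 build, so filter by date rather than a fixed ID.
    $recentFixes = Get-HotFix |
        Where-Object { $_.InstalledOn -ge [datetime]'2018-01-03' } |
        Select-Object -ExpandProperty HotFixID

    # 3. Kernel-reported mitigation state via Microsoft's module.
    Import-Module SpeculationControl -ErrorAction Stop
    $s = Get-SpeculationControlSettings

    # CVE-2017-5715 (Spectre variant 2, branch target injection): requires updated
    # CPU microcode (BTIHardwarePresent) AND OS support present AND enabled.
    $spectreV2Mitigated = [bool]($s.BTIHardwarePresent -and
                                 $s.BTIWindowsSupportPresent -and
                                 $s.BTIWindowsSupportEnabled)

    # CVE-2017-5754 (Meltdown): kernel VA shadowing. Only required on affected CPUs;
    # on a CPU that does not need it, "not required" counts as mitigated.
    $meltdownMitigated = [bool]((-not $s.KVAShadowRequired) -or
                                ($s.KVAShadowWindowsSupportPresent -and
                                 $s.KVAShadowWindowsSupportEnabled))

    # CVE-2017-5753 (Spectre variant 1) is addressed by recompiling affected
    # software; the module exposes no kernel-level flag for it, so it is not reported.

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        AVCompatKeySet      = $avCompatSet
        UpdatesSince3Jan18  = ($recentFixes -join ',')
        MicrocodeUpdated    = [bool]$s.BTIHardwarePresent
        SpectreV2Mitigated  = $spectreV2Mitigated
        MeltdownMitigated   = $meltdownMitigated
    }
}

Get-SpectreMeltdownStatus | Format-List
```

A host that has the OS patch but an un-updated BIOS will typically show MeltdownMitigated true and SpectreV2Mitigated false with MicrocodeUpdated false; a host with AVCompatKeySet false and no entries in UpdatesSince3Jan18 has most likely not been offered the update at all. Running the function across a fleet (for example through Invoke-Command) gives the same per-host view that a vulnerability scanner will provide once its signatures are updated.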

Pratum customers who have questions or concerns about these vulnerabilities should contact the Pratum support team. If you are not a current customer of Pratum but would like guidance on how to address this or other vulnerabilities, please contact Pratum.

Three cyber security questions every business leader should ask their technology teams.

If you are feeling overwhelmed with cybersecurity concerns, here are three cybersecurity questions that every CEO should ask their CIO, CISO, CFO, VP, Director or “Whatever” of Technology. The following questions will spur your team to focus on information security and provide you with actionable information.

  1. Can you prove to me that we’ve not had a system breach in the past “x” months, and will your evidence stand up to an independent third-party review?

    The idea here is to make your technology leader a little uncomfortable. You don’t want to hear someone touting their belief in the team. You want concrete evidence. Challenge them. Make them show you months of event logs (SIEM reports) that have been reviewed for anomalies or malicious activity. Ask for something, anything. Just don’t settle for “We believe our systems are safe.” Even if you have no plans to get an independent review, ask them to be able to support their conclusions.

  2. How are we coming with addressing the top risks identified in our latest IT risk assessment?

    This assumes you have performed a high-level IT risk assessment with your CIO, CFO, Legal, HR and Insurance teams within the past year. Technology is changing daily. The way we use technology is changing just as fast. Are you up to speed on the risks that face your organization from the use of technology in your business operations?

    You know risk exists. Are you addressing the biggest risks first? Are your investments to reduce risk working? Are there new laws that could change your risk? Can new insurance products transfer some of the risk? Ask questions of your leaders. Make sure sufficient progress is being made to reduce risk where necessary.

  3. Do we have the expertise on staff to deal with the changing threat and regulatory landscape?

    This is the toughest question. Everyone hopes to have the best and brightest on their teams. The reality is there are always gaps. Make sure your leaders know gaps are OK. However, the gaps need to be identified and dealt with.

    Perhaps you already have a security team. Great, but do they have all the skills needed to fully protect the organization? If not, can they get them? Should they? Are contracts or retainers with cybersecurity experts a better solution? Either way, it’s best to be prepared. You can’t afford to be caught flat-footed in this rapidly changing security environment.

CEOs who get answers to these three questions will be far ahead of many of their peers and competitors. While there is a “right” answer to every one of these questions, the “right” answer will be different for everyone. The important part is to ask the questions and then ensure the “right” answers are supplied.

Through this process, if you discover that you need some cybersecurity expertise, Pratum is available to help. We can perform everything from IT Risk Assessments to full on Virtual CISO services. We help businesses solve information security challenges based on risk, not fear.
