The rise of vCISO as a viable cybersecurity career path

For all the talk of security skills shortages and the recession-proof nature of cybersecurity, it’s been a tough job market for many veteran security professionals over the past year. The consensus among many in the industry is that hiring standards have grown more stringent, and maybe even unrealistic, for entry-level and midcareer positions. And for executive spots the reality is that there really are only so many CISO positions to go around.

Many midmarket companies and even some larger companies still don’t have a CISO. According to a Board Cybersecurity study of 10K SEC filings, only 52% of public companies specifically mentioned having a CISO position as a part of their reports to regulators and investors.

Nevertheless, there are plenty of opportunities for ambitious and even aspiring CISOs seeking to broaden their career prospects. One route that’s gaining momentum is the virtual CISO (vCISO) or fractional CISO career path.

Companies that don’t have the means to hire a full-time CISO still face the same harsh realities their peers do — heightened compliance demands, escalating cyber incidents, and growing tech-related risks. A part-time security leader can help them assess their state of security and build out a program from scratch, or assist a full-time director-level security leader with a project.

What they’re looking for is a vCISO. According to recent studies, vCISO services are becoming a pressing market need. For example, Cynomi’s State of the Virtual CISO 2024 showed that 75% of MSPs and MSSPs report very high demand for vCISOs and fractional CISOs.

This demand is fueling a bona fide career path for security leaders, one that can be more than just a gig between in-house CISO roles. And many experienced security professionals are finding the variety and independence of vCISO work to be a rewarding route to career success.

What the vCISO path can look like: Perspectives from four vCISOs

To understand how varied and valuable these opportunities can be, we talked with four vCISOs about how they settled into their roles and what their workflows look like. Some work for service or consulting firms; others run their own businesses. Three served one or more stints as an internal CISO prior to jumping into the vCISO and consulting world. All have spent many years in IT amassing a wealth of cybersecurity, risk management, and compliance knowledge.

Damon Petraglia, vCISO and CISO on demand, Blue Mantis

A long-time cybersecurity pro with chops built up in the federal government world and through forensic investigation work, Damon Petraglia works as a vCISO and CISO on demand for the IT services firm Blue Mantis.

“Where I am today as a vCISO is a culmination of 20 years of experience in information security,” says Petraglia, who has worked as an embedded vCISO at universities, hospitals, and other state agencies. “I started out as a contracted federal investigator, wound up going into digital investigations, owned my own forensic computer investigation company for a while, contracted to the government and then contracted out to private industry, wound up consulting as an advisor to CISOs in various capacities, and then becoming a CISO myself for different organizations.”

He has run his own consulting firms in the past but now works for Blue Mantis so he can focus on the security work he really enjoys.

“When you own your own business or you hang your own shingle, you necessarily have to take time away from the core of what you’re doing because you’ve got to run that business and you’ve got to do the sales, and you’ve got to do all the marketing, and you’ve got to be out there,” he says. “And so, there’s a lot of time away from actually doing what you’re good at or what you love.”

His work today is done as a part of a small and specialized team that his firm calls the security transformation group. The work he does is extremely varied. “As a vCISO you can be embedded in an organization and then you’re sort of available to them at any given time, even though you may have set contractual hours and agreements like that,” he says. “But I’ll also do project work for people. I’ll do assessments, I’ll do incident response, I’ll do incident response planning, I’ll do policy development.”

Kristin Demoranville, CEO, AnzenOT

A vCISO with very specialized expertise in the food, agriculture and operational technology worlds, Kristin Demoranville has worked her way up the tech food chain not once, but two times before locking into her specialty.

“The majority of my career has been in tech — I was in break fix way back in the early days and even drove a Geek Mobile for a hot minute,” says Demoranville, CEO of AnzenOT. By 2008 she’d worked her way up to director level in the tech sector but ended up getting caught up in the tech crash of that year. So, she decided to go back to school for environmental management to get a job that had nothing to do with any of the tech work she’d previously done.

“But the joke is on me because I totally use that experience all the time now, which is hilarious to me,” she says, explaining that after getting her degree she wound up getting back into tech — this time as a security analyst. She essentially had to start over at the bottom rung.

“It was super humbling, but the best thing that could have ever happened in my career. I worked my way up to CISO in that company by the time I was done,” she says, explaining that the firm was a food company that has since been sold. “I cut my teeth heavily in there with operational technology and just fell in love with it. I got to know the food side and understanding where food safety culture intersected with cybersecurity.”

After that job she jumped back over to the tech sector, working for Sony running its risk management team. It might sound like a departure, but not so much when considering the company’s manufacturing roots. She wrote Sony’s first factory security control policy — one that is still in use today. And then she moved to consulting, working for a large consulting firm in the CPG and food industries. She worked her way up to partner and almost burned out in the process. When her firm underwent a reorganization and released her in the process, it was her chance to set her own pace and control her own stress.

This was how her independent firm was born. Now she’s a near one-woman-band — she leans on her partner Stuart King for professional support and engineering help in building a platform for OT risk assessment that she uses in her engagements. She says the work is exciting and crucial due to the relative immaturity of her industry specialty when it comes to cyber.

“A lot of these places I’m dealing with don’t have any type of CISO roles. They don’t even have a head of security or anything at all sometimes. If they do, it’s on the IT side,” she says. “So, it is sort of de facto vCISO because I become *the* security person.”

She considers it her mission to try to get her clients to understand that much of cyber risk management is not related to IT at all. Not only does she try to level up discussion to a broader business risk focus, but she also tries to tie many of her discussions back to the operational technology issues that OT production operators care most about, such as issues of health and human safety. “Because I’m experienced in operational technology, if I can get with production or the operators, I can speak their language,” she says. “It’s really about process management, strategy and advisory work, and risk management as a whole. I’m really a risk person.”

Mike Pedrick, VP of cybersecurity consultant and a client-facing vCISO, Nuspire

Like many longtime security veterans, Mike Pedrick worked his way into the CISO spot by way of generalized IT roles. Prior to his consulting career he ran IT and information security for a manufacturing firm, working at the executive level for over eight years. “That’s an eternity in our particular industry. And I definitely enjoyed the people and my time there, and I learned a lot. I grew a lot as a person. It permitted me time to raise a family and so on. But it just became so unchallenging,” Pedrick says. “I was bored.”

It’s been twenty years since he left that in-house role and jumped into security consulting, working on all areas from infrastructure and IT architecture work to risk management over the decades. Along the way he’s been called to dive into a range of vCISO positions while working for numerous consulting firms. He’s worked as the acting CISO of client firms, helped guide projects, and done a significant amount of advisory work. This is his bread-and-butter.

“Part of my ethos is I enjoy mentoring; I enjoy teaching. I do both quite regularly as a vCISO and I’ve been teaching for ISACA for 10 years now,” he says. “In fact, I’ve got a client right now who is very new to information security leadership and we have meetings on a recurring cadence. I say ‘Here’s how I think I would approach this or that. Let me know if you want to jump into a conversation with the other parties in your organization.’ And he chooses based on how confident he feels in the process.”

He says he especially likes his current position at Nuspire as the VP of cybersecurity consultant and a client-facing vCISO because he’s a huge automotive enthusiast and his firm has enabled him to specialize in that industry. So, he’s able to still enjoy the variety of vCISO work while also settling into a specific industry that feels like ‘home’ to him.

Tim Howard, managing partner and vCISO, Fortify Experts

Of this particular selection of vCISOs, Tim Howard has one of the more unusual paths to the job. His journey started in technology staffing and executive search consulting. His businesses would help tech and business leaders build out their cybersecurity teams and executive roles.

“Back in 2014 or so we saw the uptick in cybersecurity take off pretty significantly and created a new company called Fortify Experts, and we soon became the go-to-guys for hiring CISOs,” he says.

From that people-centric position in the industry he started building professional networks and connections with CISOs and cybersecurity risk professionals. The work gradually expanded from simply filling a role to assessing the state of clients’ teams and, eventually, the overall state of their cyber programs.

“We started getting drawn more into these engagements where we’d be drawn into doing the assessments,” he says.

Additionally, one of the big pushes his firm made was to develop a CISO forum where it would create a safe place for CISOs to discuss interesting topics or professional challenges.

“So here I’d have 40 or 50 CISOs all talking about these topics and I’m learning an awful lot. It’s almost like I had been coached by some of the best CISOs in the country for years and we were already doing assessments,” he says. “Ultimately, we got pulled in as opportunities came along to help companies on more of a project basis rather than helping them hire a CISO. Projects like ‘Can you help assess where we are, build a roadmap, or give me a prioritized target list of security work where we can get the best bang for our buck?’”

Because of his significant business and executive experience, Howard has been able to relate to clients in the way that they really need security leaders to approach problems — namely with a business-focused lens. He’s also less focused on doing the work himself as he is on building a brand and professional platform under which other semi-independent vCISOs can work. For example, he provides these pros with technical tools and training, as well as support materials like master service agreements (MSAs). Additionally, he helps provide business coaching. “Then they can step (into the security work) and still take 80% of their own cut for their business,” he says. “Then they’re leveraging a bigger brand and we’re all working together. We basically create a lead structure for everyone.”

He says he has five regulars that he works with and a much bigger network that he taps into on an as-needed basis, for example if a client has a project that requires a very specific set of skills. “And then I’ve still got the recruiting arm,” he says. “That way anytime a client or a network vCISO runs up against staffing challenges like ‘Hey, we need a technologist for a certain time period’ or ‘I’ve got to do some GRC work,’ then we can help them bring those folks in, too.”

Controlling your destiny as a vCISO

The range of work done by our panel of vCISO experts illustrates the dynamic nature of vCISO working models. The kinds of engagements vary wildly depending on the client’s needs. In many cases companies are seeking subscription or retainer arrangements.

In some of these ongoing relationships this could be to fill the proverbial chair of the CISO, doing all the traditional work of the role on a part-time basis. This is the kind of arrangement most likely to be referred to as a fractional role. Other retainer arrangements may just be for an advisory position where the client is buying regular mindshare of the vCISO to supplement their tech team’s knowledge pool. They could be a strategic sounding board to the CIO or even a subject-matter expert to the director of security or newly installed CISO.

But vCISOs can work on a project-by-project or hourly basis as well. “It’s really what works best for my potential client,” says Demoranville. “I don’t want to force them into a box. So, if a subscription model works or a retainer, cool. If they only want me here for a short engagement, maybe we’re trying to put in a compliance regimen for ISO 27001 or you need me to review NIST, that’s great too.”

Meantime, as a security pro starts to work their way into the industry they’ll have to consider whether they want to hang their own shingle or work for a consulting company.

“There are a couple of alternatives,” says Pedrick. “There’re the solopreneurs that provide vCISO consulting services to a small group of clients. They keep their client load just what they need to cover the bills. There’s folks that work for a consulting organization — for better or for worse — and they are more like the utility players. And then there are those that are trying to grow a brand of their own and grow an organization.”

Any one of those paths may morph or change for a vCISO as their client loads shift and new opportunities crop up. But one of the prevailing themes among all of the vCISOs we spoke with that keeps them rooted in this path is the opportunity for varied and interesting work that constantly flexes their skills.

“When you work for one organization what happens is you start to get stagnant once you build out a program,” says Petraglia. “To me, working as a vCISO is a lot more exciting because there’s always something new to work on. You have a new industry, you have new company, you have new culture, you have new and different challenges to face.”

What’s more, as a vCISO you control your own destiny, and you have much more control over the working conditions and the environment you work in on a day-in and day-out basis. As a woman in the male-dominated world of security this can be especially refreshing, says Demoranville, who explains that as a vCISO outside of the organization chart she’s buffered from politics and if she does run into toxic culture issues, it is easy enough to extricate herself. “Working internally is more difficult than externally because as a consultant you can leave if you want,” she says. “When you work internally it’s a lot harder to leave.”

Nevertheless, being a vCISO or any kind of security consultant is not a job made for everyone, Pedrick says. “For those who do thrive on structure and who want others to just tell them what they need to do to get their job done, if they want to clock out at the end of the day and walk away, well, then this world is not for those folks,” he says.

However, if that rigidity isn’t a must for you, he and the others say that this can be a fun and lucrative way to build security and business skills and take your career to the next level. In many instances it’s a great move for mid-career security professionals, even if they haven’t necessarily held a CISO role.

“You don’t have to have been a CISO or anyone in a higher-ranking position to qualify to be a vCISO. If you have deep security expertise to be shared and maybe more industry-specific knowledge with a long track record behind you, you are qualified,” Demoranville says. “I always say, find something you love about security and chase it to the highest level you can. Don’t limit yourself because some blowhard said you couldn’t do it.”
