Should You Outsource Your CISO?

Should You Outsource Your CISO on cyberguard360.comLearn how outsourcing the role of Chief Information Security Officer (CISO) can help you meet New York’s new cybersecurity regulations for less cost.

If you’re a non-exempt financial services company that missed the March 1, 2018 deadline for designating a Chief Information Security Officer (CISO) under New York’s new cybersecurity regulation (23 NYCRR 500), there is good news. Section 4 of the new regulation allows companies to fulfill the requirement with a third-party service provider, also known as a “virtual CISO,” or “vCISO.”

What is the role of a CISO?

Under 23 NYCRR 500, a CISO is responsible for creating and overseeing a company’s cybersecurity policy. One of their key roles is filing an annual report with a company’s board of directors or equivalent governing body outlining the risks to the company’s confidential information and the effectiveness of its cybersecurity program.

Benefits of a virtual CISO

Companies not exempted from 23 NYCRR 500 were required under Section 4 of the law to designate a CISO by March 1, 2018; but hundreds of smaller financial services firms still are still working to secure exemptions from the provision from the New York Department of Financial Services. Many of those firms could benefit from hiring a vCISO service for the reasons described below.


For small to mid-sized organizations, one of the biggest obstacles to hiring a CISO is the sheer cost. According to, the average CISO salary in the United States was $217,768 as of July 31, 2018, with individual salaries ranging from $190,283 to $251,409. A survey cited by Forbes in January 2016, pegged average CISO salaries in New York at $240,000 but estimated they went as high as $367,000. This means many companies are struggling to find a solution they can afford.

A vCISO can provide valuable industry experience at a reduced cost because their bandwidth is spread across several clients.


Most companies that provide vCISO services have amassed a team of technology executives with decades of experience. This level of expertise can be vital to helping IT staff members in your company who have very little formal security training comply with New York’s new cybersecurity law.

You can think of a vCISO as the architect behind the entire operation. He or she puts the processes and mechanisms in place that can then be followed by IT staff, with occasional oversight as needed.

Vulnerability due to turnover

You may have heard the saying in corporate America that “anyone can be replaced,” but that isn’t always the case with a CISO. This individual typically creates and executes the overall strategy for cybersecurity and if he or she leaves abruptly, a company can become suddenly exposed.

As the salary surveys demonstrate, competition for CISO talent is intense, particularly in New York. Larger virtual CISO providers, by contrast, have a deep bench of cybersecurity experts who can step up to the plate should key personnel leave. This insulates companies from inevitable turnover in IT talent.

Still unsure whether your organization needs a CISO?

If you’re still unsure whether you are exempt from Section 4 of 23 NYCRR 500, which requires financial services firms to designate an in-house or virtual CISO, reach out to Absolute Logic. Start the process online or call us at 844-315-9882 to schedule a session with one of our cybersecurity experts.