Before comparing the salary costs of a full-time CISO and a vCISO, we should first look at the differences in their output.
In nearly every case, there is no tangible difference in the work product of a CISO and a vCISO. In both cases, interviews should be conducted as part of the engagement to assess skills, experience, and cultural fit with the organisation. Assuming your organisation selects the right candidate for the job requirements, the impact on the organisation should be nearly identical when working on the same project under the same time constraints. The one significant difference is the calendar time a project may take to complete: a vCISO works against an agreed time commitment each month rather than full-time, so the same amount of work is spread over a longer period.
The cost of a full-time CISO can be as low as £75,000 a year. However, base compensation varies widely; most fall in the £120,000 to £400,000 range.
In-house CISO salaries are continuously increasing, at one of the fastest rates in the IT sector, which often makes employing an internal full-time CISO cost-prohibitive. The escalating wages are driven by the increased emphasis organisations place on security and by the specialised skill set the role requires.
So, if your organisation is not ready for a full-time CISO, your best choice may well be to initially engage a virtual CISO, for around £5,000 per month, to help build and support the security initiatives within your business. However, if you engage a vCISO on a full-time basis, expect to pay significantly more: typically 30-60% above what most vendors charge for a full-time direct hire.