{"id":3123,"date":"2025-05-12T06:30:00","date_gmt":"2025-05-12T06:30:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3123"},"modified":"2025-05-12T06:30:00","modified_gmt":"2025-05-12T06:30:00","slug":"the-rise-of-vciso-as-a-viable-cybersecurity-career-path","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3123","title":{"rendered":"The rise of vCISO as a viable cybersecurity career path"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>For all the talk of security skills shortages and the recession-proof nature of cybersecurity, it\u2019s been a tough job market for many veteran security professionals over the past year. The consensus among many in the industry is that hiring standards have grown more stringent, and maybe even unrealistic, for entry-level and midcareer positions. And for executive spots the reality is that there really are only so many CISO positions to go around.<\/p>\n<p>Many midmarket companies and even some larger companies <a href=\"https:\/\/www.csoonline.com\/article\/3607286\/so-you-dont-have-a-chief-information-security-officer-9-signs-your-company-needs-one.html\">still don\u2019t have a CISO<\/a>. According to a <a href=\"https:\/\/www.board-cybersecurity.com\/blog\/2024-02-18-percentage-of-10ks-that-mention-ciso\/\">Board Cybersecurity study of 10K SEC filings<\/a>, only 52% of public companies specifically mentioned having a CISO position as a part of their reports to regulators and investors.<\/p>\n<p>Nevertheless, there are plenty of opportunities for ambitious and even aspiring CISOs seeking to broaden their career prospects. 
One route that\u2019s gaining momentum is the virtual CISO (vCISO) or fractional CISO career path.<\/p>\n<p>Companies that don\u2019t have the means to hire a full-time CISO still face the same harsh realities their peers do \u2014 heightened compliance demands, escalating cyber incidents, and growing tech-related risks. A part-time security leader can help them assess their state of security and build out a program from scratch, or assist a full-time director-level security leader with a project.<\/p>\n<p>What they\u2019re looking for is a vCISO. According to recent studies, vCISO services are becoming a pressing market need. For example, <a href=\"https:\/\/cynomi.com\/state-of-the-vciso-2024\/\">Cynomi\u2019s State of the Virtual CISO 2024<\/a> showed that 75% of MSPs and MSSPs report very high demand for vCISOs and fractional CISOs.<\/p>\n<p>This demand is fueling a bona fide career path for security leaders that can be more than just a gig between in-house CISO roles. And many experienced security professionals are finding the variety and independence of vCISO work to be a rewarding route to career success.<\/p>\n<h2 class=\"wp-block-heading\"><strong>What the vCISO path can look like: Perspectives from four vCISOs<\/strong><\/h2>\n<p>To understand how varied and valuable these opportunities can be, we talked with four vCISOs about how they settled into their roles and what their workflows look like. Some work for service or consulting firms; others run their own businesses. Three served one or more stints as an internal CISO prior to jumping into the vCISO and consulting world. 
All have spent many years in IT amassing a wealth of cybersecurity, risk management, and compliance knowledge.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Damon Petraglia, vCISO and CISO on demand<\/p>\n<p class=\"imageCredit\">Blue Mantis<\/p>\n<\/div>\n<h3 class=\"wp-block-heading\">Damon Petraglia<\/h3>\n<p>A long-time cybersecurity pro with chops built up in the federal government world and through forensic investigation work, Damon Petraglia works as a vCISO and CISO on demand for the IT services firm Blue Mantis.<\/p>\n<p>\u201cWhere I am today as a vCISO is a culmination of 20 years of experience in information security,\u201d says Petraglia, who has worked as an embedded vCISO at universities, hospitals, and other state agencies. \u201cI started out as a contracted federal investigator, wound up going into digital investigations, owned my own forensic computer investigation company for a while, contracted to the government and then contracted out to private industry, wound up consulting as an advisor to CISOs in various capacities, and then becoming a CISO myself for different organizations.\u201d<\/p>\n<p>He has run his own consulting firms in the past but now works for Blue Mantis so he can focus on the security work he really enjoys.<\/p>\n<p>\u201cWhen you own your own business or you hang your own shingle, you necessarily have to take time away from the core of what you\u2019re doing because you\u2019ve got to run that business and you\u2019ve got to do the sales, and you\u2019ve got to do all the marketing, and you\u2019ve got to be out there,\u201d he says. \u201cAnd so, there\u2019s a lot of time away from actually doing what you\u2019re good at or what you love.\u201d<\/p>\n<p>His work today is done as a part of a small and specialized team that his firm calls the security transformation group. The work he does is extremely varied. 
\u201cAs a vCISO you can be embedded in an organization and then you\u2019re sort of available to them at any given time, even though you may have set contractual hours and agreements like that,\u201d he says. \u201cBut I\u2019ll also do project work for people. I\u2019ll do assessments, I\u2019ll do incident response, I\u2019ll do incident response planning, I\u2019ll do policy development.\u201d<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Kristin Demoranville, CEO, AnzenOT<\/p>\n<p class=\"imageCredit\">AnzenOT<\/p>\n<\/div>\n<h3 class=\"wp-block-heading\">Kristin Demoranville<\/h3>\n<p>A vCISO with very specialized expertise in the food, agriculture and operational technology worlds, Kristin Demoranville has worked her way up the tech food chain not once but twice before locking into her specialty.<\/p>\n<p>\u201cThe majority of my career has been in tech \u2014 I was in break fix way back in the early days and even drove a Geek Mobile for a hot minute,\u201d says Demoranville, CEO of AnzenOT. By 2008 she\u2019d worked her way up to director level in the tech sector but ended up getting caught up in the tech crash of that year. So, she decided to go back to school for environmental management to get a job that had nothing to do with any of the tech work she\u2019d previously done.<\/p>\n<p>\u201cBut the joke is on me because I totally use that experience all the time now, which is hilarious to me,\u201d she says, explaining that after getting her degree she wound up getting back into tech \u2014 this time as a security analyst. She essentially had to start over at the bottom rung.<\/p>\n<p>\u201cIt was super humbling but the best thing that could have ever happened in my career. I worked my way up to CISO in that company by the time I was done,\u201d she says, explaining that the firm was a food company that has since been sold. \u201cI cut my teeth heavily in there with operational technology and just fell in love with it. 
I got to know the food side and understanding where food safety culture intersected with cybersecurity.\u201d<\/p>\n<p>After that job she jumped back over to the tech sector, working for Sony running its risk management team. It might sound like a departure but not so much when considering the company\u2019s manufacturing roots. She wrote Sony\u2019s first factory security control policy \u2014 one that is still in use today. And then she moved to consulting, working for a large consulting firm in the CPG and food industries. She worked her way up to partner and almost burned out in the process. When her firm underwent a reorganization and released her, it was her chance to set her own pace and control her own stress.<\/p>\n<p>This was how her independent firm was born. Now she\u2019s a near one-woman band \u2014 she leans on her partner Stuart King for professional support and engineering help in building a platform for OT risk assessment that she uses in her engagements. She says the work is exciting and crucial due to the relative immaturity of her industry specialty when it comes to cyber.<\/p>\n<p>\u201cA lot of these places I\u2019m dealing with don\u2019t have any type of CISO roles. They don\u2019t even have a head of security or anything at all sometimes. If they do, it\u2019s on the IT side,\u201d she says. \u201cSo, it is sort of de facto vCISO because I become *the* security person.\u201d<\/p>\n<p>She considers it her mission to try to get her clients to understand that much of cyber risk management is not related to IT at all. Not only does she try to level up discussion to a broader business risk focus, but she also tries to tie many of her discussions back to the operational technology issues that OT production operators care most about, such as issues of health and human safety. \u201cBecause I\u2019m experienced in operational technology, if I can get with production or the operators, I can speak their language,\u201d she says. 
\u201cIt\u2019s really about process management, strategy and advisory work, and risk management as a whole. I\u2019m really a risk person.\u201d<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Mike Pedrick, VP of cybersecurity consulting and a client-facing vCISO, Nuspire<\/p>\n<p class=\"imageCredit\">Nuspire<\/p>\n<\/div>\n<h3 class=\"wp-block-heading\">Mike Pedrick<\/h3>\n<p>Like many longtime security veterans, Mike Pedrick worked his way into the CISO spot by way of generalized IT roles. Prior to his consulting career he ran IT and information security for a manufacturing firm, working at the executive level for over eight years. \u201cThat\u2019s an eternity in our particular industry. And I definitely enjoyed the people and my time there, and I learned a lot. I grew a lot as a person. It permitted me time to raise a family and so on. But it just became so unchallenging,\u201d Pedrick says. \u201cI was bored.\u201d<\/p>\n<p>It\u2019s been twenty years since he left that in-house role and jumped into security consulting, working on all areas from infrastructure and IT architecture work to risk management over the decades. Along the way he\u2019s been called to dive into a range of vCISO positions while working for numerous consulting firms. He\u2019s worked as the acting CISO of client firms, helped guide projects, and done a significant amount of advisory work. This is his bread and butter.<\/p>\n<p>\u201cPart of my ethos is I enjoy mentoring; I enjoy teaching. I do both quite regularly as a vCISO and I\u2019ve been teaching for ISACA for 10 years now,\u201d he says. \u201cIn fact, I\u2019ve got a client right now who is very new to information security leadership and we have meetings on a recurring cadence. I say \u2018Here\u2019s how I think I would approach this or that. 
Let me know if you want to jump into a conversation with the other parties in your organization.\u2019 And he chooses based on how confident he feels in the process.\u201d<\/p>\n<p>He says he especially likes his current position at Nuspire as the VP of cybersecurity consulting and a client-facing vCISO because he\u2019s a huge automotive enthusiast and his firm has enabled him to specialize in that industry. So, he\u2019s able to still enjoy the variety of vCISO work while also settling into a specific industry that feels like \u2018home\u2019 to him.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Tim Howard, managing partner and vCISO, Fortify Experts<\/p>\n<p class=\"imageCredit\">Fortify Experts<\/p>\n<\/div>\n<h3 class=\"wp-block-heading\">Tim Howard<\/h3>\n<p>Of this particular selection of vCISOs, Tim Howard has one of the most unusual paths to the job. His journey started in technology staffing and executive search consulting. His businesses would help tech and business leaders build out their cybersecurity teams and executive roles.<\/p>\n<p>\u201cBack in 2014 or so we saw the uptick in cybersecurity take off pretty significantly and created a new company called Fortify Experts, and we soon became the go-to guys for hiring CISOs,\u201d he says.<\/p>\n<p>From that people-centric position in the industry he started building professional networks and connections with CISOs and cybersecurity risk professionals. 
The work started to blur, from simply filling a role to assessing the state of clients\u2019 security teams and eventually the overall state of their cyber programs.<\/p>\n<p>\u201cWe started getting drawn more into these engagements where we\u2019d be drawn into doing the assessments,\u201d he says.<\/p>\n<p>Additionally, one of the big pushes his firm made was to develop a CISO forum that would create a safe place for CISOs to discuss interesting topics or professional challenges.<\/p>\n<p>\u201cSo here I\u2019d have 40 or 50 CISOs all talking about these topics and I\u2019m learning an awful lot. It\u2019s almost like I had been coached by some of the best CISOs in the country for years and we were already doing assessments,\u201d he says. \u201cUltimately, we got pulled in as opportunities came along to help companies on more of a project basis rather than helping them hire a CISO. Projects like \u2018Can you help assess where we are, build a roadmap, or give me a prioritized target list of security work where we can get the best bang for our buck?\u2019\u201d<\/p>\n<p>Because of his significant business and executive experience, Howard has been able to relate to clients in the way that they really need security leaders to approach problems \u2014 namely with a business-focused lens. He\u2019s also not so much focused on doing the work himself as on building a brand and professional platform under which other semi-independent vCISOs can work. For example, he provides these pros with technical tools and training, as well as support materials like master service agreements (MSAs). Additionally, he helps provide business coaching. \u201cThen they can step (into the security work) and still take 80% of their own cut for their business,\u201d he says. \u201cThen they\u2019re leveraging a bigger brand and we\u2019re all working together. 
We basically create a lead structure for everyone.\u201d<\/p>\n<p>He says he has five regulars that he works with and a much bigger network that he taps into on an as-needed basis, for example if a client has a project that requires a very specific set of skills. \u201cAnd then I\u2019ve still got the recruiting arm,\u201d he says. \u201cThat way anytime a client or a network vCISO runs up against staffing challenges like \u2018Hey, we need a technologist for a certain time period\u2019 or \u2018I\u2019ve got to do some GRC work,\u2019 then we can help them bring those folks in, too.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Controlling your destiny as a vCISO<\/h2>\n<p>The range of work done by our panel of vCISO experts illustrates the dynamic nature of vCISO working models. The kinds of engagements vary widely depending on the client\u2019s needs. In many cases companies are seeking subscription or retainer arrangements.<\/p>\n<p>In some of these ongoing relationships this could be to fill the proverbial chair of the CISO, doing all the traditional work of the role on a part-time basis. This is the kind of arrangement most likely to be referred to as a fractional role. Other retainer arrangements may just be for an advisory position where the client is buying regular mindshare of the vCISO to supplement their tech team\u2019s knowledge pool. They could be a strategic sounding board to the CIO or even a subject-matter expert to the director of security or newly installed CISO.<\/p>\n<p>But vCISOs can work on a project-by-project or hourly basis as well. \u201cIt\u2019s really what works best for my potential client,\u201d says Demoranville. \u201cI don\u2019t want to force them into a box. So, if a subscription model works or a retainer, cool. 
If they only want me here for a short engagement, maybe we\u2019re trying to put in a compliance regimen for ISO 27001 or you need me to review NIST, that\u2019s great too.\u201d<\/p>\n<p>Meantime, as security pros start to work their way into the vCISO market they\u2019ll have to consider whether they want to hang their own shingle or work for a consulting company.<\/p>\n<p>\u201cThere are a couple of alternatives,\u201d says Pedrick. \u201cThere\u2019re the solopreneurs that provide vCISO consulting services to a small group of clients. They keep their client load just what they need to cover the bills. There\u2019s folks that work for a consulting organization \u2014 for better or for worse \u2014 and they are more like the utility players. And then there are those that are trying to grow a brand of their own and grow an organization.\u201d<\/p>\n<p>Any one of those paths may morph or change for a vCISO as their client loads shift and new opportunities crop up. But one of the prevailing themes among all of the vCISOs we spoke with that keeps them rooted in this path is the opportunity for varied and interesting work that constantly flexes their skills.<\/p>\n<p>\u201cWhen you work for one organization what happens is you start to get stagnant once you build out a program,\u201d says Petraglia. \u201cTo me, working as a vCISO is a lot more exciting because there\u2019s always something new to work on. You have a new industry, you have a new company, you have a new culture, you have new and different challenges to face.\u201d<\/p>\n<p>What\u2019s more, as a vCISO you control your own destiny, and you have much more control over the working conditions and the environment you work in on a day-in and day-out basis. 
As a woman in the male-dominated world of security this can be especially refreshing, says Demoranville, who explains that as a vCISO outside of the organization chart she\u2019s buffered from politics and if she does run into toxic culture issues, it is easy enough to extricate herself. \u201cWorking internally is more difficult than externally because as a consultant you can leave if you want,\u201d she says. \u201cWhen you work internally it\u2019s a lot harder to leave.\u201d<\/p>\n<p>Nevertheless, being a vCISO or any kind of security consultant is not a job made for everyone, Pedrick says. \u201cFor those who do thrive on structure and who want others to just tell them what they need to do to get their job done, if they want to clock out at the end of the day and walk away, well, then this world is not for those folks,\u201d he says.<\/p>\n<p>However, if that rigidity isn\u2019t a must for you, he and the others say that this can be a fun and lucrative way to build security and business skills and take your career to the next level. In many instances it\u2019s a great move for mid-career security professionals, even if they haven\u2019t necessarily held a CISO role.<\/p>\n<p>\u201cYou don\u2019t have to have been a CISO or anyone in a higher-ranking position to qualify to be a vCISO. If you have deep security expertise to be shared and maybe more industry-specific knowledge with a long track record behind you, you are qualified,\u201d Demoranville says. \u201cI always say, find something you love about security and chase it to the highest level you can. Don\u2019t limit yourself because some blowhard said you couldn\u2019t do it.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>For all the talk of security skills shortages and the recession-proof nature of cybersecurity, it\u2019s been a tough job market for many veteran security professionals over the past year. 
The consensus among many in the industry is that hiring standards have grown more stringent, and maybe even unrealistic, for entry-level and midcareer positions. And for [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3124,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3123","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3123"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3123"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3123\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3124"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}