9 Biggest Reasons Why Virtual CISO Engagements Fail
As demands for cybersecurity expertise increase, it’s no surprise that Virtual Chief Information Security Officer (vCISO or fractional CISO) services continue to grow in popularity—especially among SMBs that may lack the budget for a full-time CISO.
If your business is considering a vCISO engagement or is looking to find a new vCISO, what are the major pitfalls you want to avoid? What should you be looking out for to ensure you engage a great vCISO?
This article overviews the nine biggest reasons why vCISO engagements fail or falter, as corroborated by long-time vCISOs.
One: Failure to establish mutually agreed expectations
Service providers and service consumers both have expectations going into vCISO engagements. These must be shared, validated, and aligned so that both parties are working towards a common goal with common priorities.
Some companies wrongly believe a vCISO can solve all their cybersecurity problems. Or they may want to move ahead unrealistically fast given the resources they’re ready to expend on cybersecurity. Or maybe they see cybersecurity as an “IT problem” and haven’t factored business strategy into the vCISO equation.
Perhaps most importantly, the hiring organization needs a clear understanding of what they want to accomplish with the vCISO engagement. To ensure their clients can articulate what their goals are, experienced vCISO providers take time to discuss cybersecurity risks and options prior to closing a deal.
Two: Getting caught up in tactical concerns at the expense of strategy
A successful cybersecurity program requires not just operational competence but also alignment with business strategy—a key area of expertise and coordinative focus for the CISO/vCISO role. But it’s one thing to develop a strategic plan and another to see it through to the end.
There are three main reasons why vCISO clients tend to falter or fail on executing strategic plans, potentially reducing the business value of a vCISO engagement:
- New or unexpected factors impacting the business, from a data breach to high-priority stakeholder demands to a major software migration, which require immediate prioritization until resolved. Pressing problems can arise anytime in any area of business, not just cybersecurity. But hopefully the focus shift they require is only temporary and your team can return to planned objectives within several weeks or months.
- A cultural tendency to over-focus on tactical minutia and lose sight of the bigger picture. It can feel like you’re forever going in circles, oiling the squeaky wheels yet never finding the bandwidth to execute on strategic goals. It can be extremely difficult to break out of this rut, even with a vCISO’s help.
- Getting IT-centric cybersecurity advisory services that are biased towards products and tactics and don’t provide adequate strategic guidance. As more managed service providers (MSPs) and managed security service providers (MSSPs) have begun offering vCISO services, this issue is coming up more frequently. Outsourced IT services are vital to many companies—especially SMBs. But it’s important for clients to understand what level of strategic guidance a vendor is able to provide with their vCISO offering.
Three: You don’t just need a vCISO, but also a virtual security team
As the architect of your cybersecurity program, you wouldn’t expect your vCISO to dive into nitty-gritty tasks like patching software or reviewing system logs. But if the vCISO isn’t handling operational activities, who is?
If a business hasn’t already filled critical cybersecurity roles, a vCISO engagement can fail for lack of tactical expertise and engagement. A great strategic plan isn’t of much use if there is insufficient talent to operationalize it.
Top vCISO providers (including CBIZ Pivot Point Security) can help address this challenge by adding on-demand or a la carte “virtual security team” services under the vCISO’s direction. It’s a great way to gain peace of mind that you’ll have all the cybersecurity expertise you’ll ultimately need for success.
Four: Your current vCISO lacks important knowledge to handle a pressing issue
Just as an individual might need advice or support from more than one medical specialist, an organization might need vCISO-level expertise in more than one cybersecurity discipline—data privacy, AI, compliance/audit, application security, cloud security, Internet of Things (IoT), etc., etc. No single vCISO can be “all things to all clients.”
For example, a business might acquire a new manufacturing facility with a lot of ongoing operational technology (OT) requirements. Even if they love their vCISO, they might be better off finding a new one that has deeper OT expertise, as this will now be routinely required.
Five: The client can’t commit the resources to implement their vCISO’s recommendations
It’s frustrating but not uncommon for a company to engage a vCISO but for whatever reasons be unable to act on their cybersecurity guidance.
Say you’re a vCISO trying to perform a risk assessment for a client, and it takes weeks just to get it scheduled. Finally, you go through the risk assessment, and the result is a list of serious risks that everyone agrees the client cannot live with. So you lay out plans to mitigate the risks, which inevitably involve actions on the client side. But at each bi-weekly status meeting, you hear, ‘We haven’t gotten to it yet.’ Months go by and you’re still not making progress…
Matt Webster, Partner at Harbor Technology Group, refers to these kinds of engagements as a “death spiral.”
“We’ve had a couple of clients where we’ve enacted the cancellation period and said to the client, ‘Listen, you’re not ready. You don’t have the appetite to really go after these pressing needs. Why don’t we step back from everything and we’ll re-engage when you have the time, wherewithal, and desire to accomplish these tasks,’” says Matt.
“If you’re considering a vCISO, you have to understand that your vCISO isn’t going to accomplish everything for you. They’re an advisor. So, it’s really important to think about the time and effort commitment that cybersecurity is going to take before you start this journey,” Matt adds.
Six: The client’s vCISO/cybersecurity “champions” are unable to drive change with senior management
It sometimes happens that an organization engages a vCISO, with much excitement to build an effective cybersecurity program. But without C-suite and boardroom support, real progress is likely to be difficult or impossible.
Even if the vCISO “champion” is the CTO or COO, it may not be enough to counter resistance from the CEO, CFO, or other senior leaders. Cybersecurity touches all areas of an organization, making strong executive support especially critical to success.
“You have to have that vision or that push from the top—it greases the skids for lack of a better term,” validates Matt.
Seven: Your vCISO leaves and has failed to pass along knowledge about your business
If you’re looking to onboard a vCISO, be sure to ask prospective providers about how they address client impacts associated with vCISOs turnover. Do they have a process within their vCISO business model to pass along institutional knowledge of your engagement so it’s not lost?
While the rapid turnover among CISO-level practitioners may be cooling in today’s uncertain business climate, it remains important to manage the risk of losing a vCISO’s knowledge of your business and its cybersecurity program. Otherwise, replacing your current vCISO could significantly delay your strategic plans, leaving you unable to meet contractual or regulatory requirements within an agreed timeframe, among other concerns.
Eight: Lack of cultural fit
Owing to the wide purview of the vCISO role, hiring firms should approach the engagement as if they were considering the candidate(s) for a full-time position. You want to feel a lot of comfort and trust with that person, because they will see both the good and the not-so-good in your organization. But as with any executive hire, sometimes a vCISO who interviews well may not ultimately work out for whatever reason.
Another concern for hiring orgs is the proverbial “bait and switch.” When evaluating vCISO providers you might be speaking to a partner or the principal of a firm. They might seem great and you end up engaging their company.
But what if the vCISO you get is not the person you’ve been speaking with? Are you equally as comfortable with the consultant assigned to the account as with the business leader who initially impressed you? vCISO procurers should make sure they have sufficient interaction with the person who will be their vCISO.
Nine: Lack of knowledge unique to your industry
Every vertical is different and some are like a world unto themselves. If you’re in such an industry, shop for a vCISO who has experience in your space.
For example, if you’re a SaaS provider, be wary of onboarding a vCISO who thinks a pipeline carries oil or gas or that Kubernetes is a city in Uzbekistan. They don’t need to be a full-stack developer, but they should have a solid technical understanding of cloud-native development.
Likewise, a manufacturer would want a vCISO who understands both IT and OT and has spent some time on a shop floor. Legal is another vertical where prior experience would be invaluable for any vCISO.
What’s next?
For more guidance on this topic, listen to Episode 147 of The Virtual CISO Podcast with guest Matt Webster, Partner at Harbor Technology Group.