[OUTLINE — expand before publishing]
The vCISO market has a low barrier to entry: anyone with a LinkedIn title and a folder of policy templates can sell "virtual CISO services," and the difference between a real security executive and a rebadged consultant usually doesn't show up until you're six months and many thousands of dollars in. The fastest way to protect yourself is to ask harder questions before you sign. These ten separate the professionals from the pretenders — along with the answers you should expect to hear.
Before the questions: know what you're buying
- Recap engagement models and tiers: advisory, fractional retainer, full program ownership
- Match the conversation to your actual driver: compliance deadline, customer security demands, board pressure, or a regulatory need like CMMC
The 10 questions
- 1. Who, specifically, will be my vCISO — and what are their credentials? Expect names and certifications (CISSP, CISM, CISA), not a bench description.
- 2. What deliverables will I have in hand after 90 days? Expect an immediate, specific answer: risk assessment, roadmap, policy plan.
- 3. How many hours am I buying, and who covers when you're unavailable? Solo-practitioner risk vs. team-backed continuity.
- 4. Have you run programs under my frameworks? Ask for specifics by framework — SOC 2, HIPAA, NIST 800-171/CMMC — and how many audits or assessments they've sat through.
- 5. What happens when we have an incident at 2 a.m.? On-call expectations, escalation path, and what's inside vs. outside the retainer.
- 6. Do you resell products or take referral fees? Independence test — recommendations should stand without commissions; disclosure at minimum.
- 7. How will you report to my leadership and board? Ask to see a sample board deck and metrics pack.
- 8. Can you serve as our named security officer? Regulatory and contractual designation — and whether they'll put their name on it.
- 9. What does it cost, and what changes the price? Clear scope triggers beat vague "we'll flex with you" answers.
- 10. What do we keep if we part ways? Policies, risk register, and documentation ownership; offboarding handover in writing.
Red flags that end the conversation
- No named individual — only certifications "across the team"
- A price quoted before any discovery of your environment
- Templates presented as strategy; no sanitized artifacts from past engagements
Scoring the answers
- Simple rubric: separate dealbreakers from preferences
- For regulated businesses, weight incident support and framework experience heaviest
How Essendis helps