Over my (somewhat lengthy) career, I have often been asked what a CIO (Chief Information Officer) does. More recently, I am also asked about associated derivatives such as vCIO and CIO-on-Demand. So, I decided it was time to put my thoughts to electronic “paper” and share what a CIO, vCIO, and Fractional CIO actually do, cover the related CISO and vCISO roles, and discuss why you should consider hiring a vCIO or vCISO.
A Few Definitions Among Alphabet Soup –
- CIO – Per Wikipedia, a Chief Information Officer “is a job title commonly given to the most senior executive in an enterprise who works with information technology and computer systems, in order to support enterprise goals.”
- Fractional CIO – Wikipedia states that a “fractional chief information officer differs from a traditional chief information officer in that they serve as a working member of a company's executive management team as a contractor and may or may not serve on the company's board of directors.”
- That same Wikipedia article goes on to additionally state that a “fractional CIO, also known as a part-time CIO, parachute CIO, or CIO on-demand, is an experienced, multi-faceted professional who serves as the part-time chief information officer of a small or medium-sized business that otherwise could not afford or would not need a full-time executive to hold the position of chief information officer.”
- Note that searching for “vCIO” on Wikipedia redirects to “Fractional CIO”.
- CISO – Again using Wikipedia, a Chief Information Security Officer “is a senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.”
What is a vCIO Anyway? –
The “v” in vCIO implies virtual, which is a bit misleading to me, but appears to be what the industry is settling on. To me, a vCIO is a part-time, or fractional, CIO, in effect outsourced and on-demand, providing strategic technology leadership and guidance to organizations, without the cost of a full-time CIO.
The vCIO may work virtually (it is now common for people to work remotely), although new business relationships are often best worked face-to-face, at least initially. Ultimately, it is the client organization, hiring the vCIO, that will dictate how best to handle on-site versus remote work.
In terms of what a vCIO truly is, I look at it as wearing the hiring organization’s hat, only on a part-time basis. When I have consulted as a fractional CIO, I am that organization’s CIO, and I am working diligently in the best interests of that organization, just on an arranged, part-time basis. This could be one day per week or multiple days per month, and could include ongoing quarterly or other periodic check-ins. It depends on the client, their needs, their budget, etc. This part-time leadership role interacts not only with the executive team within the organization, but often with the board of directors as well.
And a vCISO? –
The vCISO is very similar to the vCIO role, available to an organization on a part-time basis, but providing strategic leadership with a focus on enterprise cybersecurity and information-related compliance.
Some individuals can execute both roles, while others are only qualified to be the vCIO or the vCISO, but not both. Interviewing candidates and a background check should verify experience and qualifications.
Why Should You Hire a vCIO (or vCISO)?
While it is often smaller or medium-sized businesses that hire a vCIO or vCISO, it is not limited to just those sizes of organizations. To various degrees, all businesses need the following:
- Technology strategy and technology leadership.
- Technology roadmaps and execution.
- Technology assessments, reviews, and selections.
- People development and organizational structure (not just on the technology side!).
- Vendor partner and/or Managed Service Provider (MSP) reviews and selections.
- Cybersecurity strategy and risk mitigation, plus assistance with cybersecurity insurance renewals.
Larger organizations may also have unplanned executive leadership turnover and need to quickly get a vCIO or vCISO in place to keep the department stable and moving forward, while also assisting in evaluating internal and external candidates for a full-time replacement hire.
Here are the bullet points I often refer to when boiling down what a vCIO and/or vCISO can assist with:
- Assessments
- IT Technology Stack
- Security Posture
- IT Organization (People, Process, Org Chart)
- Compliance & Policy
- Strategic Planning
- Multi-Year Department Planning
- Annual Budget Review
- Executive Team / Board Presentations
- IT Organization Development
- Short-term or Long-term IT Department Leadership
- Staff Development and Mentorship
- Technology Roadmaps
- Security Risk Mitigations
- Compliance Attainments
- Software / Vendor Selection
- Technology Lifecycle Management
Hopefully, this article helps to explain the various roles and functions that a part-time vCIO or vCISO can execute within different organizations. You may note that I have intentionally avoided referencing specific industries here. There are definite unique requirements among different industries (think Health Care versus Manufacturing versus Retail), and those unique requirements should be considered during the vCIO or vCISO evaluation process, but at the end of the day, it boils down to People, Process, and Technology needs (& Security), regardless of the industry.
About the author:
Michael Lehman is the COO and vCIO Practice Lead for TSR Solutions, an MSP (Managed Services Provider) based in Wisconsin, supporting numerous clients in multiple states. Michael has been the top IT strategist for over 25 years at multiple organizations, plus was previously a fractional CIO supporting multiple SMB clients.