What Should Boards Demand from a vCISO?

  • Writer: Robert Yaus
  • 2 days ago
  • 2 min read

Updated: 2 days ago

Boards: Don’t Buy “Security Activity” — Demand Risk Governance

Not all vCISO services are equal

The market is crowded with “vCISOs” who are smart, well-intentioned, and hardworking. Unfortunately, many have never actually sat in the CISO seat - even when the service is delivered through a reputable advisory firm. That gap matters, because the role isn’t just about knowing frameworks and best practices. In reality, it’s about leading a risk program.

Why it matters

A vCISO has to lead through ambiguity - driving risk decisions, influencing executives, and building an operating model that holds up under pressure. Pressure looks like:

  • an incident that forces fast decisions,

  • a customer audit that threatens revenue,

  • a regulatory inquiry,

  • budget constraints,

  • competing business priorities that constantly push security down the list.

In those moments, the difference between advice and leadership becomes obvious.

What the board actually needs

Boards are accountable for oversight. This is particularly true for publicly traded companies where the oversight role is published in a charter. In practice, it comes down to a short list of questions - questions that indicate whether cyber risk is being managed like any other enterprise risk. Here is the Five-Question Scorecard:

  • What are our top risks?

  • What changed since last quarter?

  • What are we doing next?

  • What decisions do we need to make?

  • How do we know we’re getting safer?

If your vCISO can’t answer these clearly and in plain language with evidence or supporting artifacts, your program isn’t aligned to risk or resilience. You don’t have effective governance. You have optimism at best.

What to ask on a quarterly basis

The simplest way to ensure you’re getting decision-grade leadership is to require a consistent set of deliverables every quarter. Next time you meet with your vCISO, ask for the following Board Pack:

  • Top 10 enterprise cyber risks written as clear risk statements with business impact + owner

  • Risk register with treatment plans, milestones, and dates

  • Quarterly risk trends + what changed + key decisions required

  • Metrics dashboard with leading indicators + thresholds

  • 12-month roadmap (sequencing + resourcing assumptions + tradeoffs)

  • Tabletop exercise or similar program validation results plus improvement plan tracked to completion

  • Critical vendor risk summary plus remediation tracking

  • Annual policy refresh summary plus exceptions trend

These artifacts force a risk-based approach: focus on cyber risk reduction, accountability, and measurable progress. They also give the board what it needs most: clarity and decision points.

The bottom line

Boards should demand a vCISO who can operate like a real CISO: set direction, drive execution, and provide decision-grade governance around cyber risk. Because in the moments that matter - an incident, a regulatory inquiry, a major customer diligence request, or public scrutiny - security is no longer a strategy discussion. It’s a leadership test. If you want a vCISO who leads like a CISO, start with the Board Pack and the Five-Question Scorecard. Everything else is just noise.