Making The Case for Virtual Chief Information Security Officers in Education


Information security is becoming more and more of a priority for educational institutions the world over, but it’s a serious challenge to find the right personnel to fulfill the role.  Talent is currently scarce because the cybersecurity industry is still relatively young and there is significant competition for cutting-edge information security officers.

This leaves many educational institutions with somewhat of a conundrum.  This is a role that cannot be ignored, and yet it seems that they can never find the right person.  To fill this gap, many have turned to virtual Chief Information Security Officers, engaged as a service rather than hired in-house.  This is a fascinating way to cover your bases and one that the entire education industry could benefit from.

What Are the Benefits of Having a Virtual Chief Information Security Officer (vCISO)?

Some of the key reasons that a vCISO makes so much sense for educational institutions are as follows:

  • Lower Costs.  Utilizing the service of a vCISO can drastically reduce costs because you can leverage the service as and when you need it.  Instead of having a permanent hire that comes with a fixed cost, you can engage with a managed services provider that allows more flexibility and tighter cost control to keep budgets in check.
  • Cutting-Edge Knowledge.  Cybersecurity is a field that is continually evolving and if you’re not on the cutting-edge of what’s going on, you can find yourself in trouble.  Working with a professional firm that specializes in this work means that you’re always leveraging the experience and expertise of someone who deeply understands the industry and the threats that come with it.  You don’t have to worry about continuous training for an in-house staff member, and you can rest assured that your cybersecurity is always up-to-date.
  • Policy Guidance.  vCISOs are always engaging with policymakers in government and other data security authorities so they can act as a direct line to how regulators are thinking about the field.  This allows them to advise on proactive policies that can position your institution effectively for the long term.  You simply wouldn’t get this industry insider knowledge if you were relying on an internal staff member.
  • Separation of Strategic and Operational Focuses.  A typical Chief Information Security Officer is tasked with managing both the strategic and operational components of any information security implementation.  However, these require completely different skillsets and mindsets – and would be better served if you had specialists in each area providing insights.  That separation is exactly what you get when you utilize the services of a vCISO because they can build a balanced team with a combination of skills at a fraction of the cost.
  • Regulatory Compliance.  The regulatory environment for education continues to evolve and a vCISO will ensure that you’re always compliant and fully in control of your destiny.  An important example of where this is valuable is the DOJ’s new cyber fraud initiatives, which seek to clamp down on organizations that have received federal grant funding but are not adequately prioritizing key cybersecurity initiatives.  Having someone on hand to manage these compliance concerns is worth its weight in gold.

Those are just some of the reasons why a vCISO can be so valuable.  To illustrate the points above, let’s look at a case study where we worked with a sophisticated higher education research institute to implement a vCISO in lieu of a new permanent hire.

Case Study

The institute in question included 700 professionals, students, and support staff from 38 different countries.  Combine this with a vast network of more than 200 public and private research sponsors and you have yourself a complex and nuanced information security landscape.  From a regulatory perspective, they needed to be compliant with NIST 800-171, NIST 800-53, FERPA, and TAC 202 as a state agency and educational institution.  And they also had a reporting deadline to the state in just a few months which required a risk register, security plan, and security program.

With a significant budget constraint, they turned to the services of a vCISO.

“We faced significant security concerns, but we couldn’t absorb the cost of a qualified, full-time CISO when ours accepted a promotion. We had heard about Columbia Advisory Group through their work with peer institutions, and we decided to consider their services in lieu of making another hire.”

We took on the role on a 6-month interim basis and assigned one of our strongest vCISOs to right the ship.  Immediately, the client felt the difference that an experienced and well-resourced team was bringing to the table.  Even in the midst of changing requirements from the Texas DIR, we managed to vastly increase the overall effectiveness of the security program at around 40% of the cost of a permanent hire.

An unexpected side effect of this was that the savings allowed for an internal IT operator to transition into a junior security role, making the cybersecurity strategy that much more robust and streamlining workflows across the organization.

The client had this to say: “We have found CAG to be responsive and efficient at leading and managing all cybersecurity projects and needs.  CAG provides product and tool recommendations for security monitoring as part of our vCISO service, helping us make more nimble and cost-effective solutions.   As part of the vCISO service, CAG provides ongoing vulnerability scans, more often than the organization did previously.  Our vCISO is fully integrated into weekly staff meetings and meets with researchers and staff regularly.  Sometimes the vCISO acts as the ‘heavy’ when tough decisions need to be communicated to researchers and stakeholders regarding cybersecurity and their work.  The voice of his expertise and seniority within higher education data security circles adds weight to these decisions.”

Hopefully, you can see just how powerful a vCISO can be for educational institutions to transform their cybersecurity setups.  If this is of interest to your organization, be sure to get in touch today, and let’s see how we can help.

ABOUT CAG: CAG is a highly experienced IT consulting firm. With 100+ years of combined technology experience and business acumen, CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments. By focusing on simple, meaningful, and practical solutions combined with straightforward analysis and recommendations, CAG’s team has experience in many regulatory and economic environments with companies and organizations of all sizes. CAG not only offers a deep understanding of IT, but its solutions are software and hardware agnostic. Whether a client is high growth or economically challenged, CAG can adapt to the complexities and nuances of that business. Based in Dallas, Texas, Columbia Advisory Group works extensively with clients throughout the United States. For more information, visit