IRON RODSecurity

Evaluating a vCISO Engagement Without Getting Sold Hours

Steven Carlson·

I have sat through enough vCISO pitches to recognize the pattern. The consultant walks in with a slide deck about frameworks and maturity models. They talk about NIST CSF and CIS controls and how they will assess your posture. Then they offer ten hours a week of their time and ask for a twelve-month commitment.

What they do not talk about is what you will have at the end of ninety days.

If you run an EMS agency or a fire department, your security needs are not the same as a bank or a hospital system. Your CAD system has to stay up, your ePCR data has to be available, and your dispatch center cannot go dark because someone pushed a patch that broke the radio interface. A vCISO who does not understand these constraints is not a solution. They are an expense.

Here is how to evaluate a vCISO engagement based on what they produce, not how many hours they bill.

The First 90 Days: What You Actually Get

A real vCISO produces artifacts. A generalist produces meetings.

In the first thirty days, you should receive three specific work products. An asset inventory that lists every CAD, ePCR, and dispatch system with ownership and data location. An immediate risk registry that identifies the vulnerabilities that could cause an operational outage tomorrow. A stakeholder map that names the decision-makers in your agency and the technical contacts at your critical software vendors.

In month two, the vCISO should deliver a current-state versus target-state comparison mapped to a recognized framework like NIST CSF or HIPAA, tailored to public safety constraints. They should also produce a policy gap analysis that tells you whether your existing policies reflect operational reality or are just shelf-ware. And they should complete an initial vendor risk assessment that reviews the SOC 2 reports, SLAs, and backup protocols of your primary CAD and ePCR vendors.

By month three, you should have a twelve-month strategic plan that prioritizes security wins by operational impact, not just technical severity. A budget estimate for the tools and personnel needed to close the identified gaps. And a draft incident response playbook for what happens when the CAD goes down, including communication channels that do not rely on the compromised network.

If your vCISO cannot name these work products in the first conversation, keep looking.

The difference between a vCISO who has worked in public safety and a generalist is visible in the first five minutes of conversation.

Contract Terms

The contract is where most agencies get into trouble. The standard model is a monthly retainer for a fixed number of hours. This creates a perverse incentive. The more hours the consultant spends, the more they bill. There is no reason to solve the problem quickly.

Instead, use a capped monthly retainer tied to completing specific work products. The fee stays the same each month, but it is contingent on producing the artifacts in the plan. This shifts the incentive from time spent to outcomes achieved.

Make sure the contract specifies that all documentation, risk registries, and plans are the property of the agency and must be delivered in an editable format. If the vCISO leaves, you should not lose your security program. The artifacts stay.

Include a service-level agreement that distinguishes between availability and responsiveness. Being available for a scheduled call is not the same as responding to a critical incident within four hours. Define both separately.

And include a termination-for-convenience clause with thirty days notice. If the chemistry is wrong or the delivery is not there, you need to be able to walk away without paying out the rest of the contract.

Specialists vs Generalists

The difference between a vCISO who has worked in public safety and a generalist is visible in the first five minutes of conversation.

Ask them how they would handle patching on the CAD server. A generalist will say something about automated patch management and vulnerability scanning. A specialist will ask what the maintenance window looks like and whether the vendor has certified the patch for the dispatch environment. They know that uptime matters more than patch version.

Ask them what the manual fallback process is if the ePCR system is encrypted by ransomware. A generalist will talk about backups and recovery time objectives. A specialist will ask how the crews document patient care when the electronic system is down. They know that clinical continuity matters more than technical recovery.

Ask them how a security control affects seconds-to-dispatch time. A generalist will not know what that means. A specialist will know that adding a step to the authentication flow could add measurable latency to a 911 response.

I wrote about a related problem in The Vendor Subprocessor Problem: When Your ePCR Vendor's Vendor Has Your PHI. The same principle applies here. The people who understand the operational environment are the ones who will ask the right questions.

Frequently Asked Questions

What is the difference between a vCISO and a general security consultant

A generalist provides technical advice based on broad standards. A vCISO acts as a strategic partner who owns the security plan, manages the budget, and takes responsibility for the overall security posture over a sustained period. The vCISO should produce artifacts. The generalist produces reports.

How do I know if my vCISO is just selling me hours

If your monthly updates are about how many hours were spent on various activities, you are being sold hours. If your updates are about completed work products and the top three risks that need attention this month, you are receiving a deliverable-based service. The distinction is clear in the first billing cycle.

Why is public safety experience critical for a vCISO

Public safety environments have unique constraints like twenty-four-seven uptime requirements and legacy hardware that cannot be easily updated. Clinical workflows depend on system availability. A generalist may recommend security controls that break life-safety communications or dispatch workflows. A specialist knows the difference between a theoretical control and an operational one.

What should I ask in a vCISO interview

Ask about their experience with CAD and ePCR systems, how they would handle a ransomware event in a dispatch center, and what they think about patching a production server that runs 911 software. The answers will tell you whether they understand your environment or are reading from a script.

The best vCISO I have seen was a former fire department IT director who had been in the dispatch center when a system went down. He did not need to ask what the priorities were. He already knew.

That is what you are looking for. Someone who has been in the room when the stakes were real. Not someone who read about it in a case study.

-- Steven

Need help with your agency’s cybersecurity? Get in touch

Evaluating a vCISO Engagement Without Getting Sold Hours | Iron Rod Security