NIST AI RMF: Where to Start with AI Governance
Quick Answer: AI governance starts with the Govern function of the NIST AI RMF. That means establishing an AI policy, updating existing cybersecurity...
9 min read
Randy Lindberg
:
08 Jul 2026
Quick answer: Choose a vCISO who acts as a strategic security leader, not an operator. The right one owns risk, governance, board reporting, and the examiner relationship, asks for read-only access, and can explain their cyber risk model in dollars. Budget from the dollar value of the risk you are reducing, not a flat rate, and expect clear progress within 90 days. If a pitch is heavy on tools and light on strategy, keep looking.
You have one or two people covering security, the board keeps asking questions nobody can answer with confidence, and your last exam left findings on basics that should have been handled years ago. A virtual CISO (vCISO), sometimes called a fractional CISO, can fill that leadership gap. The problem is that the term gets attached to almost anything now. Some providers sell you a strategic security leader. Others sell you someone who runs tools and calls it a vCISO. This guide walks through how to tell the difference and choose the right vCISO for a regulated financial institution like a credit union or community bank.
I have spent about 25 years living between technical security and the business, including time as the security leader for an Air Force base, a grocery chain, a four billion dollar bank, and eight years as a virtual CISO for a software company. That seam, tying security to the business, is exactly where a vCISO belongs. Here is how to hire for it.
A vCISO is a fractional security leader. The role should be roughly 90% executive and management work: governance, risk, compliance, strategy, board reporting, and the examiner relationship. It is not hands-on operations.
That distinction matters because three different services get confused all the time. Here is how vCISO, MSSP, and compliance consultant compare:
| vCISO (virtual or fractional CISO) | MSSP | Compliance consultant | |
|---|---|---|---|
| Primary job | Security leadership and decision-making | Security operations | Point-in-time assessments and policy work |
| Owns | Strategy, risk, governance, board and examiner reporting | Monitoring, alerting, running tools | Gap assessments, policy drafting |
| Time model | Fractional, ongoing | Continuous, 24/7 | Project-based |
| Best when | No one owns the security strategy | You need eyes on tools around the clock | You need a specific assessment or policy set done |
| Not the fit for | Hands-on tool operation | Strategy and board reporting | Ongoing leadership |
If what you actually need is someone to run vulnerability scans and watch a SIEM, that is not a vCISO. That is an analyst or an MSSP. Start every conversation with the pain you are trying to solve, not the title.
Built for lean security teams in highly regulated industries
You probably need a vCISO if you recognize a few of these:
That last one is worth sitting with. In a regulated industry, where the consequences are measured in real money or, in healthcare, in lives, having IT own security is not the same as having a security leader. IT and security are different disciplines with different focuses. If you are in a regulated industry without a security leader, that is a strong signal to bring in help.
The cleanest way to scope the role is to separate strategy from operations. A vCISO leads; it does not operate.
Always in scope:
Out of scope:
The biggest gray area is how much the vCISO touches tools. This is where programs go sideways: the institution assumes the vCISO will run the security stack, while the vCISO assumes they are there to oversee it. Settle that up front. The right answer is read-only access. I have walked into roles where someone handed me domain admin because everyone else had it, and the first thing I did was give it back. A vCISO who can change configurations is a vCISO with a conflict of interest. You want them to read and advise, not to break things and then sign off on their own work.
There are three common ways to buy virtual CISO services. All of them can work. The question is where each one fails.
| Model | What you get | Where it breaks down |
|---|---|---|
| Solo vCISO | A deep, consistent relationship with an experienced person who has a clear playbook | Overload. You rarely know how many other clients they carry, and their expertise may not match your exact need |
| Firm with a bench | Broader expertise, redundancy, and the ability to scale | Being sold on a senior name, then handed a junior analyst for the actual work |
| Platform-enabled | A vCISO backed by a shared platform instead of personal spreadsheets, with real risk visibility, consistent reporting, and continuity | Only as strong as the platform behind it, so the platform itself is worth vetting |
John Moeller, who has run vCISO engagements both ways, put it plainly: for years his platform was Excel and Word, and moving to a real platform took the role to another level. It is simply more efficient, and the work does not live or die with one person's filing system.
This is where the Rivial platform-enabled vCISO model fits. It gives a vCISO read-only visibility into your environment, consistent reporting across engagements, vulnerability and remediation tracking, and a risk assessment that ties audit results back to the risks they affect. Most important for the board: it expresses cyber risk in dollars using an eight-element Cyber Risk Model and Monte Carlo simulation, so risks tagged during an assessment become a dollar-denominated board report instead of another high, medium, low chart. That is the difference between activity and a number leadership can actually act on.
Picture a three-legged stool. A strong vCISO stands on three legs of equal weight: a strategic cybersecurity thinker, a clear communicator, and someone with industry-specific experience. It is a balance, not a hierarchy.
People want to treat this as specialist versus generalist. It is not. A pure FFIEC, GLBA, or HIPAA specialist who cannot think strategically or explain risk to a board has one leg and tips over. A brilliant generalist who has never operated under regulatory exam pressure is also missing a leg. In financial services, where the examiner relationship is real and security leaders are often judged by their number of exam findings, industry experience earns its third. A vCISO who knows the FFIEC IT Examination Handbook and how NCUA examiners actually work walks in ready. You cannot fake your way through an exam. But it does not replace the ability to set strategy or to make security make sense in a boardroom.
Hire for the most balanced person across all three legs. The candidate who is solid on strategy,
communication, and your industry will outperform the world-class specialist who is shaky on the other two almost every time.
Two red flags are easy for a non-security buyer to miss.
The first is the pitch that promises to take it all off your hands: "We will handle all of your cybersecurity, just leave it to us." In a regulated industry, that is the wrong answer. A good vCISO educates you and makes sure you can provide oversight of them. They do not remove your ability to govern the program.
The second is the pitch that is impressive because it is full of technical activity. If a provider walks you through the tools they will deploy, the scans they will run, and the dashboards they will stand up, it feels like action and looks like a lot of value. But the vCISO's value is strategy, governance, and translating risk to your board and examiners. A pitch heavy on tools and light on risk is often a sign you are looking at an analyst, not a leader.
Two questions cut through both. Ask what their cyber risk model is. If they can explain how they measure and manage risk, that points to the executive side. If the answer sounds vague, dig in. Then ask what system access they need. If the answer involves admin, domain admin, or root, that may not be the right service for you.
vCISO cost ranges widely, from a few thousand dollars a month to twenty thousand or more, roughly twenty thousand to one hundred thousand dollars a year depending on the engagement. Do not start from a rate card. Start from risk.
Here is back-of-the-napkin math you can do before any detailed assessment. Pick the event you are actually afraid of. For most financial institutions that is one of two things: a damaging exam finding or a data breach. Take one and ask two questions. If it happened, what would it cost? And how likely is it in a given year?
Say a breach would cost you five million dollars once you add up remediation, member or customer notification, lost business, legal fees, and exam fallout. That is not a wild number: IBM's 2025 Cost of a Data Breach Report puts the average breach in financial services at $5.56 million. Say there is a 10% chance of it happening in a year, which is a reasonable estimate for many financial institutions. That single scenario is carrying about five hundred thousand dollars of expected loss per year.
That number is the point. It replaces high, medium, low with a dollar figure, and it tells you roughly where you should land. A smaller, less complex institution with modest exposure sits at the lower end. A larger, more complex one with heavy exam scrutiny and a bigger blast radius sits higher. Then weigh the price against how much of that risk the vCISO can actually reduce.
Cost is driven mostly by four things: your size and complexity, your program maturity, your regulators' expectations (a three or a four on a recent IT exam signals real work ahead), and what your internal security leadership looks like. Buyers also routinely underestimate the hours. Four hours a month sounds cheap until one monthly steering committee meeting, with prep and follow-up, eats most of it.
By the six-month mark, and arguably much sooner, you should see clear signs of progress:
A quietly failing engagement looks busy but goes nowhere. The vCISO attends meetings, sends emails, and produces reports, but there is no roadmap, no strategy, and the risks that were identified are not getting addressed. Activity is not progress.
My own rule is even tighter. I read years ago that if a new hire has not started doing something well in the first 90 days, they probably never will. So at 90 days, take the list of what the vCISO promised and compare it to what they have actually accomplished. Whatever has not happened yet is likely something they will never be great at, and that is your cue to rethink the relationship.
If you take one thing from this, make it this. The risk assessment is the foundation of the security program. Before you scope a vCISO engagement, or even as the first engagement itself, run a risk assessment. It tells you where you actually stand, where your biggest exposures are, and which work to tackle first. From there you build the roadmap and use the vCISO's time on the things that reduce the most risk, in the right order. That is where the return is.
Start with a free cyber risk assessment. We will run a cyber risk assessment of five of your critical systems so you can see exactly how we operate before any commitment. It is a clean way to find out where you stand and whether a vCISO engagement is the right fit, with no sales call required. Sign up for the free cyber risk assessment.
What is a vCISO? A vCISO, or virtual CISO, is a fractional security leader who handles strategy, governance,
risk, board reporting, and the examiner relationship for organizations that need security leadership but do not have a full-time CISO. The role is leadership, not hands-on operations.
Do small credit unions and community banks need a vCISO? If no one owns your security strategy, the board is asking questions nobody can answer, or exams keep surfacing the same basic findings, a vCISO can fill that gap. If you only need someone to run scans or monitor tools, an MSSP or analyst is the better fit.
What is the difference between a vCISO and an MSSP? An MSSP runs security operations such as monitoring and alerting. A vCISO leads the program: strategy, risk, compliance, and reporting to the board and examiners. Many institutions use both.
How much does a vCISO cost? Roughly twenty thousand to one hundred thousand dollars a year, driven by your size and complexity, program maturity, regulatory expectations, and internal leadership. Budget from the dollar value of the risk you are trying to reduce, not from a flat rate.
Should a vCISO have admin access to our systems? No. A vCISO should have read-only access. Admin or domain admin access creates a conflict of interest, because a vCISO should advise and oversee rather than configure systems and sign off on their own work.
Tags: vCISO, Risk Assessment, Cyber Risk Quantification, Board Reporting, Vendor Management, Credit Unions
About the author
Randy Lindberg is the founder and CEO of Rivial Security. He has spent about 25 years across security leadership roles, including security leader for an Air Force base, a four billion dollar bank, and eight years as a virtual CISO for a software company. He built Rivial around quantifying cyber risk in dollars so security leaders can report to boards and examiners in terms the business understands.
Built for lean security teams in highly regulated industries
Quick Answer: AI governance starts with the Govern function of the NIST AI RMF. That means establishing an AI policy, updating existing cybersecurity...
Quick Answer: NCUA examiners prioritize a mature, quantitative risk assessment methodology above all else, regardless of your credit union's asset...
1 min read
Here are the key takeaways from this blog: New NCUA Rule Requires 72-Hour Reporting: As of September 1, 2023, all federally insured credit unions...