Zofia Buzz




Put in more common terms – A “Virtual Chief Information Security Officer” (VCISO) is similar to “CISO as a Service.” With the VCISO, businesses contract for a specified person (assuming that is the offering.) “CISO as a Service” is a service where an organization might get any number of people to satisfy requirements and tasks. In practice, many companies offer hybrids of the two services.

Our Virtual CISOs are available on an “as-needed” or contracted hours basis and responsible for providing Cybersecurity or overall security support for the organization. These responsibilities can be as simple as validating existing policies, procedures, controls, responding to audit findings and developing a cybersecurity roadmap for a specific company.


There are multiple reasons why a company may decide to use a Virtual CISO

    • EXPENSE. Small- to Mid-sized organizations may not be in a financial position to allocate a high level of resources to a full-time CISO or Chief Security Officer position, or they may have outsourced computing technology resulting in a less-robust need for a full-time person.

    • TRAINING.Zofia Consulting VCISOs assist companies that might have a CISO that is under-trained, or over-tasked. In that case, Zofia Consulting VCISOs can operate as coaches and/or force multipliers saving corporate costs and reducing risk.

    • GAPS. Zofia Consulting VCISOs can assist companies experiencing a vacancy in a full-time position while the selection process is being worked and candidates are being vetted. Companies may also want to consider using a VCISO to support the technology assessment portion of a selection process. Having an experienced CISO work with your organization on a short-term basis could optimize your selection process time and increase the likelihood of selecting a valuable long-term employee.

    • COMPLIANCE. Zofia Consulting VCISOs provide an objective assessment of your current situation or to perform the duties of a CISO either on an interim basis or as needed based on regulations (some states are starting or considering requiring a named CISO in specific industries) to support the overall desire to strengthen the protection of organizational assets. Organizations also may experience confusion or anxiety with trying to comply with a myriad of new compliance schemes (ISO 27001, GDPR, NIST SP800-53 or SP800-171, RMF, PCI, HIPAA, ITAR, and many more.)

    • EMERGENCY. It happens. An unexpected breach or other incident can create chaos and threaten an organization. This is a time for “all hands on deck,” but some organizations find out they lack the skillsets to recover smartly and address the technical and regulatory requirements. Zofia Consulting VCISOs come to your aid quickly and work with your general counsel, incident response team (if available), acquisition support, and IT team to get your organization quickly, safely and legally back up to speed in full operations. Our VCISOs will also help prepare communications to the C-Suite and shareholders to shore up confidence in an organization’s ability to recover smartly.


The multiple benefits of a Zofia Consulting VCISO is the experience they bring to your organization through many years of real on-the-ground work experience – most have worked their way up through technology, business or the security discipline. Zofia Consulting VCISOs also carry certifications to indicate a level of knowledge obtained and validated by accrediting organizations.

Zofia Consulting VCISOs have a demonstrated wealth of experience (often in multiple disciplines) and it’s important to request one with experience in an area where your organization has an identified weakness. It might be in policy development or education and awareness, audit response, risk management or threat detection capability.

If an organization isn’t sure what capabilities they need, Zofia Consulting can perform an overall health assessment and identify areas that are strong and other areas that may require professional attention.

Zofia Consulting has a staff of experienced CISOs with a broad range of experience in multiple environments able to support your cybersecurity needs with our Virtual Chief Information Security Officer service, whether it is a monthly retainer, single engagement or staff augmentation. Learn more on our Virtual CISO page. To request VCISO support for your organization, please contact us.



Charles L. (Chuck) McGann, Jr., is nationally recognized information security professional and senior advisor to Zofia Consulting. Chuck leads the Virtual CISO™ Program at Zofia Consulting and focuses on small to mid-sized organizations providing guidance in solidifying Cybersecurity programs and compliance requirements. Chuck’s broad range of experience from Policy and Procedures creation and review through Incident Response and Threat Mitigation ensures companies are prepared to handle any variety of cybersecurity challenges.

Chuck is the former Corporate Information Security Officer (CISO) for the United States Postal Service (USPS). In this capacity, he secured one of the largest maintained intranets by any organization in the world, with over 200,000 workstations; over 45,000 retail terminals; more than 16,000 servers and over 220,000 Mobile Delivery Devices. The USPS infrastructure encompasses over 600 business applications that support all aspects of business operations as well as movement of the mail.

In his 28 years with the Postal Service, Chuck held numerous positions, Including: Manager, Information Systems, Acting Postmaster, Business Systems Analyst, Business Project Leader, Distributed Systems Security Specialist, Manager, Information Security and Incident Response Team Manager.

Over his distinguished career has received numerous awards and recognition. He belongs to various national, regional, and local organizations such as the Government Technology Research Alliances’ group, FBI InfraGard, National Security Agency (NSA), and Information System Audit and Control Association (ISACA) to name a few.