May 3, 2019

Posted by John Verry

Reading Time: 4 minute(s)

Engaging a vCISO: 4 Key Questions (Plus Advice from Mike Tyson)

May 3, 2019

Table of Contents

Last Updated on January 4, 2024

By the time someone jumps on a phone call with us to discuss our Virtual CISO/Virtual Security Team offering, they generally understand its value proposition. But often they’re fuzzy on the mechanics of how it works: How much “vCISO” do we need? What will the vCISO be responsible for? How does the vCISO interact with management, clients and/or regulators? How much will this cost exactly and what is the pricing structure? How often do we meet with the vCISO? Add to that about a dozen more questions you’re probably wondering about yourself if you’re reading this.
It’s easier to visualize how a vCISO works if you start with the simple tenet that “information security is about having a plan.” This concept is fundamental to all major information security/technology frameworks. For example:

ISO 27001 Clause 6 is about “Planning” and covers key concepts including “addressing risks and opportunities” and “information security objectives and planning to achieve them.”
COBIT mirrors the “addressing risks and opportunities” concept with its concepts of “value preservation” (addressing risks) and “value creation” (opportunities).
NIST requires System Security Plans that “provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements and delineates responsibilities.”

From the starting point of “having a plan,” information security—and your vCISO discussion— can be (over) simplified to these four foundational questions:

View our free cybersecurity resources »

View Now!

Do you have a plan?
What resources do you need to execute your plan?
How will you verify and adjust the plan’s effectiveness?
Repeat

1) Do you have a plan?

Do you have a plan already? Or do you need the vCISO to work with you to develop your plan?
It doesn’t have to be a formal plan. All you really need is a reasonably good understanding of your current security practices, plus a short list of priorities that you want to address in the next three to twelve months.
Your plan can initially be as simple as one or two high-level objectives, such as:

“We have a client that is requiring us to achieve ISO-27001 certification.”
“We need to become GDPR/CCPA compliant.”
“We are migrating our document management system to a cloud service provider and need to make sure it is done right.”

If you don’t have a plan, you and your vCISO will need to work together to develop one. That generally involves the following activities:

Understanding Scope (e.g., critical information being processed, relevant laws and regulations, client contractual obligations, physical locations, technical infrastructure, key vendors, management’s objectives/expectations)
Understanding current information security controls (i.e., what is the extent/rigor/maturity of your current information security practices?)
Conducting a Risk Assessment (i.e., what are your key information related risks, and which ones are not yet being managed to a level that is acceptable?)
Developing a Risk Treatment Plan (i.e., the short-term information security plan you will be executing together with your vCISO)

2) What resources will you need to execute the plan?

What resources, bandwidth and expertise do you need to execute your “short-term” plan?
A vCISO answers part of your resources question—but he or she is unlikely to be the complete answer.
A “true” vCISO is a senior-level executive who will help you establish and maintain the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The vCISO can execute pieces of the plan, but much as you wouldn’t want to pay an architect to install sheetrock, you are not going to want your vCISO to document incident response procedures.
A good vCISO provides actionable guidance for a team to execute, whether that is your team or external resources. If your internal team is short on resources (time and/or expertise), working with a vendor like Pivot Point Security that offers a “Virtual Security Team” style vCISO engagement can provide significant value by flexing in these resources as needed.  In a sense, you get access to a team of security SMEs for the fractional cost of a vCISO. This can greatly reduce the number of vendors you need to onboard and manage to execute your information security plan.
Understanding your plan, your timeline and the resources needed to execute it will help you shape the work effort and expectations you have for the vCISO/Virtual Security Team:

Who will manage the project?
Should we meet weekly, bi-weekly or monthly?
Who will liaise with key stakeholders (e.g., senior management, customers, regulators)?
How will we track/report project status to key stakeholders?

3) How will you verify and adjust the plan’s effectiveness?

How will you verify that you are achieving your security objectives, and what resources will you need to do so?” Verifying the effectiveness of an information security plan is critical and might involve:

Security Metrics
Vulnerability Assessments/Penetration Tests
Internal Audits/Control Assessments
Incident Response Tests
Third-Party Audits (e.g., a customer, regulator or ISO 27001 auditor)

4) Repeat (ongoing risk management and tuning)

Who is responsible for managing ongoing risk and tuning your vision/plan accordingly?
Mike Tyson once famously said:

“Everyone has a plan until they get punched in the face.”

In information security, that punch is a “change of note” (think Zero Day or attack or GDPR compliance). If you architected a perfect plan and operated it with 100% effectiveness and nothing ever changed in your environment or the outside world, you would never need to adjust your plan. Unfortunately, all information security practitioners know the only constant is change: new threats evolve, new regulations are released, customer expectations change, technology changes, your products/services change, your vendors change…
These and similar issues require a review of your current risk assessment to determine whether the information security controls in place are sufficient to effectively manage this “evolved” risk.
Hopefully, thinking through the lifecycle of your information security plan and the elements you are going to need support on gives you some insight into what engaging a vCISO would be like for your business.

Considering hiring a Virtual Chief Information Officer?

There are many benefits to bringing in outside information security talent into your organization, but it must be done right to realize success.
Download our vCISO Roadmap now!

Download Now!

What's Next?

To hear this practical, best-practice oriented show with Temi Adebambo

Click Here

Pivot Point is now part of CBIZ. Click Here for more information.

Blog

Engaging a vCISO: 4 Key Questions (Plus Advice from Mike Tyson)

1) Do you have a plan?

2) What resources will you need to execute the plan?

3) How will you verify and adjust the plan’s effectiveness?

4) Repeat (ongoing risk management and tuning)

Considering hiring a Virtual Chief Information Officer?

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How to Measure the Value of Information Security

2 Principles to Revolutionize Security Awareness Training

What is Cyversity and How Can It Improve Diversity on My Cybersecurity Team?

Empowering Diversity in the Cybersecurity Industry

What is the Digital Operational Resilience Act (DORA) and How Will It Impact My Business?

How can we help you?

Services

Compliance

Insights

Pivot Point Security