Recently I had the interesting experience… chatting with a handful of potential Virtual Chief Information Security Officer (vCISO) clients over the last few weeks, each expressed they wanted to replace their current vCISO providers. Whenever we are asked to replace another service provider, we are always careful to drill in to really understand what went wrong with the previous engagement. It’s important to us and our clients that we determine if we are the right partner for that client at that time.
On review, as is often the case, the key issue was the original vCISO providers failed to meet the customers’ expectations. That is often what makes vCISO engagements so challenging: there is a lot of ambiguity about what a vCISO is and what he or she does.
Where vCISO Relationships Go Wrong
I think a lot of the ambiguity and resultant disconnect between clients and vCISO providers is that:
- vCISO services companies view vCISO as a leadership role (“Chief” is in the title :>)). The vCISO is thus responsible for liaising with key stakeholders (senior management, key clients, regulators), establishing security policy and direction, and managing/governing the security operations of the organization. Viewed another way, the vCISO is accountable for ensuring that information related risk is well managed. (I’m a Composer.)
- Clients often view the vCISO as a leadership and strategic implementation role. Some even view it as including components of operational security. (No—you’re a Composer, Conductor, and Orchestra member!)
What Do You Want From Your vCISO?
It’s important when you are considering vCISO services that you really think through your security requirements. For example:
- Do you need someone to architect and govern your cybersecurity program?
- Do you need someone to execute your Incident Response Plan or Third Party Risk Management Program?
IMHO, I think the first point relates to a vCISO. Their job is to ensure that all of the key functions of a strong cyber security program (e.g., network security, application security, physical security, Identity & Access Management) are operating effectively.
I think the third point is not a vCISO role. This is an operational level role. A CISO could do this, but they wouldn’t want to, and you wouldn’t want to pay their rate to perform this function.
Successful Information Security Requires Structured Accountability
If you are considering engaging with a company that provides a CISO as a service, the approach I recommend is to develop an “Accountability Chart” that identifies who is responsible to address the three key roles (Architect/Build/Operate) for each security function in your organization:
- Lead, manage and govern (Architect)
- Translating the Architect’s vision into actionable policies/plans/programs for the function (Build)
- Executing policies/plans/programs (Operate)
A vCISO is far from a silver bullet. They can bring a lot of value in establishing a Cybersecurity Plan, but they need internal and/or external support to build the program and operate it effectively.