Last Updated on October 2, 2018
Over the last few years I have noticed that clients often struggle to understand how to obtain maximum value at the minimum possible cost from a virtual Chief Information Security Officer (vCISO). I think part of that confusion is they view a vCISO as being the person that builds the roadmap, then builds the cybersecurity program per the roadmap, and finally actually operates it. Analogously, you can pay an architect to develop the blueprint for your office building, lay out the plumbing and electrical designs, install the toilets, carpet the halls, build the cubicles, and spackle and paint… But that will produce a suboptimal result at great expense.
When building a cyber security program, ideally the vCISO acts as an “advisor” who builds the roadmap for your program (Information Security Management System). “Implementers” (various subject matter experts) will then translate that roadmap into actionable policy and processes; e.g., the Third-Party Risk Professional who builds the Vendor Risk Management Program, or the Business Continuity Specialist who conducts the Business Impact Assessments.
Once your cyber security program is built, the vCISO’s role shifts again. While vision is still an integral element of his/her work, governance of the cyber security program now becomes equally important. Orchestrating and governing the work of the “implementers” and “operators” (those who execute the policies developed by the implementers) is critical to ensuring the program operates as intended and achieves the organization’s security objectives.
Therefore, the key to procuring the right skill sets and “amount” of vCISO, implementer, and operator services/effort is understanding where you are in the development of your cybersecurity program. Clients approaching Pivot Point Security for vCISO and/or VSO services are often in one of three distinct phases. Each of these phases has distinct needs, and each requires a different approach to successfully working with a vCISO.
In order of how commonly we see them, these phases are:
- Address urgent Issues, then build a roadmap/program
- Build a roadmap/program, then execute it
- Program in place; now need to optimize it
Address Urgent Issues, Then Build a Roadmap/Program
Organizations often experience a “tipping point’ event where information security and compliance go from being a moderate pain point to a significant one. Typical drivers are a new compliance requirement of note (e.g., GDPR, NIST 800-171, 23 NYCRR PART 500), an “incident of note” (a breach or service disruption, a “failed” regulatory or customer audit/review), or increased scrutiny by a key client that is often driven by changes in services being offered or the clients you are offering them to. The short-term issues to address are typically: get compliant with a particular standard, implement the security controls required to credibly address client requests/findings, and achieve ISO 27001 certification or get SOC 2 attested.
In this phase, you really don’t initially need much vCISO support, as you already have a short-term “roadmap.” But you really need the expertise and bandwidth necessary to implement that roadmap. That is, you need “Implementation” services more so than you need the advisory services that a vCISO traditionally provides.
In such situations, we generally recommend Implementation Services from our broader VSO offering. Implementers are the subject matter experts who have the deep expertise necessary to execute the roadmap that you (or the vCISO) have developed. They may be on your team or our team. A small amount of vCISO oversight is generally valuable as well, to verify the existing roadmap and provide enough ongoing direction to ensure that short-term implementation will dovetail with the longer-term objectives/roadmap.
As implementation of the short-term roadmap is nearing completion, the amount of vCISO effort required ramps up to guide the roadmap toward the longer-term cybersecurity program vision. At the same time, the level of implementation services ramps down, as most of the “heavy lifting” has been accomplished. At this point, your requirements look a lot like that of “Build a Roadmap/Program, Then Execute It” phase.
Build the Roadmap/Program, Then Execute It
This phase generally occurs before (or after) the tipping point referred to above. If before, it is often the result of a slow, steady ramp-up of information security client concerns and/or client demand. It can also be the result of an organization losing a key member of its IT/IS team. Increasingly, the resource shortage and escalating salaries for high-level information security resources is also a driver.
At this stage, the initial requirement is more vCISO-weighted. Critical to establishing the roadmap is to understand the scope and context of your organization, the information it handles, your vendors, customer contractual obligations, regulatory requirements, and anything else that impacts information-related risk and your risk treatment decisions.
Ideally, you will establish a risk-based model and conduct an initial risk assessment so the roadmap can be risk prioritized. As the roadmap nears completion and you move into a more “execution” focused phase, the level of vCISO effort ramps down a bit and the level of implementer work effort (your team or ours) ramps up.
While a good vCISO can “implement” most of a program, it isn’t generally the most cost-effective or optimal way to do so. For example, the vCISO may identify the need for a Third-Party Risk Management Program, but it would be less expensive and likely produce a better product to have a subject matter expert that is totally focused on TPRM build the program.
Operate and Optimize the Cybersecurity Program
One your cyber security program is largely in place, it’s time to “operate and optimize.” We generally end up operating as a vCISO in this situation, after having helped the client through one or both of the previous phases.
Increasingly we are seeing clients request support after they have gone through a SOC 2 or ISO 27001 certification effort (or a large compliance effort like GDPR or PCI) and are looking for some additional expertise and bandwidth to keep the program running and continue to evolve it. In this scenario, the vCISO typically plays a greater role in establishing ongoing direction; and in liaising with management, regulators, customers, and information technology/security team members.
Further, there is an increased need for governance and ongoing validation that key security controls/processes are occurring, security metrics are being achieved, and certification/contractual/regulatory commitments are being kept. Implementer services (your team or ours) are generally minimal unless there are notable changes to the cybersecurity program. Operator services (your team or ours) ramp up as key processes are being performed per the program’s policies. For example, reviews of critical third parties are being conducted, incidents are being investigated and documented, security awareness training is being administered, and change management processes are being followed. This is the state you want to reach, and when you do, it’s where you will hopefully stay from that point forward.
Knowing where you are in this three-phase lifecycle will help you procure the right level of vCISO (“advisor”), “implementer” and “operator’ services to efficiently and effectively address your near- and long-term objectives.Learn About Our vCISO Services
To connect with experts about how best to integrate a vCISO into your organization, contact Pivot Point Security.