“Approximately 64% of global CISOs were hired from another company” according to the 2021 MH Global CISO Research Report. The reasons include talent shortages, the role still being new to some companies, and companies not having created a succession plan to support internal promotions.
To overcome these challenges, companies can look to a Virtual Chief Information Security Officer (vCISO) or a vCISO-as-a-service provider. Companies should consider both the vCISO candidate and the additional “as a service” capabilities that the provider brings to support the security program. This article covers what to look for when selecting a vCISO and a vCISO-as-a-service provider.
What to look for with the candidate
Businesses will want to align their CISO requirements with the skillset and background of the candidate vCISO. For example, the business may want a vCISO with security architecture experience when it is deploying a managed firewall service. Alternatively, if the business needs to build a Security Operations Center (SOC), then a vCISO with SOC deployment experience might be preferred. While experience in a focused area is beneficial, a vCISO should have the following fundamental skills, which align with and preferably extend beyond the business's security needs.
- Provide executive-level advisory and presentations.
- Create and track a risk register of identified cybersecurity gaps.
- Develop, implement, and manage a cybersecurity roadmap.
- Run tabletop exercises to identify business unit priorities and create alignment.
- Respond to third-party due diligence requests.
- Identify hardware and software assets as well as data, and analyze the associated risk.
- Report on metrics and key performance indicators (KPIs).
- Deliver and report on vulnerability and penetration testing.
- Oversee reporting, steering, and committee meetings.
- Review and update incident response plans.
- Identify, mitigate, and remediate security-related events.
- Create, develop, and update policies and procedures.
- Develop budgets and plans.
- Develop and run security awareness training.
What to look for in a vCISO as a service provider
vCISO as a service expands the vCISO from an individual contributor into a team that is engaged to lead a program or initiative. For example, instead of having a single vCISO with SOC-building experience, an entire team is brought in to create the program and build the SOC. Building a relationship with the provider helps businesses quickly engage resources to support these larger types of initiatives. As the relationship grows, the business builds trust and the engagement expands into a valuable partnership. Below are items to consider when trying to find the right trusted partner.
- Access to a team of experts on a specific topic or concern, through collaboration and sharing within the provider's internal vCISO committee.
- A diverse group of professionals, so the customer can get a vCISO who can engage quickly within the customer's timeline and budget.
- The diverse experience the provider has gained from engagements across different industries and business sizes, from small business to global enterprise.
- Strategy frameworks and resources to build a security program and help create a succession plan.
- The ability to meet customer timelines and budgets through different levels of retainers and engagement models.
- Objective treatment of security topics and strategy, with unbiased recommendations for security challenges.
- A coverage area that supports regional, national, and global footprints.
The vCISO role is a flexible model that helps customers manage cost, enhance the quality of their deliverables, and reduce the time it takes to deliver on security activities. Engagements can be for a specific project, to provide coverage while a permanent CISO is identified, or to take on the role full-time. These benefits strengthen the relationship between customer and service provider, which in turn creates the trusted partnership that is needed for stronger security.