With information security regulations and cyber threats increasing daily, virtual Chief Information Security Officers (vCISOs) have become an increasingly attractive option for companies looking to protect their information and customers. But how can managed service providers ensure their vCISO offerings stand out?
On a recent episode of the Apptega Cybersecurity Podcast, Ascend Technology’s SVP of cybersecurity services, Heather Lantz, discussed the evolution of the vCISO role and a modern approach to information security. Lantz said, “When I started in the industry, I had clients saying they didn’t want to hear from me because, in this space, no news is good news. It's not like that anymore, though. Auditors and compliance are really driving this change and companies need to keep up.”
Today, if a company doesn’t have an internal, comprehensive information security team (and likely even if they do), a vCISO should be at the top of the list of security needs. But in a busy (and still growing) industry, what are the qualities of a strong vCISO offering?
The Ideal vCISO Profile
Consulting is a role that requires more than merely the relevant hard skills and certifications. As a vCISO, one must navigate the client relationship as an outsider to the company while also ensuring that all safeguards and controls are implemented.
Essentially, vCISOs have all the responsibility to protect the client without having full control or decision-making power. They have to consult with their partners and clients to understand where they want to go and what kind of risk tolerance they have. When hiring, Lantz says, “I look for the relationship builders because if you have a relationship, you can get a lot farther with any of our clients.”
The Three Cs: Consistency, Clarity, Communication
When considering virtual infosec services, companies rarely look for a “person behind the curtain” approach. Building relationships is essential to gain client trust and establish authority. According to Lantz, “Consistency, clarity, and communication are key to client relationships and buy-in.”
To help with building this relationship, vCISOs must be consistent with their deliverables and communications and provide clarity around exactly what needs to be done to achieve compliance. Consistency helps build a predictable client relationship and ensures clients are audit-ready and compliant through ongoing checkpoints and monitoring.
Furthermore, proper communication in the context of cybersecurity requires being upfront and clear. This isn’t a profession that can afford to sugarcoat. vCISOs must communicate gaps and threats appropriately and quickly to mitigate risks and remediate problems. The sooner the better when it comes to addressing concerns. Clear, timely, and honest communication keeps everyone on the same page, which encourages smoother audits and, more importantly, better coverage and protection for the business.
Meeting the Company Where They’re At
When pitching vCISO services, it’s important to consider that different clients require different approaches. Establishing strong client engagement early on helps everyone truly understand what is needed and the approach best tailored to each individual situation, whether that be a deliverables-first approach or one that prioritizes thought leadership and cutting-edge techniques.
Lantz approaches initial communications by asking for the date of the last risk assessment and walking through the results. This starts the consultant-client relationship off on a strong footing and defines the client’s security posture. From there, the conversation naturally turns back to what the consultant is able to provide and the specific problems they can solve.
Walking a company through the next steps based on its capabilities also offers an opportunity to shore up deliverables and ensure the vCISO offerings align with the client’s expectations from the first conversation.
As a vCISO, the ideal situation is to be able to present clients with the exact steps you took to protect their systems and data and ward off a potential breach. vCISOs frequently encounter difficulties in demonstrating their value to clients. However, by employing a team that can effectively communicate with clients and articulate the preventive measures implemented to secure an organization early on, the vCISO-client relationship can be seamless and mutually advantageous.
If you’re interested in learning more, you can listen to the full conversation here.