In the past few years Managed Security Service Providers (MSSPs) have increasingly added virtual Chief Information Security Officer (vCISO) services to their portfolios. In fact, the past six months have, in my opinion, seen enormous growth here, just based on informal, daily browsing of LinkedIn posts. It makes sense, because a vCISO line of business can certainly be lucrative for MSSPs, but it is not without potential problems, such as creating conflicts of interest. Vetting a vCISO service is important so that your small or midsized business (SMB) receives correct consulting and is not given bad advice that can actually leave your SMB in a worse security posture than before the engagement. So what can an SMB do?
First, the SMB must understand the Three Lines of Defense (3LoD) model. Basically, the first line is operational IT security management, such as maintaining firewalls, SIEMs, and patching; it is highly focused on the configuration of technical controls. The second line is risk management and is concerned with all information security controls, not just cyber (technical) ones; one basic example is the information security policy suite. The second line ensures risks are properly evaluated and proper controls are implemented to reduce those risks to below the institution’s risk tolerance. In large organizations, this is where the CISO operates; correspondingly, for SMBs, the vCISO should be proficient in the second line. The third line is audit: it makes sure that the first and second lines are doing what they claim to do with regard to protecting information and infrastructure, and that such protective efforts align with one or more specific frameworks and/or best practices.
One problem occurs when separation of duties is not maintained. For example, a firewall administrator should not be the one responsible for reviewing firewall rules, a system administrator should not be responsible for user access reviews, and so on. Without separating these duties, the opportunity to commit and hide fraud exists; that is why effective security frameworks require separation of duties as a basic practice. MSSPs who offer virtual CISO services are spanning both first- and second-line roles. If they do not effectively manage that, there is opportunity for fraud.
But it can get worse. I have seen posts on LinkedIn promoting MSSPs adding virtual CISO services to their offerings not primarily to increase service to clients, but rather as an inside sales approach. Let me explain how this works: an SMB contracts with an MSSP for virtual CISO services. The first step a vCISO should undertake when engaging a new client is to determine the “as-is” of the security environment by conducting a gap analysis against an applicable framework (e.g. CMMC, HITRUST). The gap analysis may then be leveraged to uncover gaps that, not by coincidence, the MSSP happens to have services to resolve. For this reason, the only way to eliminate this bias is for the MSSP to state up front that they will not offer to resolve any gaps found that require technical services, such as managing a SIEM. Yet this is exactly what some are pushing MSSPs to do: add vCISO services as a pathway to ensure additional sales. That is not ethical.
Additionally, since the MSSP is more focused on upselling, the vCISO may downplay other potential gaps that the MSSP does not have services to resolve. Engaging a biased virtual CISO, therefore, can result in bad advice and unknown gaps, in addition to potential costs for technical solutions that may or may not be needed.
This is not to say that all MSSPs operate in this way; there are many who do not. Those are the ones who understand the value of unbiased consultants. A simple check is to ask for a requirement that the MSSP cannot provide services to resolve the gaps it identifies. If the MSSP balks at such a suggestion, they may be leveraging the vCISO to upsell.
Carefully vet your virtual CISO service; your business’s security posture relies on having a trusted partner. vCISO Services can be that partner. For more information, visit us at https://vcisoservices.com or email us at email@example.com