Over the past couple of years, there has been explosive growth in organizations providing virtual Chief Information Security Officer (vCISO) services. Unfortunately, there is no standard for offering such services. This has resulted in confusion and ultimately increased risk for small and midsized businesses (SMBs) requiring quality information security risk management.
Some Managed Service Providers (MSPs), often Managed Security Service Providers (MSSPs, a subset of MSPs centered on cybersecurity services), offer vCISO services. That number is growing, and for good reason. MSPs can provide a one-stop shop for SMB security needs, covering both the first and second lines of defense. Yet this can introduce problems.
MSPs work on tight margins and are always searching for methods that can increase profitability. Unfortunately, this has resulted in some MSSPs implementing vCISO services as an inside sales vehicle, which is of course not ethical and is deceptive.
However, I know that MSPs can do this right, as I have experienced this firsthand. I began my vCISO career as a part-time contractor for a well-managed MSSP whose founder understood the need for quality services and separation of duties. He should have, as he was a full-time CISO prior to embarking on his own business. Just as a CISO can report to a CIO if the conflict of interest is managed successfully, with transparency, so can MSSPs manage the potential bias.
I’m not alone in holding this view. I recently conducted a LinkedIn survey (https://www.linkedin.com/feed/update/urn:li:activity:7150798707980980224/) asking “Should MSPs offering vCISO services sell solutions for gaps the MSP vCISO identifies?” My goal was to see who at least recognized the possible bias of offering solutions to gaps discovered by the same firm and, if so, whether it could be managed. The results were telling.
Close to 80% recognized a significant financially incentivized bias toward finding gaps for which the MSSP offers solutions, with 29% indicating this conflict of interest was too great to provide effective service to the client. Nearly half believed the bias can be identified and managed. Almost a fifth responded that it didn’t matter, and that making the process easier for clients (having a one-stop shop) was the most important factor. Not all who responded “Other” explained in the comments, but those who did were at least cautious about the bias negatively affecting the SMB clients.
With half thinking the bias can be managed, this is a significant opportunity for both MSPs and SMBs, but MSPs must manage the bias. To do so, their virtual CISO services must address two criteria: quality resources and conflict of interest.
The virtual CISO discipline began simply with the premise that those who had been CISOs or in a similar executive position of information security risk management could offer this expertise to SMBs remotely on a fractional basis, and was already well established when I launched vCISO Services, LLC in 2017. My goal was to help SMBs improve their security posture by providing risk management services at an affordable cost, drawing from my years at the CISO level at several organizations.
However, it has become fashionable for some to declare oneself a “vCISO” with little or no information security risk management background. To illustrate, I searched LinkedIn profiles that contain “vCISO” (about 1900 results), then examined the first ten profiles.
The good news is that seven of the ten had what I would consider adequate information security risk management experience to help SMBs. However, the other three self-declared vCISOs lacked the necessary skills. One’s current position was “Head of Sales” and another’s previous position was “Lead System Engineer”. The third was “Director of Information Security”, which sounds impressive until one sees that their duties were solely technical.
MSPs offering vCISO services must examine the resources’ work history. Proclaiming oneself a vCISO isn’t enough to ensure your clients receive proper information security risk management service.
Conflict of Interest
I mentioned above how some MSPs leverage vCISO services as an inside sales vehicle, whether intentionally or not. This is due to a lack of objectivity.
On a typical virtual CISO engagement, the first step is to perform an “as-is” gap assessment against some framework of the client’s information security environment, both cyber security (technical) and outside of cyber security (e.g., policies, governance). The vCISO may be tempted (or directed) to focus on cyber security gaps, particularly those that the MSP has solutions for. This introduces bias, resulting in three problems for the client. First, they may be sold on a solution to a risk that is not the highest priority; second, that solution may not be the best (functionality, cost, or both); and third, they may miss critical gaps in other areas.
The MSP can successfully address this bias (and many do) because they desire to provide a comprehensive solution to their clients. First, they can partner with a virtual CISO services firm or resource. This could be through white labeling. In this configuration, the client sees the virtual CISO firm or resource as part of the MSP when in reality they are independent of the MSP. This can still create a conflict of interest, though, if the vCISO resource is inclined to recommend the MSP’s services to keep the contract in place. The vCISO should always tell all stakeholders not what they want to hear but rather what they need to hear, regardless of how it may impact the business relationship.
To eliminate any conflict of interest, gaps that the vCISO discovers cannot be remediated by purchasing MSP tools or services. This truly separates the second line from the first line. This would have an impact on the MSP’s margin but be in the best interest of the client.
Small and midsized businesses need certainty that the MSP they are considering contracting with is focused foremost on building their security programs. The simple test is to see whether the MSP sells services its vCISO recommends. If it does, the SMB would be best advised to look for another MSP, one that is more client-oriented and less revenue-focused.
Originally published by PurpleSec