I have been a practicing virtual CISO (vCISO) for over six years. Prior to that, I held the Chief Information Security Officer (CISO) role in various organizations over more than ten years. I believe I’m qualified to render the opinion that just as the CISO role has evolved, so has the vCISO, as a consultant who is most effective when they challenge their clients.
What has also changed are the small or midsized business (SMB) drivers for contracting with a vCISO. When I began vCISO Services in 2017, I observed that the SMB’s primary reasons generally fell into one of two buckets: they wanted a solid information security program (sometimes driven by prospect and customer requirements), or they needed to pass an audit, be it against some framework or against customer/prospect requirements (or both). While we won’t take on clients that are just looking to become compliant, as our mission is to build holistic, risk-based information security programs from the ground up, the latter often resulted in the former.
The virtual CISO space has grown rapidly in the past few years as SMBs recognize that they require the expertise of a CISO but do not have the budget to support the cost. According to salary.com, the median annual salary and bonus for a CISO in the United States is over $290,000. While virtual CISO rates can range from $150 to over $500 per hour and are highly dependent on experience and effectiveness, a vCISO is a cost-effective way for SMBs to leverage deep industry experience – so long as the vCISO actually brings that experience to the contract.
CISOs and vCISOs who begin a risk mitigation conversation by saying “no”, by asking for funds for costly systems, or both, are proposing solutions without understanding the business, and in doing so show their lack of experience building and managing security programs. They do not take the effort to find risk mitigations commensurate with the business’s size, needs, and risk tolerance, which may be due to a lack of business acumen, information security skills, or both. This often leads to wasted time and ineffective risk mitigation efforts, leaving the SMB in a worse information security posture.
We had a small client who came to us frustrated: previous efforts by other consultants to stand up a security program had consisted of drafting an information security policy (possibly from one or more templates) that laid out a program complicated beyond the needs of the business and filled with positions that the business had not created. The vCISO should have started by discovering the business goals, plans, and information flows. After we spent the effort to understand the business, we drafted a pragmatic information security policy that aligned well with their culture and risk tolerance, while effectively addressing information security risk for a company their size.
What was the difference? We challenged the business to have a risk conversation instead of a compliance one. The best virtual CISOs actively challenge their clients. Some won’t, as they are more interested in maximizing billable time and client engagement lengths. The attitude is often that if they tell the client what they want to hear, they will keep the revenue stream going.
It’s not one-sided; the relationship can fail the other way. The business is responsible for accepting the challenge, which can often be uncomfortable, particularly if it involves gaps in current processes and controls. In one case, we parted ways with a client who was more interested in hearing what they wanted to hear instead of what they needed to understand. We stressed the required independence from the information technology function, which insisted that it could perform those tasks itself, directly violating the Three Lines of Defense model. We could not continue, as we focus on building security programs, and an organization that would not accept this foundation of an information security program would not be interested in building out an effective program beyond perceived compliance.
The challenge may be uncomfortable but is necessary for growth. A CEO of a company I once worked for called it “the brutal truth”. He preferred to hear the brutal truth over sanitized reports because he knew that in some way and at some time the brutal truth would come out. Better to deal with it in a controlled, proactive manner than to react to an incident, or worse, as SolarWinds learned.
If your organization falls under the first bucket mentioned at the beginning of this article, then as part of your vCISO vetting process, don’t be afraid to ask candidates how they have challenged previous clients. The best ones will be able to relay examples that they will passionately defend. It may lead to a period of discomfort, but that is far better than some of the alternatives.
Originally posted at https://securetrust.io/cybersecurity-insights/vciso-challenging-your-business/
Image from OpenAI