Best Practices for Working with a Virtual CISO
Hi, my name is Tony Asher. I’m the lead cybersecurity consultant at Asher Security, and we help small and medium-sized businesses reduce their risk and increase their cybersecurity maturity.
Today I want to review six best practices for working with a virtual CISO. These will help raise the value of your virtual CISO engagement and make it worthwhile for everybody involved.
Recurring Meetings
Number one is to set up recurring meetings. This is a big one. By setting up recurring meetings with your virtual CISO, you’re going to save yourself a lot of time and burden. When you don’t meet on a regular schedule and cadence, what ends up happening is that you reach out to them, or they reach out to you, and you’re both trying to compare availability.
You might get one meeting in, and the next thing you know, a week or two goes by, and now you’re both so busy that you’re fumbling to find another one-hour slot to meet and catch up. So the number one thing is to agree at the beginning what your meeting cadence is going to be and set up recurring meetings for the term of the engagement, or even beyond. There is no harm in setting up a year of one-hour meetings every other week with your virtual CISO.
It’s a priority, and it gets it on the calendar, and you can both agree ahead of time.
Process
The number two best practice when working with a virtual CISO is to ask what their process is. Ask the virtual CISO: what is your process to identify and reduce risk at our company?
By listening to that virtual CISO and taking time to understand their process, you’re going to reduce a lot of friction and frustration. Usually, our clients hire us because they’re not cybersecurity experts, and when we don’t get a chance to explain what our process is, it can feel like we’re not doing anything. But what we’re actually doing is highly technical, in-depth work that may have been ignored or not understood by that client.
When that client gives us an ear and we’re able to explain what it is and maybe give an analogy or tell a story about why we’re doing that, it makes much more sense, and sometimes we even get giggles from the client that they now understand why we’re doing the things that we’re doing and how it’s going to make an impact in their risk reduction.
Goals & Priorities
Number three, express what your goals and priorities are. There was a reason you decided to work with a virtual CISO.
There was something on your mind. The number one reason people work with us has been that a high amount of pressure from executive leadership to improve the cybersecurity program is being put on the shoulders of IT leaders who are excellent at technology but are not experts in cybersecurity. That’s why they ask for a partnership and for us to come in and support them in their success.
But that’s not always the case. Sometimes companies are trying to get a certification or attestation, whether that be NIST 800-171 or a SOC 2 Type 2, or maybe they’re trying to comply with privacy regulations because they entered a partnership or a contract and now feel a deadline to be held accountable for it. So make sure that you express what your priorities are to that virtual CISO so that you both have success.
We would never want to fail one of our clients because we didn’t know what it was they actually wanted to do when they engaged with us. So, although we want to apply our process, we always want to prioritize what the client is after too. And many times, I’d say nine out of ten times, they’re actually the same thing.
Say we’re trying to identify high-priority risk and we see that their website is vulnerable, while they were trying to improve their reputation because a prospect who was going to engage with them or buy their product used a third-party reputation scoring service and it gave them a poor score. What we’re doing is actually going to improve that score, and the improved score is going to help them reduce friction during their prospecting, lead, and sales process.
Patience
The number four best practice in working with a virtual CISO is patience.
You might have heard this as a subtlety as we reviewed the first three. Patience is really important. If I were to go to a doctor who is an expert in neurology or heart surgery, and they attempted to give me a diagnosis of something that’s happening, when I listened to that medical expert I might not even understand what they’re saying. We can be guilty of that too. We should use brevity, but we also like to assess the client, and we don’t want to treat clients like they don’t know anything.
We tend to start at a highly technical level and then come back and explain it again so it makes more sense. I have no problem continuing that conversation and building it into analogies and stories until it finally does make sense. But my point here, and the number four best practice in working with a virtual CISO, is to be patient with them.
Listen to what they’re trying to communicate to you and why. Always say so when you don’t quite understand, and ask that virtual CISO to continue explaining until it does make sense. At the end of the day, you are basically taking a class from someone who’s an expert in their field and is willing to educate you.
And that knowledge isn’t going to go away. You’re going to carry it with you for the rest of your career, and it’s going to be highly valuable.
Map Actions to Risks
Number five, map actions to risk reductions. One tendency I feel we have in cybersecurity is to react to whatever is on the front page of the news. Oftentimes I see IT leaders bear the burden of executives seeing that news and asking what they are doing about it.
What we need to get better at as professionals and practitioners is the part of the process in which we identify risk and then prioritize it. Once we have prioritized risk, we can finally go from strategy to tactics and decide the best way to remediate or mitigate that risk to lower it. Those are the actions we’re going to take.
We don’t want to do that in reverse order and just start doing things that sound like a good idea, or that are recommended on a website or on the front page of the news. We want to make sure that what we’re doing is directly aligned with the risk that we have mapped, prioritized, and communicated.
When we do this successfully, not only can we promote what we’re doing in our cybersecurity program, but we can also respond to questions from the audit committee, the executive board, or the risk committee: why aren’t we doing these things? Why haven’t you done this? So-and-so did this; why haven’t we? If your answer is that it’s a really great thing to do and it’s actually on our list, but it’s further in the future because we need to focus on these larger risks first, those executives are always satisfied with that answer. That way you have a why when you’re asked those questions.
Take Notes
Finally, number six of the best practices for working with a virtual CISO is to take notes. Document the progress that you’re making together. Hopefully your virtual CISO can help you with this, but at some point you’re probably going to be asked to give a presentation.
You’re going to be asked to update the executives and stakeholders who have invested in your program to improve your cybersecurity, and they’re going to ask what you have been doing. By taking notes while you’re engaging with a virtual CISO, monthly or bi-weekly, you’re going to have a list of things that you’ve been working on and making progress on. You can review those notes and very easily translate them into a one-page PowerPoint presentation to communicate what you’ve been doing.
Time goes by fast, and if you don’t do this, you can invest in a virtual CISO for months or maybe even a year, and when you’re asked what it led to, you can’t really remember all of those meetings and all that history amongst everything else that’s been on your mind as a technology leader. It can be very scary and very frustrating to try to account for that value. So, number six, take notes and document progress.
So those are my six best practices for working with a virtual CISO. I hope that helps. If I forgot something, or if you have another recommendation, make sure to let me know.