Steps to implementing a virtual CISO into your organization.
Good morning, my name is Tony Asher. I’m the lead cybersecurity consultant at Asher Security and we help small and medium-sized businesses mature their cybersecurity program and reduce their cyber risk.
This is a topic that we’ve talked about many times. I want to help you today by giving you six points on how to implement a virtual CISO into your organization. And the first one starts with alignment.
Alignment
This is an informal process of getting to know the different candidates that you might want to work with and invite to be a part of your cybersecurity program. It is probably the most important phase of implementing a virtual CISO in your organization. You really want to get to know them: how they work, their experience, their customer references or testimonials, their certifications, their history within the field, what kind of organizations they have worked with, what size of organizations they have worked with, and what kind of technologies they have worked with.
I do this with my clients too, and it is not just about their expertise but also their character. This is the foundational time you spend, before you sign anything, getting to know that virtual CISO before you actually start implementing them into your organization. If everything goes well, you move to step number two, which is legal.
Legal
There is a lot of legal work. It might not feel like a lot of legal work to other people, but it does to me. It starts with having the virtual CISO sign your company’s non-disclosure agreement, also called an NDA.
An NDA is a formal agreement that makes sure your data remains your data: you are the owner of it, you own what they create specifically for you, your data should not be exposed through them, and due diligence should be performed. If that goes well, next comes a master service agreement, or MSA. This is the longer contract on how the two companies are going to work together: how they agree to service one another, what’s included, what’s not included, what the fees are, and what the net payment terms are.
It is a lot of paperwork, but it is worth spending time on. In my experience, when you go to hire a virtual CISO, the NDA and the MSA can take roughly six to eight weeks. So, if you want to hire one fast, keep in mind that it is going to be at least two months from the time you hit the go button before that virtual CISO can really start getting their hands on your cybersecurity program.
Pricing
The number three step to implementing a virtual CISO in your organization is pricing. This is an opportunity to agree on what’s included and what they are going to charge you. Is this a project fee? Is this an hourly fee? Is this a retainer fee? Or is this some kind of ongoing subscription? The way we work at Asher Security is an ongoing subscription payment that includes a bundle of time and services. What you want to do is have a discussion about what happens if you want that virtual CISO’s help and it is not included in that bundle of hours or bundle of services.
What then? What if they go over the hourly allowance included in that price program? Is it going to be the same price or an escalated price? Get your terms set on that.
Scope
The number four thing to consider when implementing a virtual CISO is the scope of their services. Many virtual CISOs like myself are purely service-based.
We contribute our experience, our knowledge, our certifications and our expertise in a consulting form that builds the program and reduces risk. What that really means is I’m not selling technology. So, you’re going to want to ask a virtual CISO: if they recommend a technology, should you buy it through them? Are they a reseller? Are they going to be asking you to buy things through them? I don’t know if that’s important to you or not.
We decided it is important to us not to be a reseller. We actually depend on VARs, resellers and the client’s own resellers to perform a wide variety of services that would otherwise bog us down and pull us away from our area of expertise, so that we can stay focused. Another area that gets diluted and confused when implementing a virtual CISO in organizations is monitoring, service response and alerting.
When you talk about security alerts, is your virtual CISO going to look at those alerts? If they are, is there a certain hour range they are going to cover, say Monday through Friday, 8 to 4? Are they going to look at them after hours? Are they going to look at alerts that came in after hours the next day? Are they going to help in your incident response? All of this alerting and correlation work typically falls into an area we call a managed security service provider, or MSSP. That historically is not part of a virtual CISO’s responsibility. They are responsible for scoping what the MSSP will be responsible for, providing oversight, accountability and governance, and making sure that the MSSP actually fits and provides value for that customer’s needs and technologies. This is an area you are going to want to get straight and agree on before you sign.
Communication
The number five step to implementing a virtual CISO in your organization is communication. This means agreeing on a regular cadence to meet and discuss how they are doing, the milestones and the progress, and recognizing that the virtual CISO is going to need your time.
So go into those meetings with the expectation that it is a give and take. They are there to serve you; at least I am, and so are most virtual CISOs I know. It’s really about you.
It’s about helping you be successful. But to do that, we need a lot of information. We have a lot of questions.
It’s very complicated. We are going to contribute to those conversations and provide you stats, updates, benchmarks, relevant information and threat intelligence, but we are also going to come with questions to learn about your business, your technology, and how you have historically done things. How frequently are you going to do that? What if you have ad hoc questions? And finally, it is really good to ask about expectations on communication.
If you have a question at three o’clock on a Thursday, should you call them? Should you email them? And what should your expectation be for their response? Typically, in my experience as a virtual CISO, I try to set about a 24-hour response expectation with my clients. I close my email most of the time, because when I focus on a client and a project I am 100% focused, and that is anywhere from an hour minimum up to four hours deep diving into their systems. I don’t want to be interrupted by emails or other things that pull me away from the value I am trying to provide for that client.
Even though my response time is longer, the value and the focus are much higher for that client. But you need to get aligned with the virtual CISO you’re thinking about implementing and make sure that your expectations match theirs. And then number six, the last one, is process.
Process
I want to show you this diagram I created. It is called our virtual CISO matrix, and it is something I created really just to keep myself accountable.
What it is trying to communicate is where the value is with the virtual CISO you are planning to implement in your organization. In the bottom left-hand quadrant, the virtual CISO doesn’t have a process and the client doesn’t even know what their priorities are. That is a low value quadrant.
What you want to do is talk to your virtual CISO and make sure that they have a process. If they have experience, they have built a process that they are going to apply to working with you as you implement them into your organization. For us, we have over 20 pillars that we focus on methodically.
Each one of those pillars is backed by industry best practice. At the same time, we are interviewing business stakeholders to understand risk process, critical data and crown jewels, and we start to fill in our risk formula. We have a very specific, customized process that we apply as we very intentionally engage with that client.
That would be the upper left-hand quadrant. In the lower right-hand quadrant, clients sometimes come to us with their own agenda. Sometimes we get a call: hey, we need to get this certification by next week because a client needs it.
Or we need to get a pen test because it is outstanding on a SOC 2. Sometimes those clients are not interested in what our process is as a virtual CISO, which is fine. Sometimes we decide not to work with those clients, because we do feel that we have a process that is highly valuable. When the client alone drives the priorities, we can also end up providing low value.
We never want to be in a situation where we don’t provide high value. That brings us to the upper right-hand quadrant, which we call the dream outcome. This is when the virtual CISO works with a process they have developed on how to identify and define risk, prioritize risk, recommend risk mitigation and remediation, and communicate it, and at the same time they listen to you, and you as a client bring in the reason you are coming to them right now.
For example: our priority is to gain external client approval through certification or attestation. Or we want to satisfy our audit committee or our risk governance board, and we need to show them where we are on a maturity score.
Or we need to develop a roadmap for the next year or two on what our cybersecurity plans are. Those are the customer priorities. When a customer brings their own priorities and is clear on their goals, and the virtual CISO brings their process, together we have a high value dream outcome.
I hope that makes sense. Those are the six areas to cover when implementing a virtual CISO into your organization. If you have any questions, leave them down below and I’ll try to answer them.