2024 will be the year of the vCISO. An incredible 45% of MSPs and MSSPs are planning to start offering vCISO services in 2024. As an MSP/MSSP providing vCISO services, you own the organization's cybersecurity infrastructure and strategy. But you also need to position yourself as a reliable decision-maker, navigating professional responsibilities, business needs and leadership requirements. A new webinar by Cynomi, vCISO platform leader, hosting CISO and vCISO veteran Jesse Miller from PowerPSA Consulting, provides MSPs and MSSPs with an effective 100-day plan to build themselves up for success.
The webinar provides a tangible five-step 100-day action plan that any MSP/MSSP can follow when they engage with a new vCISO client. It also provides guidance on vCISO goals and pitfalls to avoid. By watching the webinar, you can position yourself as a strategic and long-term partner for your clients. They will see you as capable of driving security transformation and managing security continuously and dynamically.
Some of the main highlights covered in the webinar:
vCISO Goals
When starting as a vCISO, it's important to understand the vCISO's goals and use them to guide you throughout your role:
- Establishing, overseeing and managing organizational security in a flexible and robust manner.
- Fostering trust with security goals through alignment, to get leadership and stakeholder buy-in.
- Making security a business enabler, contributing to compliance, operational efficiency, a competitive advantage, financial responsibility, and more.
Pitfalls to Avoid
At the same time, stay clear of pitfalls that can disrupt your ability to provide high-quality services. Some tips for avoiding pitfalls include:
- Stay strategic and resist the temptation to put out fires.
- Maintain objectivity and avoid getting caught up in organizational politics.
- Use automation, not manual processes. Those are time-consuming, error-prone, and inefficient compared.
- Ensure compliance to avoid grave legal and reputational consequences.
- Delegate and build the infrastructure rather than doing everything yourself.
- And more
The 5 Phases: Your 100 Day Action Plan
Phase 1: Research (Days 0-30)
Welcome to your new client! Start by researching the current state of the organization's security posture and business objectives. This involves building relationships with stakeholders and the IT/security team, reviewing management practices, policies and configurations, and assessing vendor management processes and third-party risks. These actions will help you understand the potential vulnerabilities and the effectiveness of existing security controls and procedures.
Phase 2 Understand (Days 0-45)
Now, it's time to bring your findings together. This starts with conducting a security risk assessment with a standard onboarding questionnaire and scanning tool. Then, use all the information from the assessment and from phase one to create a clear picture of security maturity and the security posture. After presenting this posture and existing gaps to management, you will be able to develop a list of short-term and long-term needs based on risks and business objectives. In the list, make sure to demonstrate the business value of your security investments. When possible, use automation for efficiency.
Phase 3: Prioritize (Days 15-60)
The third step is about shaping actionable plans.Draft short, mid and long-term goals and develop the plan and required budget to achieve these goals. Identify 2-3 quick wins that will improve security and your organizational stance and share all these deliverables, together with a risk register, with management.
Phase 4: Execute (Days 30-80)
Now is the time to execute. This will establish your vCISO credibility and set the tone for ongoing security management. Once you have stakeholder and management buy-in, communicate your plan across the board, creating a sense of shared responsibility and success. Start executing the tasks that will help you achieve your goals: implementing automated systems, the quick wins you identified, high-priority policy creation, and new tools and products. As soon as possible, set up the reporting cadence to help you demonstrate improvement. And as always, in a fast-moving environment, be prepared to adjust as needed.
Phase 5 - Report (Days 45-100)
Reporting is key for demonstrating success. Collect data that reflects progress and success, like reduced incident response times or fewer successful phishing attempts. Make sure to communicate this data to management in a way that shows the business impact, successes and challenges, and security progress. On top of this frequent reporting, conduct an additional full assessment after 3-4 months to demonstrate progress and identify any new or unresolved vulnerabilities. Based on these reports, continuously adapt and improve your processes and controls to keep security measures effective and relevant.
Your Next Steps as a vCISO
Making meaningful choices, measuring your impact, and maintaining a flexible mindset will set you up for success on your vCISO journey. To get more insights, understand how this plan comes together and to get a complete list of tasks and a checklist to guide you throughout your first 100 days, watch the webinar here.