The demand for vCISO services is on the rise as companies seek cost-effective solutions for reliable cybersecurity oversight. In fact, 61% of mid-sized businesses have no in-house cybersecurity staff, which shows there is considerable room for MSPs and MSSPs to grow their services. To capitalize on this opportunity, the five steps below outline what MSPs should do within the first 100 days of engaging a new vCISO client to deliver reliable vCISO services. The steps work like a waterfall: each step flows into the next, and the later steps cannot be completed without the earlier ones.
Step 1: Research (Days 0 – 30)
To fully understand the client’s needs and security gaps, you must perform thorough research and meet with the board of directors to establish the client’s specific security requirements and priorities. Management should also be encouraged to understand this material and acknowledge the importance of cybersecurity, as their support will aid in implementing the essential measures.
This first step involves five tasks that are crucial to the vCISO’s success:
- Meet with stakeholders and management: This is where the discussion begins in identifying the client’s pivotal assets.
- Identify Critical Assets: Establish the key aspects of the business including identifying which line-of-business applications are in use. This is essential for efficiency and productivity, cost management, risk management, strategic planning, as well as training and support.
- Assess Data Storage: Perform audits regarding the allocation of data and where the data is stored.
- Evaluate the Impact of Downtime: Review the implications of key systems being down over various time frames such as 7 days, 14 days, etc.
- Understand Business Impact: Discuss the opportunity cost resulting from these potential downtimes or data losses and what effect they have on the business.
Gaining knowledge at this stage is critical for the success of the plan. It is important to meet with all departments, stakeholders, management, IT, relevant teams and associates to effectively identify and obtain access to the corresponding tools and systems. At this time, review vulnerability management reports and conduct threat intelligence research pertaining to the client’s industry and the threats targeting them. Also, analyze all past security incident reports and how they were processed as well as review vendor management processes and identify any third-party risks.
Performing these tasks effectively and gathering the data will give you a clear picture of the client’s current security environment.
Step 2: Understand (Days 0 – 45)
This is the step that helps you clearly see the client’s security posture, identify potential risks, and determine the precautions and measures needed to mitigate them. Once you have identified the client’s current security status, the findings from the risk assessment help determine the appropriate security needs.
It is recommended that this procedure include a formal gap analysis to highlight the differences between the current status and the target security position. You should also use established cybersecurity frameworks such as NIST to gauge the organization’s security measures against industry standards.
Your findings should be presented from three points of view:
- Risk Without Services: Display the client’s risk levels without any security procedures.
- Risk With Basic Services: Demonstrate how basic security services reduce risk.
- Customized Risk Mitigation: Provide the client with a customized plan created for them to achieve a desirable level of security while outlining steps to further reduce risk.
Step 3: Prioritize (Days 15 – 60)
In this step, use a framework that ranks the most critical security issues first, ensuring the client’s most vulnerable areas are promptly addressed. Define SMART goals (specific, measurable, achievable, relevant, and time-bound) for the organization and create a detailed plan that specifies the necessary steps, timelines, responsible parties, and expected outcomes, while documenting each identified risk with its probability and its impact on security and budget.
Key points to include:
- Immediate High-Impact Wins: Direct the focus toward the top three actions to improve security immediately.
- Long-Term Improvement Plan: To avoid overwhelming clients, create a year-long improvement plan highlighting any additional necessary actions.
Once the goals and long-term plan are completed, they should be shared with management, ensuring transparency from the top of the organization to the bottom.
Step 4: Execute and Monitor (Days 30 – 80)
In this step, the overall goal is to execute your strategic plan, establish your credibility as a vCISO, and set a standard for ongoing security management. You must earn stakeholder and management buy-in by explaining the strategic plan, its components, and its overall impact on the organization. Once they acknowledge and back the plan, implement automated systems to handle everyday tasks such as automated password resets and report generation, accounting systems that require dual approval for money transfers, and a state-of-the-art vCISO platform.
Focus on impactful wins that build momentum and demonstrate early successes. Perform regular updates and policy refinements so that the client stays current with the latest security services available. Setting a cadence for external scanning and reporting is also recommended to demonstrate improvement and risk reduction over time. By continually reviewing and adjusting your remediation plans, you ensure that security remains effective and responsive.
Step 5: Report (Days 45 – 100)
In the final phase of this plan, validate the strategy’s effectiveness, secure ongoing support from the board of directors and management, and underline the importance of comprehensive reporting for MSPs and their respective clients. When delivering a report, always start with the good news to build confidence and then address the areas that need improvement. Measure success by collecting and analyzing data that reflects the results of the completed plan, such as reduced incident response times, a decrease in the number of phishing incidents, or improved security and compliance posture.
Ensuring that security measures align with business needs and demonstrating value to the board of directors is the ultimate goal of a continuous improvement cycle. Doing so helps MSPs position themselves as trusted advisors and develop strong, profitable client relationships.
vCISO services hold significant potential for expanding the capabilities of MSPs and MSSPs, enabling them to deliver CISO-level security expertise to organizations of all sizes. Offering vCISO services is well within reach for many MSPs and MSSPs; they just need to follow these key steps while leveraging the right tools to define and streamline the process effectively. This approach not only enhances their service portfolio but also meets the growing demand for comprehensive security solutions in today’s digital landscape.
About the Author
David Primor is Co-Founder and CEO of Cynomi. A Lt. Colonel (ret.) in IDF unit 8200 and previously technology director of Israel’s cyber authority, David spent decades dealing with state-level cyber threats. David leads the Cynomi team and runs the occasional marathon in his free time.
David holds a BSc in electrical engineering from the Technion, Israel, and completed his PhD at CERN.
David can be reached online at https://www.linkedin.com/in/david-primor-b2165582/ and our company website https://cynomi.com