2024 will be the year of the vCISO. A staggering 45% of MSPs and MSSPs plan to begin offering vCISO services in 2024. As an MSP/MSSP providing vCISO services, you own the organization’s cybersecurity infrastructure and strategy. But you also need to position yourself as a trusted decision maker, juggling professional responsibilities, business needs and leadership requirements. A new webinar by Cynomi, the vCISO platform leader, featuring CISO and veteran vCISO Jesse Miller of PowerPSA Consulting, provides MSPs and MSSPs with an effective 100-day plan to prepare for success.
The webinar provides a tangible, five-step, 100-day action plan that any MSP/MSSP can follow when engaging with a new vCISO customer. It also provides guidance on vCISO objectives and pitfalls to avoid. By watching the webinar, you can position yourself as a long-term, strategic partner for your customers. They will see you as capable of leading the security transformation and managing it in a continuous and dynamic way.
Some of the main highlights covered in the webinar:
vCISO objectives
When starting out as a vCISO, it’s important to understand the vCISO objectives and use them to guide you throughout your role:
- Establish, supervise and manage organizational security in a flexible and robust manner.
- Promote trust with security objectives through alignment, to gain buy-in from leadership and stakeholders.
- Make security a business enabler, contributing to compliance, operational efficiency, competitive advantage, financial accountability and more.
Pitfalls to avoid
At the same time, avoid pitfalls that can compromise your ability to provide high-quality services. Some tips for avoiding traps include:
- Stay strategic and resist the temptation to put out fires.
- Maintain objectivity and avoid getting involved in organizational politics.
- Use automation, not manual processes. Manual processes are time-consuming, error-prone and inefficient by comparison.
- Ensure compliance to avoid serious legal and reputational consequences.
- Delegate and build infrastructure instead of doing everything yourself.
- And more
The 5 Steps: Your 100 Day Action Plan
Phase 1: Research (days 0-30)
Welcome to your new customer! Start by researching the current state of your organization’s security posture and business goals. This involves building relationships with stakeholders and the IT/security team, reviewing management practices, policies and configurations, and evaluating third-party risk and vendor management processes. These actions will help you understand potential vulnerabilities and the effectiveness of existing security controls and procedures.
Phase 2: Understanding (days 0-45)
Now it’s time to put your findings together. This starts with conducting a security risk assessment with a standard onboarding questionnaire and scan tool. Then, use all the information from the assessment and phase one to create a clear picture of your security maturity and approach. After presenting this position and existing gaps to management, you will be able to develop a list of short- and long-term needs based on business risks and objectives. In your list, be sure to demonstrate the business value of your security investments. Whenever possible, use automation for efficiency.
Phase 3: Prioritization (days 15-60)
The third step involves defining actionable plans. Develop short, medium and long-term objectives and develop the plan and budget required to achieve these objectives. Identify 2-3 quick fixes that will improve security and your organizational position, and share all of these findings, along with a risk register, with management.
Phase 4: Execution (days 30-80)
Now it’s time to execute. This will establish your vCISO credibility and set the tone for ongoing security management. Once you have buy-in from stakeholders and management, communicate your plan at all levels, creating a sense of shared responsibility and success. Start performing the tasks that will help you achieve your goals: implementing automated systems, identifying quick benefits, creating high-priority policies, and creating new tools and products. As soon as possible, set reporting cadence to help you demonstrate improvement. And as always, in a rapidly changing environment, be ready to adapt as needed.
Phase 5: Report (days 45-100)
Reporting is critical to demonstrating success. Collect data that reflects progress and successes, such as reduced incident response times or fewer successful phishing attempts. Be sure to communicate this data to management to showcase business impact, successes, challenges and security progress. In addition to this frequent reporting, conduct an additional comprehensive assessment after 3-4 months to demonstrate progress and identify any new or unresolved vulnerabilities. Based on these reports, continually adapt and improve your processes and controls to keep security measures effective and relevant.
Your next steps as a vCISO
Making meaningful choices, measuring your impact, and maintaining a flexible mindset will set you up for success on your vCISO journey. To get more information, understand what this plan looks like, and get a complete list of activities and checklist to guide you through the first 100 days, watch the webinar here.