How to Get the Most Out of a vCISO


The virtual Chief Information Security Officer is a cost-effective way for small to medium businesses to add cyber security strategy and programs to their management and operations capabilities, and for larger organizations to get a fresh look at difficult problems.

Getting more out of your vCISO means starting with why the vCISO was hired (or is about to be hired). Make the answer to the why question the driving principle. Stay laser focused on it. It’s what will prevent you or the vCISO from turning the project into something it was never intended to be. With the why answer in mind, follow this advice to improve the relationship and get more out of the vCISO.

  • Understand the Statement of Work
  • Set Expectations at the Beginning of the Project
  • Stay in Contact
  • Request and Follow Advice
  • Codify Advice into Document(s)
  • Make Sure Project’s Results Feed Better Decision Making and Operations

In general, the vCISO was hired to resolve cyber security issues, but if squeezing every ounce of value from the vCISO (not the same as working them to death) is a priority, then commit to these tasks, remembering to use the why driving principle as a focusing framework for each of them.

Understand the Statement of Work

This advice assumes the statement of work is about to be signed or has just been signed. Reading the SOW is not the same as understanding what the vCISO/firm tells you they are going to do.

Make sure the statement of work (SOW) aligns with the why of it all. If you brought in a vCISO to perform a risk assessment, make sure the SOW reflects the work of a risk assessment and doesn’t just use the term “risk assessment”. Ask the consulting firm “What goes into a risk assessment, and what comes out of a risk assessment?” Push for clear, specific responses.

Too often, far too often in my experience, clients do not read or fully understand how the SOW establishes the responsibilities, constraints, and objectives of everyone involved. The project then proceeds with the various parties holding conflicting views and interpretations. Misunderstandings are a normal part of life, but in a consulting relationship they create significant friction down the line if the differences are not brought to light and resolved early.

When dealing with a professional, the willingness to discuss those differences will be there. Don’t shy away from discussions and strong questions on the intended meaning and understanding of the cyber security terms contained in the SOW. Then make sure the SOW has comments, or rewrites, reflecting the agreed upon (or renewed) understanding.

If the SOW is already signed and confusion or conflicting readings still remain, have those conversations, and when a mutual understanding is reached, have documents and emails written up requiring the signatures of the relevant individuals.

Both parties coming to an agreement on terms, what they mean and what work it entails, is essential for the next piece of advice: Setting expectations at the beginning of the project.

How to Set Expectations at the Beginning of the Project

Knowing the why of the project is the cornerstone of setting expectations. Your expectations are rooted in the why and this why needs to remain clear from the beginning of the process.

Example: You are a growing small business. Over the last year you have gone from 10 to 25 employees and have doubled your revenue. Cyber security has always been at the back of your mind, but now is a good time to look into it. You’ve done a little reading and concluded you’re not sure where your cyber risks reside, so you decide you need a risk assessment (the why). You bring on a vCISO. You and the vCISO come to terms in the SOW and all parties are ready to kick off the project. What happens next?

Here is a short list of expectations to set and manage:

  1. Process: How is everything going to play out? What are the phases and steps required to complete the project? What are the deliverables? What content is expected within the deliverables? etc.
  2. Responsibilities: Who is responsible for what? What are the components within the phases or steps (document collection, reviews, interviews, document writing, etc.) and who owns each one?
  3. Schedule: Set milestones. Understand what is getting done when.
  4. Obstacles: Discuss potential hurdles that could affect project delivery time or quality such as holidays, vacations, employee turnover, current legal action, etc. What hurdles has the vCISO seen before? How have they overcome them in the past? What were the lessons learned that may apply to the current project?
  5. Completion: When is the project over? Is there a final meeting? Will you get an opportunity to ask any final questions, especially if they have delivered a report?
  6. Post-Project: Think of this expectation as understanding the “total cost of ownership”. When it’s all done, what will you know that you didn’t know before? What decisions are you better able to make? What process or operations will now exist that require management or maintenance to survive? Will you need to spend more money to resolve any issues?

This is not a lifelong, or multi-year partnership. At some point the project is going to end and you want to make sure you got everything you expected.

Set clear expectations and set them early.

Stay in Contact

Stay in contact to prevent “expectational drift”. Go too long without talking and cognitive biases will creep in and distort everyone’s understanding. People will start remembering the “settled common understanding” in their own favor, to the detriment of the project.

The false consensus effect is the tendency people have to overestimate how much other people agree with their own beliefs, behaviors, attitudes, and values.

False consensus bias

Don’t go weeks without having talked to your vCISO. Maintain a regular weekly meeting schedule as part of the ongoing relationship. Use these meetings as much to maintain a coherent understanding of the expectations as to manage the project as a whole.

Besides, we cyber security folk always have something to say, because there is always something going on. We just need a forum and a (sometimes) willing audience. A weekly meeting should be enough to maintain understandings, talk shop, and extract actionable advice.

Some consultancies try to protect (hide) their talent from the client behind a wall of project managers and client relations personnel. Don’t let this happen.

However, almost as often as I have seen clients not read or understand the SOW, I have also seen clients keep a distance from the vCISO. They don’t show up to meetings, don’t have questions, and are often the clients who feel like they didn’t get everything they expected.

Request and Follow Advice

Keep advice requests on point (the why), but don’t let opportunities to get advice go unused. Each weekly status meeting is also an opportunity to ask for advice. Did you notice some big new attack vector in the news and aren’t sure what to do about it? Ask.

Don’t ask questions just to satisfy curiosity; ask them because the answer has an impact on the security of your business.

When the vCISO responds, take it under strong consideration. That is, follow the advice so long as it doesn’t have a detrimental effect on your business.

Codify Advice into Document(s)

A vCISO is more cost effective than a full-time CISO (or Director of IS), but they still cost good money, so don’t let the advice they give get lost in the memory hole. Most, if not all, engagements will include some kind of report. This step goes just a bit further. Either take good notes during the meetings capturing what they have to say, or have them put the advice in a memo. For posterity, if nothing else.

Memos capturing the advice of a vCISO are a good idea even if they cost a little extra. Remember, no one knows everything, so whenever someone sits down to write something, it forces them to think a little deeper on the issue, and you want your cyber security consultant doing some deep thinking on the issues at hand.

Feed Better Decision Making and Operations

In general, the result of any quality cyber security consultation (penetration testing, vCISO, etc.) is information that feeds decision analysis processes or business operations. Cyber security, in large part, is the set of controls put in place to reduce the risks to a business’s systems, processes, data, and ultimately the business’s ability to generate profit.

The vCISO, regardless of the specific project at hand, is there to help you understand and/or improve the interplay between the business, risks, and controls, so you can make better decisions.
