Guidance to Expect from your vCISO

Blog Post
Posting date: 17 August 2023

Recently we hosted a virtual event discussing the top 5 things CISOs are talking about. Each month we will be taking a deeper dive into one item. This month we are looking at topic number three: the type of guidance to expect from your vCISO partnership. Our vCISO service is led by Jim Tiller, Chief Information Security Officer of Nash Squared and Harvey Nash USA, and here he shares his take on partnership guidance. If you have additional questions, feel free to reach out to Jim.

---

Let me start by saying something you’re likely not expecting. When it comes to cybersecurity, don’t let perfection get in the way of excellence. In fact, it’s closer to the saying “good is good enough.” Too often cybersecurity is shooting for perfection and having every base covered, which is not only impossible but expensive and time consuming, and may not actually be effective. Finally, given the characteristics of today’s technologies, threat dynamics, and business fluidity, what you’re working towards for today is, well, yesterday’s problem.

I’m not suggesting the same thing you can read in a thousand other blogs, such as: be innovative, do more with less, and move faster, peppered with a few references to AI and ML to catch your attention. Actually, I’m suggesting the opposite: be pragmatic, focus, get the basics right, and be outcome driven. And that is the guidance you should expect from your vCISO.

If we operate on the principle that most companies interested in exploring the vCISO option will not have a dedicated CISO, then one could assume that cybersecurity is far from a luxury item. Meaning that investments in security are hard fought. Why? Because for many small to medium sized companies security is like insurance. It doesn’t move the business forward in an obvious and distinct way. In fact, most companies with substantial cybersecurity investments do not take pride in that fact. Especially when the cost of the security consumed the budget earmarked for a new production line. You know, the kind that produces revenue.

The challenge of security, especially within the context of business, can be summarized in one word: focus. The cybersecurity space is nothing if not infinitely crowded. There is an endless supply of exposures and threats to exploit them, along with thousands of solutions at your fingertips. This endless sea of possibilities is why most cybersecurity professionals, especially at the leadership layer, are exhausted and burned out.

Being pragmatic, focused, and prepared to say, “we’ve reached a reasonable level of protection” is necessary to have effective and well-balanced security. You should be hearing from your vCISO not only how to focus energy, investment, and time on measurable outcomes that are directly tied to actionable, risk-based information, but also how any effort spent in one direction must be applicable to at least one other dimension of security. In other words, security-related activities must deliver value at multiple points across the rest of the security program and, of course, the business. Pragmatic, focused, outcome oriented.

It isn’t just about vulnerability CVSS scores, it’s about exposure. It isn’t just about a password policy, it’s about effective access control. It isn’t just about backups, it’s about resilience. vCISOs should be helping you consolidate, compress, and focus your security objectives so that you’re addressing the exposures that represent the greatest opportunity for pragmatic, measurable, and sustainable controls. Moreover, your vCISO should be helping you identify areas of strength and how to leverage them to address gaps. Lastly, the overarching tone should always be: getting the basics right. It’s far more effective to have the fundamentals functioning at a high standard than to have everything being done at a very low standard.

It’s not being suggested that full-time CISOs aren’t driving in the same direction, far from it. But the key difference here is that a vCISO is, by definition, fractional, which intensifies the need for efficiency, cost effectiveness, and actionable results for the company. All of which require focus combined with a high degree of ruthless pragmatism.


Need support with your cybersecurity?

Reach out to us today! We provide access to world class senior security experts. Our vCISO Practice delivers cybersecurity results, consultative and leadership expertise to protect you and your company.