
Questions to Ask a vCISO

CISO (Chief Information Security Officer) services can be an excellent business solution, but they don’t come without challenges. Many companies rush into finding vCISO services and end up with a relationship they did not expect. If your organization is considering going this route for your cybersecurity initiatives, you’ll want to compare providers. Start the process of hiring a CISO-as-a-Service by asking potential partners these questions.

Why Should You Consider Hiring a CISO-as-a-Service?

There are many reasons that companies choose to hire a CISO-as-a-Service. It allows companies of any size to have a robust, best-in-class cybersecurity strategy and plan. It’s an affordable approach to managing cybersecurity activities and enables organizations to mature their cybersecurity posture. Many startups or leaner enterprises don’t have the option to pay a high salary for a CISO.

You can engage a CISO-as-a-Service provider to provide strategic and tactical support. There’s no training time involved in hiring a consultant, so there’s no delay in getting started.

Time to Ask the Right Questions

There are many options for CISO-as-a-Service for businesses. However, they aren’t necessarily equal in their capabilities, experience, or breadth of services. Some providers also treat the service as one-size-fits-all, and that’s not in anyone’s best interest. Every company is unique and has its own sets of risks and challenges. To best compare the offerings, ask the right questions.

1. Do they have experience in your industry and the compliance regulations specific to it?

Highly regulated industries, such as healthcare and finance, have specific needs when it comes to CISOs and cybersecurity. There are laws and regulations to which you must adhere. If that applies to your business, it’s imperative to ask about their past experience with these compliance measures. Without specific experience, you may find the provider hitting a learning curve, which could cause delays and exposure to risk.

2. Do they have audit experience?

On day one, the CISO-as-a-Service should perform audits to understand where your cybersecurity is and where it needs to go. These are fundamental activities, but this doesn’t mean every provider offers them or has experience with them.

The most important audits are a data Breach Prevention Audit (BPA) and a CMMC (Cybersecurity Maturity Model Certification) audit. Ask the provider about how they conduct the audits and what the deliverables will look like. Request samples of these audits if available.

3. Have they developed and implemented strategic security plans?

The main objective of hiring a CISO-as-a-Service is for the firm to develop a strategic security plan and then implement it. When assessing vendors, dig deep into their experience with these two things. It’s one thing for a provider to say they’ve created plans in an abstract way. It’s another when they have specific examples of doing so for other customers and what they have helped them achieve.

For a CISO-as-a-Service to be legitimate and reputable, they don’t need a long list of well-known brands as customers. What they do need is case studies and data that show they were able to execute on developed plans. Viewing a high-level cybersecurity roadmap example can instill great confidence that the company has the experience to lead your security efforts.

4. Do they have expertise in strategic and tactical roles?

As noted, a CISO-as-a-Service can serve both a strategic and tactical role. In most cases, businesses want to leverage both. They must have expertise in both areas. Here are the differences:

  • Strategic CISO-as-a-Service roles assist leadership teams with cybersecurity strategies that align with business objectives. This strategy includes one-, two-, and three-year roadmaps. You’ll receive guidance and recommendations on cybersecurity best practices to prevent incidents and breaches.
  • Tactical CISO-as-a-Service roles actually execute the tasks within the strategy. The CISO-as-a-Service acts as a project manager to offer oversight on these activities.

5. Is there one point of contact?

Typically, CISO-as-a-Service isn’t one individual. Rather, it’s a team of experts that have knowledge in multiple areas. That’s certainly the model you want to find because it means you have access to a group of experts. But what helps is having one point of contact to discuss tasks and deliverables. A dedicated project manager helps keep things organized and streamlined so you’re always up to date.

6. What kind of reporting do they offer?

Reporting is key to cybersecurity. From regular reporting, you learn about vulnerabilities, threats, user behaviors, and more. At a minimum, you should receive monthly reports on these concerns and what the CISO-as-a-Service has deployed.

7. Do they have Incident Response Plan experience?

If you don’t currently have an Incident Response Plan (IRP) or haven’t revisited it in a while, this need will shift to your CISO-as-a-Service. Make sure this deliverable is part of their services. They can quickly develop an interim one, then work to craft a formal IRP and ensure all parties are aware of it and know their roles.

8. How do they stay up to date with cybersecurity trends?

Cybersecurity threats are always evolving. Threat actors use sophisticated phishing techniques, and hackers deploy many attempts to penetrate networks. You need a team that has a pulse on what’s going on right now in the security world. Ask potential partners how they stay up to date and learn about new challenges, solutions, and tools.

Ready to Hire a CISO-as-a-Service?

If you’re planning to hire a CISO-as-a-Service, be sure to ask these questions as you evaluate vendors. Our solution is comprehensive, cost-effective, and delivers value for your business. You can get started by booking a discovery session with me today!

A CISO Isn’t a Technical Role

The role of CISO (Chief Information Security Officer) is a relative newcomer to the C-suite. Its importance has grown considerably in the last decade as cyber threats became such a high risk. As companies decided they had real challenges with information security, the CISO gained more power to protect their data and digital interests.

There is no debate over the importance of having a CISO on staff, but I’m going to make a possibly controversial statement. A CISO isn’t a technical role. I don’t mean that those with this title shouldn’t have technical acumen, but there are other skills relating to leadership and strategy that matter more than being an expert on every aspect of cybersecurity.

In this post, I’ll make a case for why it isn’t a technical role and define the most critical CISO skills.

Who Are Today’s CISOs?

The path to CISO has evolved significantly in the past 25 years. In the early days, a CISO was compliance-focused, and the functions were purely in the IT bucket. Then risks became a bigger concern, and the job became much less tactical. CISOs were involved in policy and procedure development and creating frameworks.

In the past five years, CISOs have become a central leadership role. They have responsibility for a large portfolio, from cloud strategy to IAM (identity and access management) to mergers and acquisitions. They are the determiners of risk and its priority.

What Challenges Do CISOs Face?

To better understand the skills that matter for CISOs, it’s helpful to know where they are struggling. These insights are from the Global CISO Study.

  • Only 19% state they are highly effective at preventing security breaches.
  • 30% of those surveyed said lack of resources (people and technology) is an obstacle to better security.
  • Regarding talent, 91% said attracting and upskilling were critical for success, while 89% said retaining existing employees was.

Based on this data, I can make some assumptions. CISOs aren’t exceptionally confident in their security posture. They also have lots of concerns regarding staff. They don’t have enough, can’t attract them, and have a hard time keeping them. The cybersecurity job market is flush with opportunity, but that’s somewhat of a negative.

As I’ve talked about before, the demand for these roles created a swarm of paper tigers. These are folks with certifications in cybersecurity who don’t have the skills or experience to handle the demands of the job.

A CISO is like any other C-suite role. They have to build out a team, except now the org chart has more and more layers. This elevation, just like other executives, means they aren’t executors. They set the strategy, make the big decisions, and hopefully hire the right people.

A Less Technical “Outsider” CISO Simplifies Cybersecurity

The concern with a “technical” CISO is they may have come from a paper tiger culture. Lots of CISOs got the job because they had the certifications and degrees. Those hiring them weren’t technical. So, when such a person used overcomplicated language and complex cybersecurity frameworks, the CEO was like, “You’re hired.”

Unfortunately, that path could be making your cybersecurity weak and your network ripe for exploitation. These individuals posture, typically don’t listen to others, and have less-than-optimal communication skills.

Whereas if the CISO is less technical and not an internal ladder climber, it could simplify and improve cybersecurity. These “outsiders” are likely to have more clarity and do the thing they really need to do — lead.

They aren’t distracted by trying to be the smartest person in the room. Instead, they listen and communicate well. They defer to experts about the technical stuff or the newest tools to automate. The truth is cybersecurity strategies don’t need to be complicated to work. Simple is actually better in many cases. And simple comes from people skills, not technical ones.

What Are the Most Important CISO Skills?

An article in Forbes by Darren Death named the Top 10 Skills a CISO needs to be successful (full disclosure, he is a CISO). Here’s the list with my own commentary on each skill.

1. Communication and Presentation Skills

Every leader needs to be a master communicator. Having excellent communication skills is not the same as being articulate or liking to talk. Communication is about listening. When someone is a strong communicator, they engage in conversation with others to learn, not refute. Additionally, communicators use language carefully for clarity.

Presentation skills are equally important. At that level, you have to present findings to the rest of the C-suite and the board. These presentations must explain where the company is and where it needs to be in cybersecurity to get the funding and resources required.

2. Policy Development and Administration

Policies are the responsibility of a CISO, but technical prowess isn’t needed. What is necessary is developing things that are implementable at scale. What they create must meet the company’s goals and any legal requirements.

3. Political Skills

A CISO needs to be able to interact and persuade. They also need to know what the rest of the executive team needs and their cybersecurity concerns. This is where more of those great listening skills come into play.

4. Knowledge and Understanding of the Business and Its Mission

A CISO’s highest task is to keep what’s important secure. They can’t do this well if they don’t understand the business, its operations, and the missions it seeks to deliver. Grasping the big picture is essential for an effective CISO.

5. Collaboration and Conflict Management

Cybersecurity is not an island unto itself. It involves every area of the business. A great CISO creates partnerships with all those stakeholders. A culture of collaboration can go a long way to improving security. Being able to resolve conflict is also a plus because different parties have competing priorities and opinions.

6. Planning and Strategic Management

Being a planner is also a necessity for the role. There are lots of moving pieces in projects, as well as many people. In planning, a CISO must also be strategic to support the business’s desired risk posture. They also need to be flexible enough in these to pivot when necessary.

7. Supervisory Skills

The CISO is only the top of the team. They have many folks under them who are implementing and executing. Thus, the person in the role needs to be a proven supervisor who chooses to mentor and develop people. This is no place for a dictator.

8. Incident Management

Incidents will happen; preparation is crucial. The CISO should develop, test, and augment an incident management plan.

9. Regulatory and Compliance Knowledge

No matter the industry, there are regulatory and compliance obligations. A CISO should know these inside and out so everything the company does is in line with them. They’ll also need to stay on top of changes, which occur often.

10. Risk Assessment and Management

We end with risk ownership. Risk assessment and management is a never-ending part of the job. A CISO must be in tune with the fluctuating levels of risk and new and emerging ones.

If someone has these 10 skills, they are well-positioned to be a great leader in information security. If they happen to have technical skills, too, all the better. But a narrow focus on a technical CISO is likely to fall flat when what an organization needs is a communicator, mentor, and strategy expert.

CISOs Will Likely Be Culture Leaders, Too

A PwC and Harvard Business Review survey on making cybersecurity a competitive advantage also notes that culture will soon be in the CISO bucket. If that plays out, the need for soft skills like those above will far outweigh technical ones. They’ll be setting the security culture, but that has a significant impact on organizational culture. Security, after all, is a responsibility for all employees. Further, when a company has strong cybersecurity, it can be a competitive advantage. It can attract more customers and revenue, reduce costs in other areas, and contribute to job satisfaction.

Cybersecurity and CISOs Are Positively Evolving

The abilities that matter the most for a CISO to succeed have little to do with technical aptitude. The role evolved dramatically and will continue to do so in a positive manner. The entire industry of cybersecurity is, too, and can benefit from these skills. To revolutionize your cybersecurity practices and the team behind it, you’ll learn a lot from my book, The Smartest Person in the Room. Get your copy today for a better cybersecurity future.
