Breaking the Cycle: How Context Switching Impacts vCISOs and What to Do About It

Breaking the Cycle: How Context Switching Impacts vCISOs and What to Do About It

After more than two decades in tech and security, I recently joined Cynomi as the company CISO. Over this period of time, I’ve served as an in-house CISO, as a member of larger CISO communities, as  an advisor and as a vCISO, across a number of industries.

One of the stark differences I’ve experienced between CISOs and vCISOs, is the need to context switch. A vCISO or MSP/MSSP, has to jugge clients, tasks and security roadmaps, not to mention running their internal business. But that juggling, professionally known as “context switching”, impacts productivity. I’ve even seen cases where it cost a provider their business sustainability and impacted future growth.

I’m not here to spread FUD, but rather to bring ideas and solutions. Below are tools, tips and technologies that I’ve used or seen others using effectively. Meaning, they have been proven to help overcome context switching for vCISOs. They drive efficiency, help provide better security and compliance services and create opportunities for scaling. Try them yourself and let me know if they helped you as well.

What is Context Switching? Brief Reminder

A context switch is when a computer’s operating system changes from executing one task to another. To do so, the computer saves the state of the current task and loads the new one, so that the CPU can execute it. While this is a key feature of modern operating systems, it also has a negative impact on system performance.

Similarly, when humans go through the mental process of shifting focus from one task, topic, or activity to another, it also affects performance. We have to reorient our attention, recall details about the new task and re-engage with it. This could result in reduced productivity, increased errors and stress and fatigue.

Context Switch is Draining

When humans switch tasks:

1. Our brains must drop the current task and pick up where we left off on the new one, creating a cognitive load.
2. Some of our focus may remain tied to the previous task, slowing down performance on the new one.
3. It takes time to re-familiarize ourselves with the new task or context.

According to Gloria Mark, Professor in the Department of Informatics at the University of California, Irvine, it can take 23 minutes to refocus after a task switch. If you’re juggling multiple priorities, this adds up, resulting in fewer deliverables within the same time frame.

The Challenge of Context Switching for vCISOs

The diverse, dynamic and technological nature of security and compliance responsibilities makes context switching particularly challenging for vCISOs. For each client, vCISOs have to deal with unique:

• Tech stacks and product roadmaps
• Security technologies, tools and frameworks
• Risk tolerances
• Security maturity levels
• Threats and vulnerabilities
• Compliance regulations (if you’re working in different industries)
• Security plans
• Stakeholders: IT, executives, auditors
• Strategic business priorities
• Culture

Plus, just like any external consultant, vCISOs work with multiple organizations, requiring the ability to hop between different clients, tasks and details.

This means that vCISOs need to be able to manage multiple concurrent security and compliance priorities. For example, incident response planning for one client, compliance reporting for another and strategic discussions with C-level executives for a third. All while adapting them to each organization’s risk appetite, business strategy, regulatory requirements, IT architecture and culture. They also need the ability to govern the use of multiple tools across different environments.

From a strategic point of view, vCISOs need to uphold each client’s security posture and planning. This includes knowing the details of existing gaps, creating and managing the plan to overcome them and overseeing the progress.

Just as importantly, vCISOs need to be able to adapt their communication, tone and technical depth style for each stakeholder in each company. This might mean interacting with dozens of people in a professional context on a weekly basis.

Finally, the cybersecurity field is evolving quickly, with new threats and vulnerabilities emerging daily. vCISOs need to be able to translate the impact of these risks to each client’s ecosystem, as well as the new tools and technologies evolving to address them.

While these are all complexities in-house CISOs face as well, their focus is on one company. This means one CEO, one risk assessment to address, one architecture, one business culture and one security posture to improve. They hold the complete company picture and are immersed in it. vCISOs, on the other hand, deal with multiple such perspectives, and sometimes only have a limited view into the inner workings of the company.

The Impact of Context Switching on Your Business

Context switching is not only an inconvenience. Rather, it has a significant twofold impact. First, there’s the security impact. Frequent context switching increases the likelihood of inconsistencies and errors, such as applying incorrect policies or overlooking specific client requirements. These can result in misconfigurations, not patching on time, leaving vulnerabilities and more. On a more strategic level, mental fatigue can reduce the ability to make the right security decisions that will bolster clients’ security posture.

But even more importantly, the business impact of context switching impedes your ability as a vCISO to maintain and grow your business. If clients perceive that your attention is divided and that communication is inconsistent, or they sense recurring errors, they may feel their security is not a priority. This can damage relationships and confidence in your ability to protect their organization. You could lose them as a client, as well as the referrals they bring recommending you to others.

Proven Tips for Overcoming Context Switch

Reducing context switching is crucial if you want to maintain productivity, ensure strong security outcomes and build your company. Here are some practical tips you can follow:

1. Prioritize Tasks Based on Risk and Impact

As a general rule, start with what brings value and impact. Evaluate tasks and incidents based on their security implications and urgency. You can use a risk register to help prioritize them and support your decision-making. Address high-risk tasks (e.g., active threats) before routine activities. Answer C-level queries before tactical questions. Create reports to show posture and ongoing progress before moving on to the next security pillar (unless it’s an active threat).

2. Batch Similar Activities

One of the challenges of mental shifting is refocusing on different types of tasks. Deep work like learning about a new compliance framework requires different cognitive skills than answering emails. Perform similar tasks in dedicated blocks of time to reduce mental shifts. For example, review all client security dashboards during a morning session, then focus on client communications in the afternoon.

3. Adopt Effective Communication Practices

Almost cracking a new client strategy but then being interrupted by an alert for a client meeting is the ultimate professional anti-climax. Go asynchronously. Encourage clients to provide updates or requests in writing, allowing you to respond during planned intervals. Meetings still matter, so schedule regular (e.g., weekly or bi-weekly) check-ins to address that need while reducing ad hoc meetings and interruptions.

4. Document Everything

Replicability and standardization reduce friction. Keep detailed playbooks and set processes for common scenarios like incident response, compliance audits, or vendor assessments, as well as detailed notes for each client. These can help streamline processes while also enabling you to share them with other team members, so they can perform them instead of you, reducing your cognitive load.

5. Delegate and Build Teams

Build small, specialized teams for each client to handle routine security tasks. Delegate operational tasks to team members or external vendors, allowing you to focus on strategic priorities.

6. Use a vCISO Platform

A vCISO platform is an automated platform that provides and generates everything required to provide vCISO services at scale. This includes risk and compliance assessments, security gap analysis, tailored policies, strategic remediation plans with prioritized tasks, tools for ongoing task management and risk management, security progress tracking and customer-facing reports.

As such, a vCISO platform acts as the central cybersecurity and compliance management hub and is the one source of truth for the vCISO, for each client individually and for all clients together.

Due to these capabilities, a vCISO platform allows vCISOs to easily create and manage multiple clients. They can track security and risk postures, monitor compliance and security framework complacency, prioritize and manage tasks, allocate resources and generate reports that quickly show the value of their vCISO services. All, from a single dashboard for all clients.

These capabilities take away most of the challenges of vCISO context switching:

• Priorities and current security and compliance statuses for each client are clearly presented and managed. vCISOs are always updated on the latest mapping, gap, task status or progress, without the delay that accompanies retrieving the information.
• This also makes it easy for vCISOs and teams to understand what to work on next. Rather than having to remind yourself about important gaps to address or what was the next task discussed with the client, the information is readily available.
• Switching between clients also becomes easier. Comprehensive visibility into all clients from a single dashboard eliminates the need to switch between tools used to manage each client separately. 
• A single dashboard of all clients and their current gaps and task management status makes it easy to prioritize clients and see which one to address next.
• Communication with stakeholders is also simple and streamlined, since reports are easily generated and any question can be answered in just a few clicks.
• Unlike a spreadsheet or emails, automations and standardizations eliminate the need to manually update client accounts or employees, alleviating one more task to (context) switch to.
• Finally, a high quality of work is ensured through the security and compliance tasks the platform takes care of, like generating policies.

Plus, the vCISO platform provides additional advantages the help overcome some of the inherent challenges of context switching:

• Anyone on the team can quickly use the platform, enabling easy delegation of tasks and the workload.
• Enhanced productivity due to automations and standardizations when performing security and compliance tasks increases productivity and grows revenue.
• Seeing the full picture of clients’ security gaps helps vCISOs upsell their services that can address them, to further grow their business.

Context switching drains productivity and focus, especially for vCISOs juggling multiple clients, frameworks and stakeholders. Follow these actionable strategies to relieve the toll on your performance and to grow your business. Learn more about how a vCISO platform can help you as well.