Chapter 1: Before you start delivering services: Goals & pitfalls to avoid
Before diving into the activities themselves, here’s a reminder of the vCISO’s goals and organizational risks. This list should serve to guide you throughout the first 100 days and beyond.
As a vCISO, your job is both strategic and operational, requiring a careful balance between security priorities and business objectives. This chapter outlines the key goals you need to focus on during your first 100 days and highlights common pitfalls to avoid. By keeping these guiding principles in mind, you’ll not only set yourself up for success but also ensure that your efforts align with the long-term needs of the organization.
Primary goals
As a vCISO, your primary and most important goal is to establish and maintain the organization’s security posture in the dynamic threat landscape. The role requires an understanding of technological security requirements, the organization’s business objectives, and the balance between them. A vCISO is a key player in establishing a robust, yet flexible, security strategy.
Pitfalls to avoid
Being a vCISO is a demanding and strategic role, which makes it crucial to stay focused on your key goals (outlined above). However, certain pitfalls can derail your efforts, so it’s essential to be aware of them and avoid them whenever possible.
Not getting leadership buy-in
One of the common challenges faced by vCISOs is not securing leadership buy-in. This can manifest in various ways, such as leadership questioning the cost of a vCISO, asking, “Can we make this cheaper?” or “What can we get for half the price?”
Two common reasons for this are:
- They don’t fully understand the risks. If they don’t understand the severity or implications of these risks, they are less likely to allocate the necessary budget or resources. This is why it’s crucial to ensure that everyone has a shared understanding of and vocabulary around risk. For instance, when you label something as a “critical risk,” does that mean a billion-dollar impact or a million-dollar one? Does it indicate an imminent failure? What does “critical risk” mean in your context? Is it a low-impact event that occurs once every 10 years?
- They didn’t plan for this budget. Often, organizations fail to allocate a budget simply because it wasn’t part of their initial planning process. This can lead to slower progress, stretching a one-year project into two or more. Without proactive planning, it’s difficult to secure the necessary resources later on, as there may be competing priorities or unanticipated constraints. It’s essential to create a roadmap early on that not only identifies the risks but also outlines the financial investment needed to address them. When the budget isn’t planned for, it can result in significant delays, compromising both the speed and efficiency of risk mitigation efforts.
Putting out fires
As a vCISO, your primary goal is to stay strategic, but it’s easy to get caught up in reacting to immediate issues rather than focusing on long-term planning. For instance, as the security expert, company staff may frequently turn to you with security concerns and questions. However, you might not always be familiar with the existing protections or fully grasp the business implications, which can slow down your strategic tasks like governance and gaining leadership buy-in.
Getting caught up in organizational politics
Maintain your objectivity and focus on achieving security outcomes. As an outsider, you have the advantage of not being drawn into internal disputes, which can compromise your effectiveness. Since you may be unfamiliar with the internal dynamics or the history of the individuals involved, it’s vital to remain impartial and avoid the appearance of taking sides. Your focus should always be on adhering to laws, regulations, and best practices while building relationships to achieve security goals.
To mitigate the risk of bias, conduct stakeholder interviews from the top down, starting with CEOs and board members. Beginning with IT managers or middle managers might expose you to internal politics, potentially skewing the insights you present to the CEO. A top-down approach ensures that your assessments and recommendations remain unbiased and aligned with the organization’s strategic objectives.
Juggling too many industries
Having an Ideal Customer Profile (ICP) is crucial for tailoring your vCISO services to the specific needs and risk profiles of your clients. Spreading your services across too many diverse industries can dilute your expertise and increase the risk of errors. Trying to keep up with industry trends and regulation changes across multiple sectors can be overwhelming and ineffective. By concentrating on specific industries, you can replicate success and minimize risk through familiarity and targeted knowledge.
You can allocate specific CISOs to cover distinct sectors within your company, such as one CISO for healthcare and another for financial services. However, if you have only one vCISO for all your clients, don’t expect them to be an expert in every industry.
This approach helps manage complexity, increase efficiency, and ultimately improve profitability.
Using manual processes instead of automation
Automation is essential in cybersecurity. Manual processes are time-consuming, error-prone, and inefficient compared to automated systems that ensure standardization and keep you on track. When delivering services for multiple clients, using automation becomes crucial.
Forgetting about compliance
Ensuring compliance involves aligning the organization with relevant laws, regulations, and industry standards, which is essential for avoiding significant legal and reputational risks. Compliance is often a requirement for certain clients, making it a critical component of your role. Effective risk management naturally includes maintaining compliance, so it’s important to never overlook this key responsibility.
Being too dogmatic
Security measures should support business objectives, not hinder them. While maintaining a flexible, open-minded approach is important, there are times when being dogmatic is necessary.
For example:
- Security: Employees might resist multi-factor authentication, but it’s a critical security measure that must be enforced.
- Communications/team interactions: Avoid imposing rigid structures or rules that inconvenience the team. One example involved a virtual CISO who insisted on 30-minute calls with the team twice a day, which proved to be unworkable. Remember, you’re there to serve the business, and it’s crucial to be a cultural fit for the company. Adapt to their needs and work seamlessly within their environment.
Focusing too much on tools
Spending too much time managing security tools and configurations detracts from your ability to be strategic and scale your services. Prioritize oversight and strategic guidance to maximize efficiency and value for your clients. For more on how to adopt a strategic risk management approach, refer to Course 2.
Avoiding difficult conversations
Being flexible doesn’t mean avoiding challenging established norms or practices if they present security risks. This often involves difficult conversations with stakeholders to effectively articulate and manage risk. There will be tough decisions and discussions—this is a necessary part of the role. It’s crucial to know when to escalate issues based on policy guidelines. If there’s no policy guiding your actions, evaluate whether there’s a real problem.
Remember: As a virtual CISO, your role is to advise on risks, not make decisions for the company. Your job is to uncover risks and recommend actions, while the company makes the final decision on how to handle them.
Forgetting to integrate data from other parts of the business
Leverage your industry-wide expertise and experience to ensure comprehensive data integration across all business areas. Efficient integration facilitates quicker, more informed decision-making and enables faster response to security incidents, with actions such as patching, blocking suspicious IP addresses, and disabling affected user accounts.
Chapter summary
- The primary goals of a vCISO are to establish, oversee, and manage organizational security, to foster trust across the organization in its security goals, and to make security a business enabler.
- Key pitfalls to avoid include not getting enough leadership buy-in. This is a common challenge for vCISOs, often due to a lack of understanding around cybersecurity risks or inadequate budget planning. Another key pitfall is getting distracted by short-term issues, or “putting out fires,” which can shift focus away from long-term strategic goals and diminish effectiveness. Other key pitfalls include getting involved in internal politics, relying too much on tools, not leveraging automation, avoiding difficult conversations, and juggling too many industries.