How to Develop vCISO Security Services
Increasingly stringent data privacy regulations and the high consequences of a data breach are two chief sources of demand for virtual chief information security officer (vCISO) services.
But a common mistake made when considering offering such services is approaching it like any other IT investment. In reality, vCISO services require a different skillset, different certifications, and even a different technology stack.
Meeting Client Needs with vCISO Services
Organizations looking to establish a vCISO practice should look at initiatives that don’t require a significant upfront investment, that will strengthen partnerships between your MSP and your small businesses clients, and that will provide opportunities to cross-sell new products sooner. When rolled out correctly, vCISO services establish relationships for MSPs that, as they mature, provide avenues for providing more expensive security services based on customer needs.
When establishing a new vCISO practice offering security services, consider offering the following:
1. MSP Audit/Assessment (Health Check)—Review your small business clients to verify they are making full use of MSPs and provide any recommendations for better aligning IT security needs with MSP offerings. Also, discuss upfront financial planning for the delivery of these security services.
2. Security Program Assessment—Conduct a review of clients’ current security practices against a selected risk management framework such as ISO/NIST. This will help you build an understanding of issues to help a client overcome or allow you to provide recommendations to other vendors. The list of assessment findings can be used by you to help the client create a strategic plan of prioritized initiatives to mature their security portfolio.
3. Security Score Card—Run a business impact analysis assessment for the client. Identify business-critical assets you can help protect. This assessment report should establish a risk baseline for the client and factors which might affect it.
4. Executive Cyber Threat Profile Analysis—This question-based analysis with the executive management team can be conducted as a tabletop exercise. Help your client’s leadership team identify the threats they face and use it to help them make informed resource allocation decisions.
5. Threat Analysis via Dark Web, Deep Web, and Open Source—Offer threat intelligence services and user dark web tools to analyze the footprint of the company, its executive leadership, and strategic partners on the dark web. Prepare your findings in a report to executive leadership.
6. Cyber Threat Profile Analysis—This report should review and analyze cloud infrastructure security and IT risks, and also involves a cybersecurity maturity assessment.
7. Compliance Planning, Assessment, and Management – Assist in developing a program to help your clients achieve the critical regulatory compliance measures to absolve or reduce their liability in the event of a breach. These include the NIST Cyber Security Framework (CSF), CSF Security Control Maturity Mapping, NIST (800-53ver4, UCTI, 800-171, CUI), a PCI DSS assessment, and a GDPR data privacy assessment.
Implementing these services as a part of your vCISO offerings will put you in an excellent position to succeed, when paired with the right people, experience, technology, and certifications. The assessment services especially will help you help your clients understand how resilient they are to cybersecurity incidents and provide a map of the revenue-generating services you’re able to offer.