Preparing Your IT Team to work with a vCISO: a Step-by-Step Guide

by Nicholas McCourt

According to recent reporting from Channel Futures, the market offering for virtual Chief Information Security Officer (vCISO) services is set to expand by 480 percent between now and the end of next year. In fact, most MSPs say they will soon offer senior cybersecurity consultants for their clients.

The reason why is no mystery. Despite more sophisticated cybersecurity practices, cybercrime is still at an all-time high. Three-quarters of cybersecurity incidents happen to smaller businesses. And let’s not forget, the bar for entry for hackers is lower than ever, thanks to the democratizing power of AI.

Companies are under more pressure than ever to have enterprise-level cybersecurity, and they’re turning to the world of cybersecurity consulting to get it. For most companies, working with a vCISO is a scalable, affordable way to get highly qualified cybersecurity leadership for your company. 

If you’re considering working with a vCISO, you’re in great company. But the quality of your relationship will depend on starting smart. Let’s discuss everything your internal IT team needs to know to make the most of its vCISO engagement. 

First, let’s discuss what your vCISO should be able to do for you. 

Step One: Get Clarity around the Services Your vCISO Will Cover

Start by asking if you’re getting an actual person assigned to you or whether you’re contacting a help desk. It’s essential to have a dedicated security professional who can understand your business and how an information security program can best support it. 

When you have a vCISO on your regular team, that person will oversee your cybersecurity. Remember, this person will not handle ongoing patching, onboarding/offboarding for cybersecurity tools, or the like. You will need another resource for handling the day-to-day operations of your cybersecurity tools and platforms—whether that’s your internal IT staff or contract MSP resources. 

Your vCISO should provide mission-critical leadership around your cybersecurity efforts, including: 

  • A complete security assessment with written recommendations 
  • Continuous assessment of your systems on a monthly basis
  • Formal advisement on a yearly cybersecurity plan with budgets and implementation timelines 
  • A comprehensive overview and review of your cybersecurity policies and procedures, as well as the writing of any additional information and security documentation you need
  • Incident response planning and leadership, including tabletop exercises
  • Security monitoring and reporting for your c-suite that matches up to your organization’s information security KPIs
  • Preparation for cybersecurity audits by your regulators, vendors, cyber risk insurers, and potential customers
  • Leadership of your incident response, remediation, reporting, and forensic analysis

Before you begin your engagement with your vCISO, discuss exactly what services they will provide and how they expect to interface with your security vendors and IT staff. 

Step Two: Assess Whether This vCISO Is a Good Match for Your Organization

A reputable vCISO will come well-armed with degrees, certifications, and years of experience in their field. Specifically, they will have a bachelor’s and/or master’s degree in computer science, IT administration, business administration, or a related field. Most will have a CISSP Certification (Certified Information Systems Security Professional) or another relevant credential such as a CISM (Certified Information Security Manager) or CISA (Certified Information Systems Auditor).   

Ask about their qualifications. More importantly, ask how many companies they have helped in your industry vertical. Your vCISO must understand your industry’s regulatory frameworks and unique IT challenges.  

Of course, it always pays to ask yourself: Does this vCISO align well with my company’s work style and overall security goals? They need to be a strategic, procedural, and cultural fit to work well with your company. Having this discussion upfront can prevent a mismatch. 

Step Three: Establish Working Roles and a Chain of Command

Now that you’ve determined what your vCISO will do, it’s time to get specific about how and how often this work will be done. Nail down issues such as: 

  • How often will meetings occur between the vCISO and your IT leadership?
  • Which internal IT leader will meet with the vCISO regularly for day-to-day needs?
  • How often will the vCISO report to your board or executive leadership?
  • Which team members will help the vCISO prepare your organization for audits or regulatory reviews?
  • What is the escalation path for security incidents?

When everyone knows their role, your engagement will go much more smoothly. 

Step Four: Pull Relevant Documentation for vCISO Review

When you begin an engagement with a vCISO, the first order of business will be conducting a thorough cybersecurity assessment. To do that, they’ll need to access documentation about every part of your IT operations. Here’s what you’ll need to provide them with: 

Network and Infrastructure Data: 
  • Network Diagrams covering the organization’s network topology, including devices, subnets, and connections 
  • Server and Endpoint Inventory that identifies all servers, workstations, and other endpoints 
Security Policies, Plans, and Procedures: 
  • Security Policies, including acceptable use, incident response, and data protection policies 
  • Access Control Policies, permissions, onboarding/offboarding, and authentication mechanisms 
  • Management Policies that help govern business units 
  • Personnel Policies that help direct your employees in best security practices
Logs and Monitoring Data: 
  • Security Event Log Summary Reports for firewalls, intrusion detection/prevention systems, and other security devices 
  • User Activity Log Summary Reports related to user access, authentication, and authorization 
Vulnerability Assessment Data: 
  • Vulnerability Scans and Reports that have identified past weaknesses in systems and applications and the remediations done against these 
  • Patch Management Data showing the organization’s patching process and patch status 
Incident History and Response Data: 
  • Incident Reports showing past security incidents, their impact, and the organization’s response 
  • Lessons Learned, including how incidents were handled and what improvements were made 
Compliance and Regulatory Data: 
  • Compliance Documentation, including compliance reports, audit findings, and evidence of adherence to industry standards (e.g., GDPR, HIPAA, PCI DSS) 
  • Risk Assessment reports conducted by your company 
Physical Security Data: 
  • Physical Access Control documentation for data centers, server rooms, and other critical areas 
  • Security Cameras and Surveillance schematics showing the organization’s physical security measures 
Business Continuity and Disaster Recovery Plans: 
  • BCP and DR Plans that outline the business continuity and disaster recovery efforts your company has enacted, including testing results 
Third-Party Vendor Data: 
  • Vendor Assessment showing any third-party vendors’ security practices and their access to your systems 
Employee Training and Awareness Data: 
  • Security Training Records that review what security training topics employees have been taught and their relevant scores on these lessons 

Remember that the vCISO treats this data with confidentiality and uses it to identify risks, recommend improvements, and align security efforts with the organization’s business goals. 

Step Five: Agree on a Time Frame for the Assessment and Who Will Help the vCISO During the Process

As you can see, an accurate cybersecurity assessment is a comprehensive and potentially labor-intensive process, even with a vCISO’s leadership. Talk to your team in advance about who will provide all this documentation for them to review and who will be on call to answer questions.

If the vCISO needs access to the back end of your systems for testing and review, arrange the necessary credentials. Establish gates in your assessment schedule for providing the information, the review period, and when you can expect to see the final report. 

Remember, once you’ve got this baseline assessment, a vCISO on a monthly retainer will continuously assess your cybersecurity operations as an ongoing process. This is important to maintain your progress and stay ahead of emerging threats. 

Step Six: Involve Your Whole IT Team in the vCISO’s Reporting

When the reports from your vCISO—for their assessments, monthly monitoring, and quarterly recommendations—come back, who will receive the results? We recommend including your whole team on vCISO recommendations and establishing KPIs everyone can get behind. The transparency will benefit your team and help lead to group solutions. 

If you’re running a small organization with most of your IT operations handled by an MSP, then making those results available to your MSP team is crucial.  

Step Seven: Establish a Department-Wide Implementation Timeframe to Address the Report’s Findings

After an assessment, your vCISO should provide a roadmap for the cybersecurity improvements you need to make. This will undoubtedly involve your internal team and wider MSP resources. Sit down with your team to double-check the plan’s feasibility, secure a budget, set deadlines, and agree on a path forward. When everyone buys in up front, there’s less confusion later. 

Working with a vCISO: Teamwork Is Key

Collaborating with a vCISO can significantly enhance your organization’s cybersecurity posture. That’s why we generally recommend your vCISO have ties to leadership not just in IT but also in Finance, Human Resources, Marketing, and Operations.

By preparing your senior leadership to interface with your security operations, you establish clear communication and align goals that center cybersecurity in your company. Remember, the vCISO is not just an external consultant but a strategic asset committed to safeguarding your business in the digital age. Why not make the most of it? 

If you’re interested in getting contract cybersecurity leadership for your organization, we’d love to help. Our national vCISO practice has helped dozens of companies future-proof their cybersecurity and set their businesses up for success. Contact us for a free consultation. 

Nick McCourt is a vCISO, CISSP at Integris.