vCSO: CISSP NOT Required

If you have ample experience, are interested in on-going training, and are looking to educate your client community and protect users, a CISSP is optional when offering a vCSO solution.

A CSO doesn’t need a CISSP; rather, they need experience to lead and manage a security program!

I’m sure you’ve read that in order to be a Chief Security Officer (with the CSO behind your name) you need a variety of additional letters—specifically CISSP. While the CISSP does have value in communicating that you know your stuff, it is entirely a false predictor for a successful CSO. When it comes to offering your vCSO solution to high value clients, you will most definitely want to be thinking about where your successes come from as a CSO—and they better be demonstrated rather than simply on paper!

What does a CSO really need to get the job done? Many of the key, high-value experiences absolutely required to lead a security program are not among the skills tested on the CISSP examination:

Communication skills—Having done the CSO role for many years now, I can tell you that communication is your biggest asset. If you know all the tech, can fill out a scantron sheet with all the right answers, but cannot get yourself to talk to people with other perspectives within the business, you’ll be a complete and utter failure at the CSO job. Stick with that analyst position and keep your head down. If the leadership team or the C-Suite doesn’t appreciate or understand their risks and cannot make sound decisions to address current threats, you’ve failed. You will be an asset interpreting all the technical detail and translating that information into actionable priorities.

Leadership qualities—This comes without question. The CSO is a leadership position. You will need to make sure the technical team is able to follow through on their promises. Hold people and teams accountable for getting the job done.

Strategic understanding of where security meets technology within a business context—Security does not work in a vacuum (even though many of us might wish it did!). You will need to understand how your client’s business works and ask questions of security solutions to make sure they facilitate buy-in from your clients’ teams.

Understanding the core of the business and its functions—You will be head-to-head with other C-Suite individuals. Instead of simply dictating a way forward, you will need to get to know and understand other perspectives. The security head is a relatively new seat at the table. Unless you appreciate that and can come at your security problem as one that includes everyone else’s issues, your solutions will fall short.

Yes, you will need to have some security chops—or the ability to understand, address and resolve security issues. You will be expected to spearhead the organization’s risk management strategy, which may comprise oversight of maintenance, compliance, security controls and security solutions.

NONE of these qualities require a certificate. ALL of them require experience running and growing a business. ALL of them are reflected in the core of MSP operations. If you’ve been improving and securing your MSP, the vCSO role is for you!

You will be the champion for developing and maintaining an enterprise security program. Be the resource that moves their incident response protocols and operations forward. You will make sure a security training program adequately meets their needs. And you are the one to show progress on security initiatives and discuss current threats with business leaders in an easy-to-understand way.

For all of the above critical CSO responsibilities, I strongly believe an MSP that is neck-deep in technical operations for tens to hundreds (or even thousands) of businesses is a great fit for the CSO leadership role—EVEN without a 5-letter CISSP behind your name.

Your experience cleaning up IT messes, your on-going education in Security Operations (SecOps), your interest in doing the right thing on your clients’ behalf and your ability to synthesize an advanced cyber stack that your team routinely evaluates and checks far exceed any piece of paper certifying your individual security abilities.

The fact that you are able to delegate to your team, make sure projects progress and ensure that your clients understand their risks gives you the precise qualifications for the CSO job.

When doing a quick Google search for the requirements of a good CSO, here is a quick list that I was seeing over and over again:

Coordinating security efforts to protect all facets of a business (IT, HR, Communications, Legal, Facilities Management, etc.).

Your team is already doing this while supporting SMBs on a daily basis. All you have to do is step up your engagement with the leadership representing these critical business areas and ensure that the solutions you have in place are meeting their needs from a compliance and data security standpoint. (Hint: we will cover this in our vCSO bootcamp.)

Manage implementing security policy and standards. Follow guidelines and procedures to ensure their network security meets specific standards.

This is where reporting comes in to help! vCSOs will rely on on-going reporting to verify—and communicate—the state of security within their client environment. By using an on-going analysis, you will easily communicate and prioritize initiatives to client leadership, then work with the IT team to make sure milestone initiatives are completed in a timely manner. Most of the actual legwork and follow-up are things your teams do on a daily basis.

Make sure assets are physically secure, monitor access control systems and video surveillance.

Again, this is something that many of you already do. And if you don’t, you can simply implement a checklist to review on a quarterly or annual basis to help your client adhere to a standard of physical security. (Note: you will also run with a checklist here from vCSO bootcamp.)

Make sure your client’s network security, network access and education awareness adhere to policies.

Again, this is simply going through a checklist to make sure your ducks are in a row. The most challenging part here will be organizing your report and readout to ensure you are communicating where gaps lie (something vCSO bootcamp will tool you with) and have solutions to address any outlying gaps (something on-going analyses will help you with—including prioritization).

Work with the executive team to develop security initiatives and security spending.

If you are handling managed contracts, you likely already have a cadence of meetings. All this means is a regular discussion on security and prioritizing initiatives each quarter. When you boil this down, the gist is that you are simply getting a few projects managed. We will go into detail on managing and prioritizing these projects within the vCSO bootcamp.

Oversee incident response and investigation of breaches, and help with data breach recovery.

You should already be doing incident response planning within your MSP, so you already should have the experience to start helping your clients with incident response. We have the templates to help you with this. Incident response is simply working through scenarios and identifying the steps involved in getting their business running again. When it comes to dealing with actual responses, realize that you don’t have to do everything. You probably will bring in experts that deal with incidents day to day. You simply are asking the right questions and have the tools to communicate or explain the situation to your client. You are the trusted advisor, NOT the hands doing all the work. Your work is simply to explain and make decisions easier. You are not the one making the final decision or pushing the red button. You are simply helping make sure others on the leadership team are able to understand how to make the soundest decision.

Bottom line: If you’ve been running an MSP for some time, you most definitely have the experience businesses are desperately looking for in CSO positions. You might not have a master’s degree in cybersecurity and might not have 5 letters after your name, but you DO have all the experience those different “qualifications” might provide, which makes the business case for hiring you and your security-centric team over someone with a whole bunch of letters after their name.

The fact that you—as a leader within your MSP—are thinking about security seriously enough to be engaging in vCSO services is a testament to your commitment to your clients and dedication to keeping them secure.