The Secret To Implement Your vCSO Offering

As vCSO—that is, a virtual chief security officer—you have some big shoes to fill. You’re the key person contributing to the design and approval of an organization-wide security strategy. That means you will be responsible for the end-to-end lifecycle of security operations within the organization. Some of the highlights might be:

  • Evaluating the IT threat landscape for your client.
  • Devising policies and controls to reduce intolerable risk.
  • Creating a strategy that makes sure people, process and technology are being addressed toward security goals.
  • Leading audits to validate that the strategy is working as expected.

None of these are small feats! In addition to everything listed above, you will also make sure stakeholders—leadership and board members—are on board with the security funding and resources needed to meet your security outcomes. You will be key in establishing partnerships with external vendors and other experts to make sure your client is prepared for ongoing threats. You are ultimately where the buck stops for managing information security initiatives across all departments of the organization and for making sure that business practices embrace those initiatives.

But how do you initiate a CSO offering that your clients will understand and be excited about?

This is a huge hurdle. Developing a CSO program is more than just sitting down and devising a complete program over the course of a weekend. It takes time to figure out what exactly your clients need and what they are looking for as deliverables. Since most of them may not even know what a CSO role would be within their organizations, you probably will also have to get them to see what the experience and outcome would look like in a way where they can see a direct benefit.

That’s where an established CSO framework comes in.

Your vCSO framework will probably need to consist of (at minimum) the following components:

Risk-Based Decision Making and Communication

Showing and putting cybersecurity risk in the right context for decisionmakers is NOT an easy task! ‘Winging it’ or creating on the fly will not go well. In this session, we will go through a decision-communication model to guide you and your team through high value vCSO engagements.

Incident Response: Working Through the Worst-Case Scenario

Your clients may never have thought that many scenarios would come to fruition (data breaches, ransomware attacks, even natural disasters). But in a more uncertain world, how can they continue to go without thinking about business-shuttering events? In this session, we will walk through common tabletop exercises where leaders appreciate input from a CSO, and help you lead your client organization’s thinking on disaster planning. We will also provide you with a decision matrix to work through incident response.

Why Their Asset Management Is Not Buttoned Down

Organizations struggle to understand what assets they have and whether they are at risk. This opens the door for exploitation. Asset management is one critical sub-discipline within security hygiene and posture management that a CSO needs to have a handle on. In this session we will help you discover, categorize and analyze all assets from a security perspective. This means understanding the likes of asset locations, owners, configurations, vulnerabilities, and then figuring out which ones pose the biggest risks. These assets may be inside the organization, in data centers, or deployed to the cloud. They may be walking around, or within an employee’s head. We will help you synthesize a way to handle all of this critical information and implement a system that will make it easy to capture and address asset-based security concerns.

Making Sure Maintenance Is Happening And Prioritized

It is exceptionally hard to make sure everything is happening when it should. Maintenance is one of those issues that often gets overlooked. As the CSO, you will be the one to make sure that maintenance items—especially key items—are being addressed. And when they aren’t, you will help come up with strategic solutions to get them solved. That doesn’t mean rolling up your sleeves yourself. It means defining a solution and the steps to get to that solution. In this session, we will highlight the key maintenance items you will want to have a handle on, how to communicate ongoing maintenance to an audience that simply doesn’t care (unless it creates a problem) and how to get sidetracked maintenance-based projects back on track. Remember, your MSP may not be responsible for the maintenance…you may have to be tactful to get it accomplished without destroying relationships with other key stakeholders.

Their Physical Security Matters More Than You Think

Securing premises and devices from physical attacks can be just as challenging as defending against cyber threats. Making sure your client’s userbase sees security in action in their physical workspaces is critical to reinforce security hygiene on their networks. At its core, physical security is about keeping their facilities, people and assets safe from real-world threats. This includes physical deterrence, detection of intruders, and responding to those threats. In this session, we will go through common physical security items to evaluate and present to decisionmakers.

Creating and Maintaining Policies and Procedures That Will Actually Stick (i.e., that will Work!)

How do you devise policies that will actually help users understand WHY they are in place? Is your goal to simply have a pile of policies that no one really uses, or do you want to create policies that organizations effectively comply with? The same goes for the procedures that support those policies. As a CSO, you will be given the responsibility to help guide your organization’s privacy and security-related policies and procedures. In this session, we will go through choosing policies that fit your client’s mission. We will also review a methodology to annually review and refresh policies and procedures and determine how they fit with compliance constraints.

The CSO role within your client organizations is becoming more than a “just nice to have” position. It’s purely a necessity right now. With cyber insurance not capable of transferring much of their business risk when it comes to data security, your high value clients WILL need someone overseeing their security strategy. This is a HUGE opportunity right now for you as a provider to help them with a solution that will not only get them to operationalize security within their businesses but will offer you a high margin forward-thinking solution that will make a big impact on the organizations where it is implemented.

To help MSPs address this need, we have designed a framework based off 3 years of CSO operations within MSP clients. This framework is exclusive to the MSP community and has worked to build companies ranking at the top 10% of their industry’s security standards.

More information on this MSP-revolutionizing program can be found at www.galacticscan.com/vcso.