Why, if you’re not building a third-party analysis into your solution, you might be eroding trust with high-value vCSO clients.

Your job as a vCSO—that is, a virtual Chief Security Officer—is to focus on what’s important. What’s important to the business. Their immediate concerns, risks, and threats.

As you get your program started, I want you to think about how you communicate what’s important to your clients. You will likely take on many of the responsibilities in the vCSO toolkit, such as working through incident response planning, telling stories that relate back to their issues, and budgeting for an effective cyber stack that makes sense for their environment. But if you also tack on your own security assessment—one that was performed by your MSP—you will likely get some raised eyebrows.

A client who wants and needs someone in a CSO’s shoes to help their security program is not going to be 100% comfortable with you assessing your own work. They likely have someone double-checking their accounting work: an outside firm that, maybe quarterly, goes over their team’s work with a fine-tooth comb just to validate that they are doing things above board. Why wouldn’t they expect the same for something as critical as their data security?

What I’ve come to realize over years of leading clients through security is that performing my own security assessments on my own work doesn’t work well. They actually erode some trust with clients and add to the suspicious black box that many non-technical leaders see as their cybersecurity investment.

What they want to understand is that your team is doing enough to protect them in the event of an attempted cyberattack. And having a third-party show them results—even if there are some addressable items that can be strategically worked through—will put them in a better position to continue to invest in the right cyber stack and feel at ease with you leading them on their security journey.

This is especially important today, when business leaders are on the fence about investing in cybersecurity. They see no return on their investment and often do not even understand why they’d ever want to invest in products. Until you show them WHY from a perspective outside of your team’s, they may not approach the problem with a completely open mind.

In helping hundreds of MSPs communicate the value of their cyber stacks to clients, what we found is that having a third party run assessments dramatically increases client buy-in to your solutions. Clients are better able to define the problem as something urgent and necessary, rather than something urgent to you as a vCSO.

How should you integrate a third-party assessment into your vCSO offering?

  1. Perform an assessment at least quarterly—get a re-evaluation of your client’s network at least quarterly to help communicate changes in their environment and refocus the conversation.
  2. Make recommendations based on third-party results—use the third-party assessment to guide where their security program should head. This is the exact method doctors use when evaluating health results. They provide their patients with facts based on results and guide them down a path of realization. That’s essentially what you are doing in your role as vCSO: using the third-party facts to guide and facilitate an effective security program.
  3. Identify problems and show their remediation—I know many MSPs that are concerned that third-party reports can expose problems within their managed network. What I’ve seen is that having continual conversations with your client and showing continuous improvement on issues is far more effective than sharing a completely clean bill of health at every meeting. Reported issues are great facilitators of the conversations you should be having to keep clients engaged in cybersecurity.
  4. Your biggest opportunity to do this is RIGHT NOW. The buying cycle for security is NOT YET defined. Until you start showing them their opportunities in a way that doesn’t make them guarded, you won’t have a lot of luck progressing their security stance. A third-party assessment is one of the easiest ways to address this.
  5. Keep a consistent cadence to your reports—making third-party assessments a continuous expectation for your client helps them realize that you really have their back. It is the most effective way of keeping them engaged in your solutions and focused on making security better within their organization.

How do you start your vCSO program? We have found a vCSO framework that works well within MSP operations.

Need help getting third-party assessments? ClientWatch helps MSPs with an easy recurring process for security assessments for their clients.