What makes a Good vCISO?
vCISO is short for virtual Chief Information Security Officer. There are good vCISOs and some who are not so good. What good vCISOs do and how they do it should not be a mystery to anyone; however, there’s a lot of confusion about this essential resource. Before we get to what makes a “good” vCISO, let’s tackle two common misconceptions:
- A vCISO is not necessary or essential for every organization. Truth is, credible information security leadership is essential for every organization. So, the question becomes “Who is providing credible information security leadership?” It’s either a full-time CISO (or similar role), a vCISO, or nobody. One of these options is the incorrect one, and you can decide for yourself.
- Information security is a wasted (or “non-value-added”) cost, including money spent on a vCISO. This is only true when you’re not doing it right, or maybe you’re not employing a “good” vCISO. Good vCISOs ensure that information security always provides value to the organization, making it a value-added cost.
A good vCISO is valuable for EVERY organization.
So, what qualities make a good vCISO? Here´s our list of the top ten qualities that every good vCISO possesses:
#1 – Role Conscious
A good vCISO understands and embraces their role. vCISOs do two things:
- Consult the organization to make good information security risk decisions.
- Implement the organization’s information security risk decisions.
That’s it, consult and implement. Of course, there’s a lot that goes into consulting and implementing, but this is the simplest way to define the vCISO role. Everything a good vCISO does fits within these two categories.
#2 - Business Acumen
A good vCISO will gain intimate knowledge about an organization, including its mission, its objectives, and its operations. Good vCISOs feel the weight of their recommendations and constantly challenge themselves to bring value through information security to organizational objectives.
#3 - Risk Management
Information security is risk management. Risk management is also fundamental to the vCISO role (See: #1 – Role Conscious). The better a vCISO can understand/assess risk, the better the vCISO will be at consulting the organization to make good risk decisions. Risk management, in simple terms, is:
- Assessment – the best assessments are holistic, objective, measurable, and provide context for good decision-making.
The worst risk decisions are those made without proper context.
- Decision-Making – accept, mitigate, transfer, or avoid; those are the only valid risk decisions.
- Implementation – the second part of the vCISOs role.
Then repeat the process for continuity and prudent information security management. A good vCISO understands that an organization should spend its next information security dollar on mitigating its most significant unacceptable risk.
#4 – Creative Thinking
A good vCISO always seeks creative ways to use information security to drive the organization’s mission and objectives. For instance, a good vCISO knows that complexity is the worst enemy of security. So, it only makes sense that simplicity is an ally (maybe our best ally). Following this logic, a good vCISO will seek opportunities to reduce complexity in processes and technologies. Where the vCISO can simplify these things, it results in less risk, but perhaps more importantly, more efficiency for the organization and likely increased profit. Common places where good vCISOs might look first for these opportunities are asset management, authentication processes, and technology consolidation/integration.
#5 - Communication Skills
A good vCISO can speak the language of business and translate information security concepts according to what motivates organizational leadership. Good vCISOs can articulate complex concepts by using simplicity and relevance. For instance, every organization should know these four things about their information security program:
- Where we’re at; in terms of information security risk, ideally represented by a credible and objective measurement/number. 2
- Where we’re going; based upon the prudent risk decisions made by the organization.
- When we’re going to get there; based upon the priorities set by the organization.
- How much it’s going to cost; based upon the risk decisions, priorities, and budget.
If a CEO, board member, owner, or executive knew little more than these four things, they would be in great shape! Hypothetical Example The organization’s S2Score (risk score) is 589 (scale of 300-850, not unlike a credit score) and they’re planning to be a 732 in 24 months at a cost of $89,000. In this case, the organization is practicing due diligence (opposite of negligence) with a justified budget.
#6 - Information Security Expertise
Within the context of risk management, a good vCISO possesses a deep understanding of information security frameworks, technologies, and best practices. This may include knowledge of threats, security protocols, and emerging trends.
#7 - Strategic Thinking
A good vCISO can align the cybersecurity strategy with the organization's business goals, understanding the balance between risk management and business innovation.
#8 - Leadership and Influence
Good vCISOs lead by example and can influence the organization’s culture, considering information security in strategic and tactical decision-making. Good vCISOs are adept at building and leading security teams, even in a virtual capacity.
#9 - Regulatory and Compliance Knowledge
A good vCISO knows that information security and compliance are not the same. They also know that neither of them is optional. The competitive advantage for an organization comes from the ability to blend information security and compliance, starting with information security. Good vCISOs understand the compliance requirements relevant to the organization's industry and can navigate the complex landscape of laws and regulations affecting information security and privacy.
#10 - Vendor and Technology Assessment
A good vCISO understands that:
It’s better to not spend money on information security than it is to misspend money on information security.
Good vCISOs do not recommend technologies and/or services that the organization can't utilize, or don't work, or aren't in the organization's best interests. Technologies and services must be aligned with the organization’s information security risk decisions which in turn must be aligned with the organization’s mission and objectives. A good vCISO can evaluate and recommend security technologies and services, ensuring that they’re all effective and efficient.
Conclusion
A good vCISO provides value, helping organizations navigate the ever-increasing complexity of information security in today’s business environment. Our advice:
- If you’re a vCISO service provider, ensure your vCISOs are “good vCISOs.”
- If you’re using a vCISO, hold your vCISO accountable for being "good.”
- If you’re in the market for a vCISO, ensure the vCISO chosen is a “good vCISO.”
About SecurityStudio
SecurityStudio trains, certifies, and empowers vCISOs to be the best they can be. We do this through our Certified virtual Chief Information Security Officer (CvCISO™) Program and our SecurityStudio platform. Please contact us if you’d like to know more about what we do and why we do it.
