A vCISO provides executive leadership, with the expertise to help you build your security strategy. While a vCISO will take the helm, there are things you can do to prepare to work with a vCISO and set them up for success, ultimately increasing your time-to-value. Optimal readiness involves preparing the people and the facts as well as communicating effectively.
Your new vCISO will likely ask questions to obtain all of the following information, but if you’re prepared with it upfront, you can accelerate and optimize the engagement. We recommend you invest time in both gathering answers and preparing the people to deliver further info.
Make sure you can convey what your business does. How do you make money? What risks could cease operations? For example, a logistics company facing a systems shutdown would be unable to move freight. For others, the loss of sensitive data could be catastrophic.
Be able to communicate with the new security board member what those risks are. While it may seem like a fairly simple task, some organizations haven’t taken the time to think about and document what’s mission critical.
What is the current state of your security controls, as far as you know? Are those controls documented? Share anything quantifying your controls, including:
Your vCISO will need to investigate to see if your security investments are adequate. Deliver the info they need by quantifying your security investments, which may require some research. Organizations might know their total IT budget, but lack clarity into the specific IT security budget.
Your new cybersecurity board member should be provided with as much material as possible so they can start asking the right questions. Arm them with the right tools and info so they can deliver value to your board.
In addition to gathering the facts, make the right people available so your vCISO can get up to speed quickly. Make sure everyone understands who the vCISO is, what they’re doing, and why they’re there. This is key and enables progress to happen much more quickly.
We recognize that not every organization will have employees dedicated exclusively to the following functions, but these people should all be included.
A vCISO must speak the board’s language. They must relate to the board to get their points across, but also listen to other board members and staff to learn as much as possible in a short time.
Speaking to boards can be daunting. I’ve previously spoken to boards and, after receiving blank looks, realized I needed to change my phrasing and simplify the technical language. Your new security board member can support your IT staff and help with that ‘translation,’ reframing IT principles into accessible business language. They’ll bring concise advice that translates risk to people who don’t have a technical background in order to help them make decisions. This includes explaining IT initiatives and clarifying the impacts, positive or negative.
Your vCISO has a crucial role to play in communicating to your board and colleagues. Help set them up for success and hit the ground running by communicating upfront to the vCISO the crucial information they need.
When speaking to boards, I always come with examples. I’ll share some of my experiences at other organizations, including things we tried that didn’t work well. I’ll also relate their situation to something happening in the world.
Sometimes referred to as, “Storytime with Tony,” I relay stories of threats and what’s being done to address these issues by security companies, the federal government, and law enforcement. One board was particularly interested in hearing about ransomware globally and the steps we’re taking to mitigate their risks. It’s helpful to understand that these threats are real and impactful, particularly if it happened to a company that’s similar, whether a similar size or the same industry.
Netrix Virtual CISO (vCISO) services can help your organization implement and maintain practical, effective information security programs that are in lockstep with your risk tolerance and are deeply aligned to your business strategy. Contact us to discuss if we could help ensure your business is always protected from even the worst cyber criminals.
To learn more about our vCISO services, click here.