vCISO vs vCISO - Not all are equal
“Competition whose motive is merely to compete, to drive some other fellow out, never carries very far. The competitor to be feared is one who never bothers about you at all, but goes on making his own business better all the time.” — Henry Ford
We know we’re not the only game in town. We recognize that there are many organizations out there that offer vCISO as a service or even as a product. Lastly, we recognize that not all are equal. So how do you differentiate, what are you really getting, and how can you tell it’s really meeting your expectations when you hire a vCISO to support your cybersecurity objectives?
SideChannel recently had direct visibility that allowed us to better understand the difference we bring to our clients. At the end of 2021, a current client of ours finalized an acquisition of another company. With everything that comes with an M&A, supporting vendor contracts come along too. This newly acquired firm had a multi-year contract with one of SideChannel’s competitors to provide a vCISO and oversee their cybersecurity program. During diligence and in the days post-merger, our client decided that there was no reason to have multiple firms providing the same support, and they looked us both over before deciding that SideChannel would be retained as the CISO. Let’s break down the two key differences that led to that decision.
Auditing backgrounds are not enough to be a vCISO
Auditing is a needed skill and plays well into the requirements for compliance initiatives. But compliance is not security (yes, we’ve heard that enough, I know). Auditors tend to look at things in a black-and-white way. Don’t take that as wrong or negative; it’s just how audits are conducted. Your goal with an audit or auditor is to have an independent third party objectively look at the controls your organization says it has in place. You want your auditor to tell you when what you’ve implemented isn’t working as intended. This isn’t the sole function of a CISO.
The vCISO’s (and CISO’s) role goes beyond auditing. In the next section we expand on the other key areas, but suffice it to say that compliance is one part and auditing to meet compliance is an even smaller part. Companies want their CISOs to be able to understand the business they are in and build effective cybersecurity risk management strategies to support them. Business leaders want to have the ability to make decisions, since much of business is a risk-versus-reward discussion. An auditor’s approach here would not leave much, if any, room for the business to make decisions that stray from a “met” or “unmet” view of the controls in place.
When clients work with SideChannel, they gain a vCISO who understands how to navigate these risks while also meeting compliance initiatives. This is an initial reason that SideChannel is preferred over other firms providing vCISO services.
Leadership and experience are important for the vCISO role
The role of the CISO is one that leads the cybersecurity function for the organization. This is not the first role someone takes on when they get into cybersecurity, or even mid-career. This position is the culmination of years of experience, roles, and business acumen. At many organizations, this position is a Vice President, reports to the C-suite, and is in front of the Board regularly. You can see that the position of the CISO is not one to be taken lightly when staffed or filled. It’s a role of leadership and experience.
Key areas that CISOs support an organization include:
- Advising on all forms of cyber risk and plans to address them
- Board, management team, and security team coaching
- Vendor product and service evaluation and selection
- Maturity modeling operations and engineering team processes, capability and skills
- Board and management team briefings and updates
- Operating and capital budget planning and review
Taking this all into account, we can see it’s not a role for junior or mid-career practitioners. This is the key reason that SideChannel is preferred over other firms providing vCISO services. Our clients have as their vCISO someone who has been a CISO previously, and mostly at larger enterprise firms.
As Henry Ford highlights, we didn’t look to drive others out; we made a better service with better delivery and our clients see the difference.