How to Change Your Virtual CISO (or how to avoid it to begin with)

There’s been an interesting trend in the virtual CISO industry over the last several months.

I've had conversations with three banks who were looking for a new virtual CISO due to their existing providers inability to continue the service.

The need was for various reasons, such as an upcoming retirement of the owner, the loss of a key person, and one provider just going out of business unexpectedly.

While I believe the virtual CISO industry and profession are still in the growth phase, I always felt that we would begin to see some shakeout activities in the coming years. Well, it's starting to happen now. And I suspect that it will be accelerated by some of the economic woes on the horizon.

So, in the next several years, we're going to see consolidations, we're going to see retirements, we're going to see firms refocus their business and abandon virtual CISO offerings altogether. We're going to see businesses lose key people that never really had a good continuity or succession plan. And we’re going to see providers that just aren't that serious about virtual CISOs services, and the quality will suffer.

It's part of the maturity process of any industry, but there are some things you need to be aware of before you make that move.

If you have a vCISO and need to change

If you have a virtual CISO and you're thinking about a change (or being forced into it), understand that it's not going to be easy for several reasons:

• You’ll have to change some processes – Good virtual CISO firms are built around people AND processes. They're not just a temp service. That’s why some vCISO firms are failing: because they never took the time to build out and professionalize the business. If you move to a new provider, expect that they will come in and want to change some of your processes. That's a good sign. I can tell you right now, virtual CISO services work much better when there's a process that they bring with them.
  
  
• Understand that the scope may not align exactly – I've witnessed a lot of virtual CISOs that are doing some things in their scope that's really outside the realm of what a CISO should be doing. Examples are pen testing, configuration and monitoring of security tools, and auditing. You may have been extremely happy with the scope that you had, but for a virtual CISO firm to professionalize and become a business that can scale, they have to be laser focused on the scope.
  
  
• The price may be different – We've looked at some scope and the corresponding prices that we’re being asked to match and our response back to the bank is “no wonder they’re going out of business!” You want your virtual CISO to be profitable and you want it to be structured in a way that's a win win. That may mean a price change from what you were used to paying.
  
  
• You will need to go through the onboarding process again – Yes, I know it's a little bit painful, but don't expect your new virtual CISO to come in with the same understanding as what the previous one did (who's been working with you for the last three years).
  
  
• It can take some time - Once you find out you need to make a change, don't delay. While we've signed contracts and started the onboarding process with new customers in under a week, that's the exception not the norm for a community bank. It typically takes 60 to 90 days to review solutions, review contracts, get buy in from your board, do vendor due diligence, and have a signed contract with a service that's ready to start. Don't delay if you know a change is coming. Start looking now.

But wait, this can all be avoided?

The good news is that if you don't have a virtual CISO that you're working with right now, this can all be avoided during the selection process when you're starting out. Here are some of the questions you should be asking about the providers that you're considering:

• Are they serious about the virtual CISO line of business (or is it just ancillary to their major lines)?
• Are they financially sound?
• What does their succession plan look like?
  • Can they substitute in other staff for both short-term and long-term gaps?
  • Do they have standardized processes, or will that new person have to learn everything from scratch?
• Do they have references you can speak to?
  • This one might be a little unfair because I am absolutely spoiled by the amazing people that we have working in our team and the amazing customers that we have that sing our praises on a regular basis. But if you want to avoid having to change your virtual CISO down the road, your references should be telling you that the service is amazing and that it simplifies their lives. If they tell you the service is “slightly above average”, that may be a warning sign.

As the industry matures, we're going to see more and more change when it comes to virtual CISO service firms. While I highly encourage you to follow these tips to avoid it, to begin with, if you've already committed to a virtual CISO and it's not working for you (or you’re just curious about what else is out there), let us know: chris@bedelsecurity.com