The First 10 Days of a vCISO’S Journey with a New Client
“In a quaint village nestled between rolling hills and dense forests, a young apprentice named Eli was learning to throw pottery from a master potter. On the first day by the riverbank, the master potter emphasized nature’s lessons of patience and persistence, likening flowing water to the dedication needed to shape clay – and the growth of the flowers along the river bank to the growth of the apprentice’s skill.
Observing nature, Eli noticed seeds sprouting and plants growing, reflecting on how skills require care and attention to flourish. Inspired, Eli practiced diligently, learning from every detail and mistake, much like nature’s way of evolving. He practiced every waking hour. By the tenth day, Eli’s hands moved with a fluid grace, transforming raw clay into beautiful pottery.
As they admired the sunset, the master potter smiled, noting that true mastery lies in embracing each moment of learning, akin to nature’s continuous cycle of growth and adaptation, and in only ten days, Eli had blossomed, understanding the rhythm of patience and evolution.”
What can truly be accomplished in ten days? Could an apprentice truly become a master in that time or is ten days a metaphor for a lifetime of work?
This question probes the nature of mastery and growth, suggesting that while substantial progress can be made in a short period of time, true mastery often represents a longer journey.
Becoming a master in any field typically requires years of dedication, practice, and experience. The ten-day timeframe in the parable can be seen as a metaphor for the concentrated effort and accelerated learning that can happen when one is fully immersed in a task. But it somehow also symbolizes how significant growth and transformation can occur in a short period when one is highly focused and guided by an experienced mentor. True mastery is a lifelong pursuit that extends beyond a brief, intense period of learning.
So is it with the vCISO. A vCISO can transform their skillset through periods of intense learning, enabling them to stay ahead of emerging threats, adopt the latest security technologies, and continuously refine their strategic approach to cybersecurity. But it is up to the vCISO to spend the time and effort in becoming the greatest possible resource for an organization.
Countless books and articles detail the path to becoming a successful CISO or virtual CISO, but this writing does not aim to cover all those necessary qualities. Instead, it focuses on the most valuable activities that can be undertaken within a critical two-week (10 working day) period to significantly enhance an organization’s security. While an experienced vCISO must develop skills over a lifetime of work, the “10 days” parable may be an indicator of how intensive his or her learning curve – which perspective will show through with the right vCISO.
Budget of Time
The virtual Chief Information Security Officer is working on a budget of time. The vCISO is unlike a full-time CISO in that there is a time-boxed border around the work the vCISO does as a contractor and therefore, time is of the utmost importance. Every day of engagement must “move the needle” and the first 10 days can provide a good measuring stick of how the engagement will go over the long term.
10 Days Before Engagement Starts
To effectively vet a vCISO before starting an engagement, an organization should undertake a comprehensive evaluation process. First, the organization should clearly define its specific needs, objectives, and expectations, identifying key areas such as risk management, compliance, incident response, or security strategy development.
Verifying the vCISO’s credentials and experience is crucial, including checking for certifications like CISSP, CISM, GIAC, CRISC, CEH or CISA (amongst others) and reviewing their professional background in similar industries or organizational sizes. Evaluating their expertise and skills through technical interviews or assessments helps gauge their problem-solving abilities and technical proficiency. Requesting case studies and references from past clients or employers provides insights into their performance, reliability, and professionalism.
Furthermore, assessing the vCISO’s communication skills and cultural fit is essential to ensure they can articulate complex security concepts to non-technical stakeholders and collaborate effectively with executive leadership teams as well as technical teams.
Reviewing contractual terms and service level agreements (SLAs) ensures that the scope of work, deliverables, and engagement terms align with the organization’s expectations. Arranging an initial consultation or project kick-off allows the organization to discuss its current security posture, challenges, and goals, providing an opportunity to evaluate the vCISO’s approach to problem-solving and strategic planning.
Additionally, verifying the vCISO’s legal and regulatory knowledge ensures they understand relevant requirements such as GDPR, HIPAA, NYCRR, CCPA/CPRA, and industry-specific standards, and their experience in ensuring compliance and handling regulatory audits.
Confirming the vCISO’s availability and commitment to dedicating sufficient time and resources to the engagement is crucial, as is ensuring their commitment to continuous learning and staying updated with the latest cybersecurity trends and threats.
Finally, performing a trial engagement can provide a practical assessment of their performance and fit within the organization before committing to a longer-term contract. By thoroughly vetting a vCISO through these steps, an organization can ensure they select a qualified, experienced, and compatible security leader who can effectively enhance their cybersecurity posture.
Day 1
On day one, a vCISO should focus on laying a solid foundation for their role by engaging in critical introductory tasks.
The day begins with meeting key stakeholders, including executives, IT leaders, and security team members, to understand their expectations and establish effective communication channels. This helps the vCISO get acquainted with the organization’s culture, mission, and values, ensuring that their security strategy aligns accordingly.
Reviewing existing security policies, procedures, and incident response plans is essential to comprehend the current security posture and identify immediate gaps or concerns. Additionally, examining recent security audit reports, risk assessments, and compliance documentation provides insights into past and present security issues.
Gaining a high-level overview of the organization’s IT architecture, including networks, systems, applications, and data flows, allows the vCISO to identify key assets, critical data, and potential high-risk areas requiring immediate attention.
Conducting a preliminary risk assessment to pinpoint the most pressing threats and vulnerabilities, and prioritizing these risks based on potential impact and likelihood, sets the stage for a more detailed analysis later. Addressing any urgent security issues or vulnerabilities that require immediate action helps establish short-term goals and objectives for the first week, ensuring quick wins and building momentum for longer-term initiatives.
Finally, developing a communication plan to keep stakeholders informed about the vCISO’s activities, findings, and progress, and scheduling regular check-ins and status updates, ensures transparency and builds trust with the team. By focusing on these tasks, a vCISO can quickly get up to speed with the organization’s security landscape, establish critical relationships, and lay the groundwork for effective security management.
Days 2 – 5
On days 2 to 5, a vCISO should focus on conducting a thorough assessment and laying the groundwork for a strategic cybersecurity plan to ensure a successful engagement. On day 2, the vCISO should continue with in-depth meetings with key stakeholders across various departments to gather insights into the organization’s critical assets, ongoing projects, and specific security concerns. This includes collaborating with IT, legal, compliance, and risk management teams to understand their perspectives and requirements. Additionally, the vCISO should review and analyze existing security policies, procedures, and incident response plans to identify strengths and weaknesses.
By day 3, the vCISO should initiate a comprehensive risk assessment to identify and evaluate potential threats and vulnerabilities within the organization’s IT infrastructure. This involves conducting vulnerability scans, penetration tests, and reviewing past security incidents to understand the current threat landscape. The vCISO should prioritize these risks based on their potential impact and likelihood, creating a risk register that will serve as a foundation for future security initiatives. Concurrently, the vCISO should start mapping out the organization’s compliance requirements, ensuring that all regulatory and industry standards are being met.
On day 4, the focus should shift to developing a strategic cybersecurity roadmap. This roadmap should outline short-term and long-term goals, addressing the most critical risks identified during the assessment. The risks identified should be captured and tracked in the risk register to follow the progress around the risks.
The vCISO should propose actionable steps and recommend specific technologies, policies, and procedures to enhance the organization’s security posture. This plan should also include a timeline and resource allocation (including a RACI chart to indicate who is Responsible, Accountable, Consulted, and Informed), ensuring that the organization can realistically achieve these objectives. Engaging with the executive team to present and refine this roadmap is crucial for securing buy-in and support.
By day 5, the vCISO should begin implementing immediate, high-priority actions from the strategic roadmap. This could include quick wins such as updating critical software, enhancing endpoint security, or implementing stronger access controls.
Additionally, the vCISO should establish a regular communication cadence with stakeholders, including setting up weekly or bi-weekly meetings to provide updates on progress, discuss challenges, and adjust plans as needed.
Building a strong foundation of trust and collaboration with the team is essential for the ongoing success of the engagement, ensuring that everyone is aligned and committed to improving the organization’s cybersecurity resilience.
Days 6 – 10
On days 6 to 10, a vCISO should focus on deepening their engagement with the organization and ensuring the initial groundwork is effectively translated into actionable steps.
During this period, the vCISO should begin implementing the strategic cybersecurity roadmap developed earlier, prioritizing key initiatives such as enhancing network security, establishing robust access controls, and fortifying data protection measures.
Collaboration with IT and security teams is crucial to ensure these measures are implemented smoothly and effectively. The vCISO should also enable training sessions and awareness programs to educate employees about cybersecurity best practices, fostering a culture of security within the organization.
Additionally, setting up continuous monitoring and incident response mechanisms is vital for proactive threat detection and management. Regular check-ins with executives and stakeholders to provide updates on progress, discuss any challenges, and refine strategies ensure alignment and support for ongoing initiatives. By the end of this period, the vCISO should have established a clear, actionable security framework, demonstrated quick wins, and built strong relationships with the team, paving the way for a successful engagement.
10 Days and Beyond
The first 10 days of a vCISO engagement are the most critical because they set the foundation for the entire cybersecurity strategy and establish the tone for future collaboration. During this period, the vCISO conducts essential assessments, identifies key vulnerabilities, and prioritizes immediate actions to safeguard the organization’s assets.
By quickly building trust, aligning with the organization’s goals, and demonstrating expertise, the vCISO can effectively lead the team towards a robust security posture. This initial phase is crucial for establishing momentum, fostering a proactive security culture, and ensuring long-term success in mitigating cyber risks.
What can be accomplished in the vCISO’s first 10 days that could help put the organization on a new path – or, if not accomplished – may signal the need for a new vCISO candidate, organization, or methodology to replace the one that’s not being properly managed? These questions need to be asked in order to determine whether or not success can be achieved and measured in quantifiable and qualifiable ways through various Key Performance Indicators (KPIs).
Success or Failure
If a vCISO does not perform the necessary activities in the first 10 days—such as conducting thorough assessments, engaging with key stakeholders, developing a strategic cybersecurity roadmap, and addressing immediate high-priority risks—it may suggest a misalignment with the organization’s needs and objectives.
This initial period is critical for establishing a solid foundation, and any significant missteps or delays could jeopardize the organization’s security posture. In such cases, it might be necessary to consider replacing the vCISO to ensure the organization is protected and that a more suitable candidate is in place – someone who can effectively manage and enhance the cybersecurity program.
The first 10 days of a vCISO engagement are critical because they set the stage for the organization’s entire cybersecurity strategy. During this period, the vCISO conducts a comprehensive assessment to identify vulnerabilities, engages with key stakeholders to align security efforts with business objectives, and develops a strategic roadmap to prioritize actions and resources. Immediate attention to high-priority risks demonstrates effectiveness and builds trust, while establishing governance and policies ensures a strong framework for ongoing security management.
Successfully executing these tasks within the initial days not only enhances the organization’s security posture but also signals the vCISO’s capability to lead effectively. The parable of the potter’s apprentice is a way to visualize the effort that needs to be put into the practice of becoming an effective vCISO. Failure to achieve these objectives may indicate misalignment, lack of direction, or inadequate risk management, necessitating a reassessment of the vCISO’s approach or the overall strategy within 10 days.
About the Author
Pete Green, vCISO, Cybersecurity Consultant and Reporter for Cyber Defense Magazine. Pete Green has over 20 years of experience in Information Technology related fields and is an accomplished practitioner of Information Security. He has held a variety of security operations positions including LAN / WLAN Engineer, Threat Analyst / Engineer, Security Project Manager, Security Architect, Cloud Security Architect, Principal Security Consultant, Manager / Director of IT, CTO, CEO, and Virtual CISO. Pete has worked with clients in a wide variety of industries including federal, state and local government, financial services, healthcare, food services, manufacturing, technology, transportation, and hospitality.
Pete holds a Master of Computer Information Systems in Information Security from Boston University, an NSA / DHS National Center of Academic Excellence in Information Assurance / Cyber Defense (CAE IA / CD), and a Master of Business Administration in Informatics.
Pete can be reached online at [email protected]%20, @petegreen, https://linkedin.com/in/petegreen and through https://www.cyberdefensemagazine.com.