A vCISO is responsible for the cybersecurity strategy and risk management of their client, which includes multiple disciplines from investigation to execution to reporting. We recently published a comprehensive playbook for vCISOs, “Your First 100 Days as a vCISO – 5 Steps to Success.” The playbook covers all the phases, recommended actions, and step-by-step examples required for a successful vCISO engagement.
Due to the success of our playbook and requests from the MSP/MSSP community, we decided to dig into specific parts of the vCISO report to provide more detailed information and examples. In this article, we focus on how to create a compelling story within the report that will have a significant impact on your overall MSP/MSSP value proposition.
In this article, we share highlights from a recent guided workshop we ran to discuss the elements of successful reporting and how you can use it to enhance engagement with your cybersecurity clients.
This workshop was conducted in partnership with Jesse Miller, co-author of the First 100 Days playbook and founder of PowerPSA Consulting and PowerGRYD. Jesse is a long-time CISO/vCISO and information security strategist whose mission is to help service providers unlock the secrets of vCISO premium profits. You can watch the entire webinar with more details and real-world examples here.
The hidden value of reporting
According to Miller, “doing great work is one thing, having your client recognize it that way is quite another,” which is where reporting should be focused. A tight reporting process is a key component of maintaining client connections in a successful vCISO program.
But as Miller makes clear, the primary purpose of the report is not to show the activities the vCISO performs for the client, which is a common misconception. Rather, the real value is in making the client the hero of their security journey. Therefore, the vCISO report should focus on the client and their organizational goals, not the vCISO’s activities. The ultimate goal of the report is to enable business strategy discussions with security at the center.
Benefits of a vCISO Report
Digging deeper into the aforementioned objectives, vCISO reports provide multiple benefits to both vCISOs and their clients.
For vCISOs –
- Ensuring vCISOs are aligned with customer expectations
- Ensuring that clients understand their security and compliance posture
- Building a shared vision between vCISO and client
- Building consensus on paths to improvement (rather than unilaterally imposing recommendations)
- Linking initiatives to business outcomes
- Driving retention and sales
For clients –
- Controlling your security destiny
- Designing your security efforts around business outcomes and empowering yourself to manage the risks associated with your decisions and actions
- Simplifying decision making
- Reducing noise
- Gaining bandwidth and scale
- Easy buttons for tactical execution and resource acquisition
- Seeing the positive ROI you are getting from your vCISO investment
Four Key Sections of a vCISO Report
To uncover all the benefits above, we recommend creating a report that includes the following four sections:
- Section 1: Overall Summary – Overview, top-level metrics, and “hot stove” items.
- Section 2: Tactical Review – How the controls were implemented and the “story” the data tells, with recommendations and initiatives set out in the following sections.
- Section 3: Strategic Review – Reviewing the roadmap, holding business-led discussions, making recommendations, and mapping RCT (resources, commitments, time) for next steps.
- Section 4: Future Initiatives – The work still in the queue, which protects against risk and builds the sales funnel.
Let’s take a closer look at each one.
Section 1: Overall Summary
The first section of the report provides an overview and summary, a preview of the rest of the report, and some high-level metrics. This is also the place to address any “hot stove” items, for example providing information about an attacker’s foothold or answering any open questions.
Providing a short, results-focused first section allows vCISOs to succinctly share the story they want to tell, and allows executives and business leaders to get an overview at the beginning of the report while practitioners can dig into the details later.
For example, this sample report from Cynomi displays the attitude score at the beginning of the overall summary, along with a brief explanation of what it means and a reference to risks.
Section 2: Tactical Review
The second section allows you to tell a story with data – there is a wide range of data that can be brought into a report, so it’s important to ensure the right data is being used so you can tell the right story.
Remember, the goal is to make your client the hero and show them how they can get what their business needs from a security program.
For example, a highly technical audience may be able to dive deep into the details of your security program. But high-level decision makers may not be able to understand the story from the same data. Therefore, we recommend automating the collection of data, and collating and organizing it to suit the type of client you are presenting to.
This section also shows progress and recommendations tailored to various decision makers, security incidents and how they are being handled, recommended actions to support business processes (e.g. M&A), and more.
For example, in this section of the Cynomi sample report, a vCISO can drill down into the status of various policies and domains that need to be secured. The report later also displays scan results that provide evidence of this analysis.
Section 3: Strategic Review
The Strategic Review section is intended to create a prioritized security journey. To build this story, it’s important to link your risk assessment, security roadmap, and recommendations. In other words, you need to create a system where a high-level risk assessment finds gaps in your security controls, such as vulnerability management, malware control, and incident response. Then, in the recommendation report, you need to clearly outline the solutions that need to be deployed, list the priorities in your roadmap, and create your journey.
Pro Tips:
- Don’t spread FUD, but rather adopt a “compliment sandwich” approach that starts and ends with positive feedback.
- Before you ask your customers to spend money, show them how your recommendations and actions will reduce costs and support their business.
- We use RCT (resource, cost, time) mapping to help our clients with decision making.
For example, this Cynomi report shows vCISOs where the client stands on compliance, which can then feed directly into recommendations and roadmaps.
Section 4: Future Initiatives
Finally, it’s time to discuss future efforts. Since clients don’t have infinite resources, this section helps them queue and prioritize work based on business-driven consensus.
This section also helps protect both the client and the vCISO from risk – for example, showing month-by-month progress shows auditors and regulators that the client has done its due diligence, which protects both the vCISO and the client.
Finally, this section establishes accountability between vCISO and client: by clearly demonstrating the business outcomes of accepting the proposed recommendations, clients are empowered to make business decisions and assume the risks associated with those decisions.
What’s next?
Reporting is part of a holistic vCISO approach to building trust with clients. Making your client the hero communicates that you have their interests at heart. Validating this through reporting helps vCISOs scale and grow, and helps their business thrive.
For detailed instructions and examples, watch the full workshop here.
For more vCISO pro tips and proven practices, read our guide, “Your First 100 Days as a vCISO – 5 Steps to Success.”
For daily insights on how to supercharge your vCISO bottom line, follow Jesse Miller on LinkedIn or join the PowerGRYD Community.