Managed Service Providers & Managed Security Service Providers: Ways to Enhance Interaction with Your Cybersecurity Customers Through vCISO Reporting

If you work as a virtual Chief Information Security Officer (vCISO), you play a key role in overseeing your client’s cybersecurity tactics and risk management. This involves various aspects, such as investigation, execution, and communication. Recently, we released an extensive guide for vCISOs called “Your First 100 Days as a vCISO – 5 Steps to Success”, which encompasses all stages required for a successful vCISO collaboration, complete with recommended steps and practical examples.

Given the success of the guide and the interest shown by the MSP/MSSP community, we have decided to delve deeper into specific aspects of vCISO reporting, offering further insights and examples. In this post, the emphasis is placed on crafting engaging narratives within a report, a factor that significantly contributes to the overall value proposition for MSPs/MSSPs.

This post reviews the key points from a recent hands-on workshop we conducted, discussing the essentials of an impactful report and how it can boost interactions with your cybersecurity clientele.

The workshop was conducted in collaboration with Jesse Miller, who co-authored the First 100 Days playbook and is the founder of PowerPSA Consulting and the PowerGRYD. Jesse, a seasoned CISO/vCISO and cybersecurity strategist, is dedicated to assisting service providers in maximizing their vCISO profitability. You can access the complete webinar, including detailed insights and real-world cases, here.

Unveiling the Untapped Value in Reporting

According to Miller, “Delivering outstanding performance is one thing, but it’s equally crucial for your customers to perceive it that way.” This is where the focus of reporting should lie. An efficient reporting mechanism is the essential icing on the cake of a seamless journey for the client within a successful vCISO program.

Contrary to popular belief, as divulged by Miller, reporting isn’t primarily about showcasing the tasks performed by the vCISO for the client. Instead, its true value lies in positioning the client as the protagonist of their cybersecurity voyage. Consequently, the vCISO reports should center around the client and their organizational objectives, rather than the actions of the vCISO. The main aim of any report is to facilitate a strategic business discourse centered on security.

Advantages of vCISO Reporting

Delving into the aforementioned purpose, vCISO reporting brings forth numerous advantages for both the vCISO and the client:

For the vCISO –

  • Aligning the vCISO with client expectations
  • Enhancing the client’s understanding of their security and compliance status
  • Fostering a shared vision between the vCISO and the client
  • Building consensus on a path for improvement (versus just issuing one-sided recommendations)
  • Linking initiatives to business outcomes
  • Boosting retention and sales

For the client –

  • Maintaining control over their security destiny
  • Charting their security progress based on business objectives, empowering them to shoulder the risks arising from their decisions and actions
  • Simplifying the decision-making process
  • Reducing noise levels
  • Enhancing efficiency and scalability
  • Accessing convenient resources for tactical implementation
  • Recognizing the substantial ROI delivered through their vCISO investment

Crucial Components of a Well-rounded vCISO Report

In order to leverage the benefits outlined above, it is recommended to structure a report encompassing four key segments:

  • Section 1: Comprehensive Summary – A brief overview, key metrics, and noteworthy highlights.
  • Section 2: Hands-on Evaluation – Evaluating the performance of controls, narrating data stories, and laying the groundwork for upcoming recommendations and initiatives in subsequent sections.
  • Section 3: Strategic Evaluation – Reviewing the roadmap, initiating a business-centric discussion, presenting recommendations, and outlining the RCT (Resource, Commitment, Time) for the next phases.
  • Section 4: Future Ventures – Current projects in progress, risk mitigation, and bolstering the sales pipeline.

Now, let’s delve deeper into each of these sections.

Section 1: Comprehensive Summary

The initial part of the report offers an overview and brief recap, previewing the contents of the report and sharing high-level metrics. It’s also the space to address pertinent issues or concerns, like uncovering intruder access and addressing unresolved queries.

By opening the report with a concise focus on outcomes, vCISOs can effectively convey the narrative they aim to articulate. This also allows executives and business leaders to take in the overview, leaving the technical experts to delve into granular details later.

For instance, in a sample report by Cynomi, we can observe the introductory fragment of the comprehensive recap, featuring the posture score, coupled with a brief elucidation of its implications and allusions to potential risks.

Section 2: Hands-on Evaluation

This section permits the articulation of narratives using data. Given the plethora of data available for inclusion in reports, it’s essential to select the most relevant data to craft a compelling storyline.

Remember, the primary objective is to position the client as the hero, demonstrating how they can achieve their business goals through their security strategy.

For instance, a technically inclined audience may delve into the minutiae of the security programs. Nonetheless, a high-ranking decision maker may struggle to grasp the narrative from the same dataset. It is hence advisable to automate the data collection process, and subsequently organize and refine the data to suit the specific type of clientele being addressed.

This segment can also showcase advancements and tailored suggestions for diverse decision makers, incidents related to security and strategies to combat them, suggested courses of action to bolster business operations (such as mergers and acquisitions), and more.

For instance, within this segment of a model report by Cynomi, the virtual Chief Information Security Officer (vCISO) can delve into the status of various policies and domains that require enhanced security measures. Subsequently, the report unveils the scanning results that serve as evidence for this analysis.

Section 3: Strategic Evaluation

The strategic assessment section aims to craft a prioritized security roadmap. To construct this narrative, it is crucial to establish connections between the risk evaluation, the security strategy, and the suggestions. This involves developing a framework where the high-level risk evaluation identifies weaknesses in security measures, such as vulnerability control, malware prevention, or incident handling. Subsequently, the recommendation document should explicitly outline the necessary solutions for deployment, while the roadmap should prioritize actions, effectively outlining a journey.

Key pointers:

  • Avoid spreading fear, uncertainty, and doubt. Instead, adopt a “compliment sandwich” strategy, commencing and concluding with positive feedback.
  • Prior to requesting clients to invest funds, demonstrate how suggestions and initiatives can save them money and bolster their business operations.
  • Utilize the RCT (Resources, Cost, Time) framework to aid clients in decision-making.

For instance, in this report from Cynomi, the vCISO can depict the level of compliance adherence and leverage it to formulate recommendations and a strategic roadmap.

Section 4: Future Ventures

As we conclude, it is time to deliberate on future initiatives. Since clients have finite resources, this section aids in organizing tasks and prioritizing them based on a business-oriented consensus.

This segment also serves to safeguard both the client and vCISO from risks. By showcasing progress on a monthly basis, for instance, it reinforces to auditors and regulatory bodies that the client is exercising due diligence, a protective measure for both the vCISO and the client.

Lastly, this section instills accountability among clientele. By transparently illustrating the business impacts of endorsing proposed recommendations, the vCISO empowers the client to make informed decisions and assume ownership of the associated risks.

What Comes Next?

Reporting constitutes a fundamental component of a comprehensive vCISO strategy that nurtures trust with the client. Making the client the focal point showcases your dedication to their well-being. When this dedication is substantiated through reporting, it propels the scalability and prosperity of the vCISO role, contributing to the success of your enterprise.

For additional insights and case studies, view the complete workshop here.

For further expert advice and established methodologies for vCISO, peruse the manual “Your First 100 Days as a vCISO – 5 Steps to Success”.

For daily strategies on boosting your vCISO revenue, follow Jesse Miller on LinkedIn or engage with the PowerGRYD community.

This article is a contributed piece from one of our esteemed partners.