As a vCISO, you are responsible for your client’s cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, “Your First 100 Days as a vCISO – 5 Steps to Success”, which covers all the phases entailed in launching a successful vCISO engagement, along with recommended actions to take, and step-by-step examples.
Following the success of the playbook and the requests that have come in from the MSP/MSSP community, we decided to drill down into specific parts of vCISO reporting and provide more color and examples. In this article, we focus on how to create compelling narratives within a report, which has a significant impact on the overall MSP/MSSP value proposition.
This article brings the highlights of a recent guided workshop we held, covering what makes a successful report and how it can be used to enhance engagement with your cyber security clients.
The workshop was delivered in partnership with Jesse Miller, co-author of the First 100 Days playbook, and founder of PowerPSA Consulting and the PowerGRYD. Jesse is a long-time CISO/vCISO and infosec strategist who has made it his mission to help service providers crack the code for premium vCISO profits. You can watch the entire webinar, with more details and real-world examples here.
According to Miller, “It’s one thing to do a great job, it’s quite another for your client to see it that way.” This is where reporting should focus. A tight reporting process is the cherry on top of a connected journey for the client in a successful vCISO program.
However, as Miller reveals, reporting is not primarily for the purpose of demonstrating the activities the vCISO performs for the client, which is a common misconception. Rather, the real value lies in making the client the hero of their security journey. Therefore, vCISO reports should focus on the client and their organization’s goals, not the vCISO’s activities. The ultimate goal of any report is to enable a business strategy discussion that revolves around security.
Drilling down into the aforementioned purpose, vCISO reporting provides multiple benefits for both the vCISO and the client:
For the vCISO –
For the client –
To uncover all the benefits listed above, it is recommended to create a report that covers four sections:
Now let’s dive into each one.
The first section of the report provides an overview and summary, teasers for the rest of the report and high-level metrics. It is also where “hot-stove” items can be addressed. For example, informing about an attacker foothold and answering any open questions.
By providing a brief initial section focused on the outcomes, vCISOs can concisely share the story they are telling. It also allows Executives and Business Leaders to join the first part of the report for an overview, leaving the practitioners to dig into the granular details later on.
For example, in this sample report by Cynomi, we can see the first part of the general recap, showing the posture score, together with a brief explanation about what it means and alluding to the risk.
The second section allows telling stories with the data. Since there’s a wide range of data that can be pulled into the reports, it’s important to ensure the right data is used. This will allow the creating of the right story.
Remember, the idea is to make the client the hero, showing them how they get what they want for the business from their security program.
For example, a highly technical audience can get into the granular details of the security programs. However, a high level decision maker will not be able to understand the story from the same data. Therefore, it’s recommended to automate the gathering of data, and then collate and prune the data for the type of client that’s being presented to.
This section can also show progress and recommendations tailored for various decision makers, security incidents and how to address them, recommended actions to support business processes (like M&As), and more.
For example, in this section from a sample report by Cynomi, the vCISO can drill down into the status of the various policies and domains that need to be better secured. Later on, the report also shows the scan results that are the evidence for this analysis.
The strategic review section is intended to create a prioritized security journey. To build this story, it’s important to link the risk assessment, the security roadmap and the recommendations. This means creating a system where the high-level risk assessment finds delinquencies in security controls, like vulnerability management, malware control, or incident response. Then, the recommendation report should clearly state which solutions need to be deployed and the roadmap should list priorities, i.e. creating a journey.
Pro tips:
For example, in this Cynomi report, the vCISO can show the state of meeting compliance and leverage this for the recommendations and roadmap.
In the end, it’s time to discuss future initiatives. Since clients do not have endless resources, this section helps queue up work and prioritize it based on a business-led consensus.
This section also helps protect both the client and vCISO from risk. For example, showing progress month over month helps show auditors and regulatory bodies the client is performing due care. This protects both the vCISO and the client.
Finally, this section creates accountability among customers. With the vCISO clearly showing the business outcomes of accepting proposed recommendations, the client can make a business decision, and own the risk for that decision.
Reporting is part of a holistic vCISO approach that creates trust with the client. Making the client the hero shows them you have their best interests at heart. When this is verifed through reporting, it drives vCISO scale and growth, making your business successful.
For more explanations and examples, watch the entire workshop here.
For more pro tips and proven practices for vCISO, read the guide “Your First 100 Days as a vCISO – 5 Steps to Success”.
For daily insights on how to supercharge your vCISO profits, follow Jesse Miller on LinkedIn or join the PowerGRYD community.