Mitch Evans and Larry Kinkaid, leaders on BARR Advisory’s cybersecurity consulting team, were recently joined by Eric Etherington, founder and CISO at SecuritEE.IO, for an expert discussion on the role of a virtual chief information security officer (vCISO) in a modern enterprise.
During their talk, the trio explained how working with a vCISO can help an organization build a strong security foundation to propel future growth and shared practical advice for business leaders on what to expect when working with a vCISO.
When you’re selling to enterprise organizations, they don’t care whether you’re a one-person show or a multinational corporation; they’re going to have certain expectations for your platform in terms of data security, Etherington said.
An experienced vCISO can translate customers’ and prospects’ requests into easily digestible language and help your team effectively communicate the controls and processes you’ve put in place to meet their expectations.
“I work with a lot of companies in the healthcare space,” Etherington said, noting, “HIPAA and HITRUST and those kinds of certifications weren’t necessarily written in the language of what you should do on your SaaS platform, so you need an experienced person to come in and interpret that for you.”
In fact, Etherington said educating the sales team is among his top priorities when working with clients as a vCISO. “They don’t need to know things inside and out [or] every SOC 2 control that we’re going to have, but they can know the five to 10 security [talking points] that make the company look good, that they can rely on and sell off of,” Etherington said.
“What I find in a lot of my clients is that they know more about security than they probably realize,” said Kinkaid. “But I know more about compliance,” he said, calling compliance the “language” of security. “So I can decipher the expectations of the stakeholders.”
Kinkaid went on to recommend that cloud service providers include a trust center on their websites to improve transparency with stakeholders and demonstrate adherence to cybersecurity compliance standards like ISO 27001 and HITRUST CSF.
The goal, according to Etherington, is to empower sales professionals with the confidence to bring security up first, instead of feeling intimidated by the conversation. “Let’s have things ready to go to answer that security person’s question right away, and let’s do it in a way that we’re going to get it right the first time,” he said.
Kinkaid offered a similar take: “It’s so telling when a salesperson is avoiding the security conversation versus hitting it head-on.”
According to Evans, a virtual CISO can also offer a fresh perspective and help business leaders map out a pragmatic path to compliance.
“We know how to apply an approach that works for each organization. And that could be whether you’re highly regulated or barely regulated,” Evans said. For organizations in low-risk environments, that might mean forgoing a certain security attestation in order to ensure sufficient resources are allocated to your top priorities.
It’s important to right-size the program for where a company is and where they’re going, Etherington said. “What do we need to be doing today to set us up for six months or a year from now?”
Evans opined: “We can do all the tactical policy procedure, help you through an audit, but really where the value comes in is…our experience over time.”
Combined with a strong professional network, that experience helps vCISOs provide valuable insight to business leaders on which security tools and software would be a smart investment for their organization. “I know products that I do prefer, some that I may not, some that are up and coming,” Kinkaid said. “I get to workshop different kinds of products and tools and approaches.”
Perhaps most importantly, adding a vCISO to your security and compliance team early on can help your organization build a culture of security from the ground up.
“People want to do the right thing, but you need to show them sometimes what that means,” Etherington said, noting that employees are more likely to buy into best practices when security “becomes part of the mission early.”
For Evans, one of the most rewarding aspects of the job is differentiating security awareness education across roles, “making security fun and interesting for each type of employee, so that they don’t make those mistakes that we’ve all heard about.”
Ultimately, the role of the vCISO in today’s business world is to help cloud service organizations define actionable strategies for safeguarding sensitive data and achieving their long-term compliance goals.
“When it comes to compliance, I think the most important thing is to have a strategy,” Etherington said, adding that it’s easy for start-ups to bite off more than they can chew. “That’s why on a lot of my engagements, I work with [the attest services team at] BARR, because they’re very good about helping clients have a strategy.”
To hear the full conversation, access the webinar now on-demand.
Ready to start charting your organization’s path to cybersecurity compliance? Contact us today to learn how we can help.