
The Great vCISO Transformation

What does the future hold for the Virtual Chief Information Security Officer (vCISO)?
 
Imperfect circumstances have created a perfect storm that will drive a rapid and significant shift in the delivery of cybersecurity consulting. Client demand and competition will force firms to think differently and use new technology. Where spreadsheets were the name of the game yesterday, those simply won’t work tomorrow. We cybersecurity consultants will soon need to provide more value with less people to thrive in this new security-scape.
 
At its core, the traditional model for delivering consulting is exchanging an expert’s time for an organization’s money. In the context of vCISO, a highly experienced, highly paid security professional spends some of their time each month working on an organization’s security program. The consultant gets a hefty hourly rate for their time; the organization gets expert guidance without having to hire a full-time expert. Everybody wins. 
 
Except everybody doesn’t win. Not anymore. This model is inefficient for the consultant and still relatively expensive for the organization. And there are several factors bringing this issue to light and forcing a change in the way cybersecurity services are delivered: a massive talent shortage, increasing attacks, changing regulations, and increasing demand.
 
Cybersecurity Talent Shortage
If you haven’t tried hiring a skilled security person lately, consider yourself lucky. The cybersecurity skills shortage we were first warned about five years ago, and that major companies are currently trying to fix, is real. It is painfully real. There are millions of unfilled security jobs around the world. The result for the rest of us is heavier workloads and burnout, which causes people to quit and makes the problem worse. Sadly, until now at least, technology hasn't eased the burden in many organizations, especially smaller ones, mostly because current software is siloed in its approach and is basically a glorified spreadsheet online.
 
Increasing Attacks
Let’s face it, the bad guys are still winning. 
 
The number of attacks has increased. The total financial impact of attacks has increased. Malware variants are increasing. In the arms race of cybersecurity, the good guys are losing the war.
 
It’s kind of obvious where this is going. Until we get better at managing cybersecurity, the attackers will keep winning. 
 
Increasing Regulations
In the past 20 years we have seen dozens of laws and regulations designed to force organizations into caring about security. Some business leaders have implemented the guidance in earnest, others have not. Therefore, lawmakers will continue to implement new regulations because the bad guys are still winning. 
 
New breach rules have been shrinking the time organizations have between learning of an incident and reporting the incident to authorities. 72 hours is not a lot of time when you’re knee-deep in responding to an incident. 
 
Insurance companies have also joined the party. Most are demanding that organizations have specific security controls in place before they will issue a cyber policy.
 
Clients are Demanding More
There is much being written about upcoming economic headwinds, a possible recession, and burst financial asset bubbles. So much that we most definitely don’t need to cover any of that here. There are also uncomfortable realities occurring, like obscenely high inflation. These signs might cause some consulting firms to stop hiring security talent.
 
But... cybersecurity is one of the few areas expected to increase in 2023. Cybersecurity Ventures anticipates 15% year-over-year growth through 2025. Those who think they’ll be fine with the consulting staff they have will be surprised to find they need to hire more people to deal with the increased demand for security services. Or risk losing clients to competitors that have capacity.
 
More attacks and changing regulations, along with a continued migration to digital and cloud solutions, are forcing organizations to demand more from their cybersecurity providers.
 
A Flawed Paradigm
Consider that, in general, people ultimately want to stop worrying about security. Doing so hasn’t been possible because security professionals haven’t enabled them to do so. We as an industry have failed to speak in the language of business. We have failed to reduce technical jargon and to measure risk in financial terms. In short, we as cybersecurity professionals have been thinking wrong. We silo important cybersecurity management functions and deliver tech-filled executive reports that don’t build trust between the Board and the security program. Cybersecurity hasn’t been managed properly. We’ve built functional silos in the way we market and deliver individual services, report risk via useless ordinal scales, and clutter communications with technical jargon and vanity metrics. 
 
Not only is renting out a vCISO by the hour inefficient and expensive, the underlying cybersecurity management mindset across the industry is flawed. People generally think managing cybersecurity has to be difficult because it’s always been difficult. And we all know what happens to difficult, inefficient processes when disruptive software shows up.
 
To be clear, I’m not talking about SOAR/XDR/MDR/etc., which is the technical side of security. I’m talking specifically about the stuff between technical cybersecurity and the business: cybersecurity functions like managing risk, managing compliance, deciding strategy, and the other things a vCISO would be doing. The technical side of our industry (SIEM, etc.) got it right a decade ago. No need to discuss that any longer. But the management side of the industry, the vCISO stuff, is a different story. 
 
If there is a limited pool of talent available to hire and do the work, more attacks, more regulations, and more work coming on the horizon, our mindset has to change. 
 
The Future of the vCISO
Simply put, the future of cybersecurity consulting is leveraging cloud-based software to deliver services better. New technologies enable us to develop a new mindset that cybersecurity management doesn’t have to be hard, and allows us to deliver better security.
 
vCISOs need to leverage software for a comprehensive, one-stop place to organize, monitor, and communicate client cybersecurity programs. Software that speeds up existing staff rather than slowing them down bouncing from siloed module to siloed module. Software that quantifies risk so better decisions can be made and adequate defenses can be constructed against attacks. Software that organizes compliance, embeds workflows into the organization, and makes regulatory changes a snap to handle. Software that allows consultants to work hand-in-hand with their clients to custom-fit solutions to each organization’s needs and add maximum value.
 
Cybersecurity can be made easier with integration and automation, which leads to better delivery of vCISO services and better delivery of cybersecurity management, and therefore better and easier security. Other advancements in technology, such as webhooks, APIs, agile development, serverless architecture, and rapid feedback cycles, allow us to put the technology elements in place to make security management more efficient.
 
Most importantly, we consultants on the management side of security need to deliver security in a way that makes sense to business leaders. That is, a vision of what their cybersecurity program should look like, rather than piecemeal services that just look like cost-centers. We need to say to clients “we do security” rather than telling them “we do this piece and that piece, and maybe this piece over here.” 
 
The right software allows firms to deliver a unified concept that clients understand as a whole program. Not just piecemeal services.
 
We at Rivial call the concept Security Management Orchestration or SMO. Seeing SMO on display in the Rivial Platform enables clients to visualize their security program as it should be, adding value to the organization. 
 
 
Conclusion
At this pivotal point in the evolution of cybersecurity, consulting firms can choose one of three paths. Option 1 is to ignore the trend, lose clients to competition, and eventually go out of business—this is obviously the worst-case scenario. It would be sad to see good, hard-working people give up their dreams because they chose to ignore market changes. Option 2 is to build your own software. While this may be a good long-term plan, I can tell you from experience it’s high risk and hard to get right. I am the first to admit Rivial was fortunate to make it through the chaos of running a consulting company AND building a software startup at the same time. Option 3 is partnering with the leader in the nascent cybersecurity management platform market. (full disclosure: the market doesn’t really exist yet, and we at Rivial are pushing to grow it)
 
Companies of all shapes and sizes will need to demand more from their consulting firm. Those who can’t deliver will be at a significant disadvantage. The firms that don’t act will be left behind, paying more for security consultants, for less efficient cybersecurity management, and lost clients. Consulting firms that move now will power through the changes and thrive on the other end of the transformation.
 
About the Rivial Platform
The Rivial Platform is the world’s first and most comprehensive cybersecurity management platform created by consultants, for consultants. Management of Program, Risk, Compliance, Testing, Vendor Cybersecurity, and Response is all integrated, making it easy to deliver very high-value services to clients. If you’re interested in becoming a Rivial Partner so you can leverage our platform and ride the Great vCISO Transformation wave, see if your firm qualifies for the partner program. 
 