As a vCISO, you are responsible for your client’s cybersecurity strategy and risk management. This involves multiple disciplines, from research to execution to reporting. We recently published a complete tutorial for vCISOs, “Your First 100 Days as a vCISO – 5 Steps to Success”, which covers all the steps involved in running a successful vCISO engagement, along with recommended actions and step-by-step examples.
After the success of the tutorial and the requests we received from the MSP/MSSP community, we decided to dig deeper into specific parts of vCISO reports and provide more color and examples. In this article, we focus on how to create compelling reporting narratives that significantly strengthen the overall value proposition of an MSP/MSSP.
This article contains highlights from a recent guided workshop in which we covered what makes a report successful and how you can use it to improve engagement with your cybersecurity clients.
The workshop was conducted in collaboration with Jesse Miller, co-author of The First 100 Days and founder of PowerPSA Consulting and PowerGRYD. Jesse is a long-time CISO/vCISO and information security strategist who has made it his mission to help service providers crack the code for premium vCISO revenue. You can watch the entire webinar with more details and real-world examples here.
Hidden value in reporting
According to Miller, “It’s one thing to do great work, it’s quite another to have your client see it that way.” This should be the focus of reporting. A tight reporting process is the cherry on top of the connected journey for the customer in a successful vCISO program.
However, as Miller points out, reporting is not primarily intended to demonstrate the actions a vCISO performs for the customer, which is a common misconception. Rather, the real value lies in making the customer the hero of their own security journey. The vCISO’s reporting should therefore focus on the customer and their organization’s goals, not on the vCISO’s performance. The ultimate goal of any report is to enable a discussion of business strategy in which security plays a central role.
Benefits of vCISO reporting
With that objective in mind, vCISO reporting provides many benefits to both the vCISO and the customer:
For the vCISO –
- Ensuring the vCISO meets customer expectations
- Ensuring the customer understands their security and compliance posture
- Creating a shared vision between the vCISO and the customer
- Building consensus on ways to improve (instead of pushing recommendations unilaterally)
- Anchoring initiatives in business results
- Driving retention and sales
For the customer –
- Controlling their own security destiny
- Designing their security journey around business outcomes, and owning the risk associated with their decisions and actions
- Simplified decision making
- Noise reduction
- Bandwidth and scale
- Getting simple buttons and resources for tactical execution
- Perceiving a high ROI on their vCISO investment
4 main sections of the vCISO report
To realize all the benefits listed above, it is recommended to create a report that covers four sections:
- Chapter 1: General Summary – Summary, top-level metrics, and any hot-plate items.
- Chapter 2: Tactical Review – About how the controls work, the data “stories” and setting the stage for the recommendations and initiatives to be presented in the following chapters.
- Chapter 3: Strategic Review – Roadmap review, business discussion, recommendations and RCT mapping (resource, commitment, time) for next steps.
- Chapter 4: Future Initiatives – Ongoing work, hedging and building a sales funnel.
Now let’s dive into each of them.
Chapter 1: General Summary
The first section of the report provides an overview and summary, teasers for the rest of the report, and high-level metrics. This is also where you refer to the “hot-plate” items, for example to report on current attacker activity and answer open questions.
By providing a short, results-oriented opening section, vCISOs can succinctly set up the story they are telling. It also allows executives and business leaders to engage with the first part of the report for an overview, leaving the finer details for practitioners later in the report.
For example, in this sample report from Cynomi, the first part of the general summary shows the posture score along with a brief explanation of what it means and a hint at the associated risk.
Chapter 2: Tactical Review
The second section allows you to tell stories with data. Since a wide range of data can be pulled into reports, it is important to ensure that the right data is used; that is what creates the right story.
Remember, the idea is to make the customer the hero by showing them how the security program delivers what they want for the business.
For example, a highly technical audience can dig into the details of the security program, whereas an executive will not be able to extract the same story from the same data. It is therefore recommended to automate data collection and then select and trim the data for the type of customer it is being presented to.
This section can also show progress and recommendations for different decision makers, security incidents and how they were resolved, recommended actions that support business processes (e.g. M&A), and more.
For example, in this sample Cynomi report section, a vCISO can drill down into the status of the various policies and domains that need better protection. Later in the report, scan results are shown as evidence supporting this analysis.
Chapter 3: Strategic Review
The strategic review section is designed to create a prioritized security pathway. To build this story, it is important to link the risk assessment, the security roadmap and the recommendations. This means creating a system in which a high-level risk assessment identifies gaps in security controls such as vulnerability management, malware protection or incident response. The recommendations should then clearly state which solutions need to be rolled out, and the roadmap should list the priorities, i.e. lay out the path.
Pro tips:
- Don’t spread FUD. Instead, take the compliment-sandwich approach, starting and ending with positive findings.
- Before asking customers to spend money, show them how the recommendations and actions can save money and support the business.
- Use RCT (Resource, Cost, Time) mapping to help clients make a decision.
For example, in this Cynomi report section, a vCISO can show compliance status and use it to drive the recommendations and the roadmap.
Chapter 4: Future Initiatives
Finally, it is time to discuss future initiatives. Since customers do not have infinite resources, this section helps queue and prioritize work based on the consensus reached about what drives the business.
This section also helps protect both the customer and the vCISO from risk. For example, showing month-by-month progress demonstrates to auditors and regulators that the client is exercising due diligence, which protects both parties.
Finally, this section creates accountability on the customer’s side. When the vCISO clearly shows the business outcomes of adopting the recommendations, the customer can make a business decision and own the risk of that decision.
What’s next?
Reporting is part of a holistic vCISO approach that builds customer trust. Turning your customer into the hero shows that you have their best interests at heart. When that is proven through reporting, it drives vCISO scale and growth, making your business successful.
For more explanations and examples, watch the full workshop here.
For more professional advice and proven practices for vCISOs, read the guide “Your First 100 Days as a vCISO – 5 Steps to Success”.
For daily updates on how to increase your vCISO revenue, follow Jesse Miller on LinkedIn or join the PowerGRYD community.