Page 121 - Cyber Defense eMagazine January 2024
call upon. I find this fascinating because the vCISO is part cybersecurity advisor, part strategist, part
practitioner and part recruiter.
I am sure more niches will evolve, but, based on my interviews, these are the most common. One
consistency I have noted is the initial due diligence required with each client, usually called a gap analysis
or gap assessment. My takeaway is that if you are offering vCISO services, you have to be offering gap
analyses.
Go It Alone or Build a Scaling Business
It is exciting to start your own business working for yourself. While consulting businesses are often
considered “lifestyle” businesses, they still can grow and scale like a startup. I personally like to analogize
cybersecurity consulting firms to law firms and I think the model works well. The most highly experienced
partner starts the firm and starts to grow enough client work such that they need help due to bandwidth
constraints. At first, they have a few vCISO friends who can pitch in and consult when needed. Eventually,
they need to hire someone to take over the client work so they can focus more on marketing and sales.
Eventually, the founding partner is managing several other vCISOs and also associates who are earlier
in their career. In this model, a vCISO partners with the associate. The associate has a cheaper hourly
rate than the vCISO and works on more of the heavy lifting, like conducting the due diligence for gap
assessments, reviewing vendor evidence of security and responding to security questionnaires on the
client’s behalf. The vCISO partners focus more of their time on high-level tasks, training the associates
and keeping abreast of changes to any standards or regulations (like NIST CSF 2.0 or CMMC).
Meanwhile, the founding partner now spends almost all of his, her or their time managing the business,
hiring and firing, and marketing and sales. It is worth taking the time to understand what you want. Do you
want to run a business or do you like doing the work for the clients? Your decision will determine whether
you stay a one-person firm or grow into something much larger.
Back to the law firm analogy, I see vCISO firms eventually having specialties like law firms do now. One
firm may have an entire practice area that focuses on audit readiness while another practice area
focuses on secondments within companies. Basically, the choices you made to start your firm, such as which
niche to offer, become one division of your much larger firm.
2023 was the year of the explosion of the vCISO market and I do not anticipate that it slows down in
2024. If anything, we will start to see larger and larger firms emerge as top-tier with reputations for being
best in class. If you have been thinking of starting your own firm, I say the time is now before the price of
entry gets too high.
As you dive deeper into running your own firm, you'll discover even more insights and nuances. Stay
curious, adapt to the changing landscape, and never stop learning. With dedication and the right
strategies, you can build a vCISO firm that brings you challenges that are worth experiencing and
enjoyment in your work that you never thought possible.