vCISO vs. Advisory CISO: How to choose the right Trusted Cybersecurity Advisor

10 March, 2026

Cyberattacks are becoming more frequent and more sophisticated, and their consequences now extend beyond organizations to individuals, including job and financial loss.

At the same time, the rapid adoption of increasingly complex technologies (including OT/ICS), greater interconnectivity, widespread use of cloud-based services, and the need for near real-time security monitoring demand a far more proactive approach to enhancing an organization’s cyber-resilience posture.

In reality, no single solution fits every organization’s needs, and the “one-man band” CISO has proven to be a myth. These realities place organizations in a challenging position: they must make numerous executive-level decisions across the cybersecurity spectrum to meet fast-paced operational and regulatory obligations. In other words, defending a digital ecosystem against evolving cyber threats is a complex task, and cybersecurity is expected to act as a key enabler of secure operations and scalable growth.

For these reasons, organizations increasingly rely on Trusted Advisors, often engaging them as an Advisory CISO or a vCISO. This article aims to clarify how Trusted Advisor roles add value to organizations, and why they are often a highly cost-effective option.

Table 1 below summarizes the top five differentiators between the two roles across their spectrum of responsibilities, to help organizations make an informed choice.

Table 1 - Top-five key differentiators across the spectrum of Trusted Advisors’ responsibilities

Each row compares the two Trusted Advisor roles: the Advisory CISO (CISO as a Service) and the vCISO.

Engagement
  Advisory CISO: Mostly for shorter periods of time (whenever specialised consultancy is required), usually acting in an ad-hoc capacity as deemed necessary. It may sometimes require a retainer.
  vCISO: Usually for longer periods of time (from two days per week to fully dedicated), acting either as complementary to the existing InfoSec/Cybersecurity practice, or assigned to establish/execute the cybersecurity program (or certain functions of it).

Focus
  Advisory CISO: Usually brought in either to provide guidance on a cybersecurity initiative the organization is undertaking (or planning to undertake) while advising the established teams, or to provide industry insight on how the organization should shape, structure and enhance its cybersecurity team and efforts. A holistic view and review of the cybersecurity program, across all functions and verticals.
  vCISO: Acting as the dedicated go-to expert (consultant) to accelerate the existing strategy/vision, working closely with the cybersecurity team and the already appointed cybersecurity executive (e.g., the CISO).

Win-Win
  Advisory CISO: Specialized consultancy services whenever they are required, which can be extremely cost-effective for the organization.
  vCISO: A significant accelerator for the cybersecurity program (existing or still to be set up); a results-driven approach to uplifting the current cybersecurity posture and operations holistically; a highly cost-efficient way of obtaining high-end consultancy services under an OPEX model.

Cyber Hygiene
  Advisory CISO: Swift decisions on challenging problems, avoiding time-consuming and costly mistakes by drawing on prior expertise from across the industry the organization operates in.
  vCISO: Clear visibility into the organization’s overall cyber maturity and risk appetite, understanding of its cybersecurity culture, identification of pain points, and introduction of smart KPIs aligned with the strategy, vision and enterprise risk.

Under a Cyber Lens
  Advisory CISO: A fresh point of view to demystify cyber operations and cyber-resilience initiatives.
  vCISO: A deep dive into the cyber-resilience initiatives with a clear cybersecurity mindset, identifying unknown risks, including any potential conflicts of interest.

With that in mind, this article presents actionable guidance to help executive leadership self‑assess and select the right type of trusted advisor. It is important to note that Trusted Advisor services can be delivered either as white‑labelled support or through full ownership of the appointed role for the duration of the engagement.

Why organizations are turning to Trusted Advisors

There has been a lot of debate regarding the set of attributes of a seasoned Chief Information Security Officer (CISO). The truth is that the role (and its responsibilities) is evolving faster than most would admit. The role increasingly demands a balance of business acumen, leadership capability, communication skills, and technical understanding.

Figure 1 – Trusted Advisor attributes contributing to the cybersecurity leadership quadrant. 

This quadrant of attributes matters because a cybersecurity executive must be in a position to make informed decisions based on valid inputs. Taken together, these decisions determine whether the whole organization operates securely and in alignment with its strategy, vision, and current and future needs.

High-profile data breaches have repeatedly shown what happens when the responsibility for securing an organization is misinterpreted as a recurring tick-box exercise aimed at meeting minimum compliance requirements: compliance is a floor, not a security outcome.

Before diving into the specifics, it is important to emphasize that this article helps organizations self‑assess how they:

  • Drive their cybersecurity program
  • Identify what kind of help they need to enhance their existing capabilities
  • Further develop existing capabilities
  • Enhance the program and capabilities with industry-focused risk prioritization
  • Reduce exposure to unknown risks (the risks the organization has not yet identified)
  • Measure and quantify cyber maturity

Even organizations that already have a CISO (or are looking to hire one) face emerging challenges that require multi-disciplinary expertise. This is where the Trusted Advisor role (as outlined earlier) comes into play: either complementing the existing practice, or shaping an approach until the right team is appointed. A common case is a transition period, for example when an organization is recruiting a full-time CISO and needs someone to act in that capacity until the hiring process is complete.

Trusted advisor roles allow decision-makers and thought-leaders to examine, evaluate and future-proof their cybersecurity initiatives, implementation, and execution, by bringing in specialized expertise to save the organization time and be cost-effective.

For that reason, the role and responsibilities of the cybersecurity executive lead (e.g., CISO) are divided below into three phases, allowing boardroom decision-makers to compare and contrast their existing cybersecurity initiatives and set expectations.

Figure 2 – Cybersecurity Executive’s three-phase roles and responsibilities approach

From day one, the industry/sector the organization operates in should be taken into consideration. The cybersecurity lead (e.g., the CISO) is expected to be all hands on deck in understanding the existing attack surface, and to bring guidance on what, where and how the organization needs to be protected, especially against industry/sector-specific cyber threats that could be devastating to it.

This involves significant effort, which must be structured rather than ad hoc to avoid reactive fire-fighting. In theory, the ideal starting point is a security assessment; in practice, an assessment is of limited value without first understanding the actual environment (the digital ecosystem) that is to be protected, because findings cannot be prioritized against assets and business impacts that are not yet known. There is no silver bullet in cybersecurity. These heterogeneous initiatives are where a vCISO, supported by a team of experts, can deliver outcomes in a fraction of the time.

Phase 1: Understand your organization's cybersecurity environment

The first phase is to understand the overall environment of the organization using a twelve-step approach, building on each step as necessary. A CISO should meet with key stakeholders, request specific inputs, review documents and participate in governance meetings to get up to speed on how security is integrated into the organization. The critical areas that the existing CISO (or acting Trusted Advisor) should engage in understanding are:

  • Business Context: Understand the kind of business the organization is engaged in, its core services, key customers, market position, regulatory environment, the industry/sector where it operates, its critical assets (crown jewels), high-value targets, etc. In addition, align with the organization’s vision and develop the appropriate cybersecurity strategy to act as the enabler.
  • Governance Structure: Understand the various governance constructs within the organization, i.e., get a big-picture view of how the information security department (ISD) interfaces with the rest of the organization. A CISO should understand the reporting structure of the ISD, the applicable governance committees, the internal ISD structure, cross-functional teams, etc. As quickly as possible, the CISO needs to start participating in these meetings (e.g., the security committee) to stay current with the latest updates.
  • Review Enterprise Strategic Plans: Review existing strategic plans at the enterprise level, along with the organizational vision and mission statements, and ensure that all IS efforts are aligned with these plans. Identify bottlenecks and conflicts of interest.
  • Review Corporate Policies: Review relevant policies, standards and procedures to understand the enterprise-level requirements around technology and security. Refine, review and develop new policies if necessary, according to security industry standards and taking into consideration the industry/sector the organization operates in.
  • Understand Regulatory Requirements: Understand the regulatory and compliance requirements of the organization from an information security perspective. Review any existing control framework that supports these obligations, and the results of any prior audits/assessments performed against it.
  • Understand the Information Security Department: Understand the existing information security teams along with their capabilities and skillsets. Understand how network security, identity & access management, risk management, application and infrastructure security, threat, vulnerability and patch management, and the security operations center are implemented within the organization. Ensure there is a clear separation of responsibilities between the IS and IT departments, and that the boundaries of the IT Security function are well defined.
  • Study the Information Security Budget: Obtain historical and current IS budgets and understand the operational expenses, the allocation for new initiatives, etc. Ensure the budget requirements are aligned with the overall strategy and can produce measurable results to support future budgetary needs.
  • Meet Key Stakeholders: Make sure to meet the relevant decision-makers from all business units, verticals and technology teams to understand their latest initiatives and the operational upkeep of security within their units, including capturing a clear picture of the cybersecurity culture.
  • Asset Visibility: Understand the spectrum of organizational assets (including those hidden behind organizational silos) and the current level of visibility over them. Enquire about the identification of crown jewels, data classification status, risk profiling, etc.
  • Review Enterprise Systems Architecture: Review the systems architecture and understand how the various technology elements interact with one another (including on-premises systems and any cloud-based services in use). Also understand how vendors are integrated within the architecture.
  • Review Business Continuity Plan (BCP)/Disaster Recovery (DR): Identify and understand critical assets from the business impact analysis and the associated metrics, such as Recovery Point Objective (RPO), Recovery Time Objective (RTO) and Maximum Tolerable Downtime (MTD). As a sanity check, the RTO for each critical service should be shorter than its MTD; where it is not, the DR plan cannot meet the business requirement.
  • Current State of Cybersecurity Culture: Dive into the human aspect of security, which goes beyond processes and technology. Ask the difficult questions about human behaviour and the non-conventional methods (e.g., social engineering) used to target the organization as a whole, including through trusted third-party relationships.

Where the above exercise reveals that essential elements are missing (e.g., a specific information security policy), note them in a to-do list for the planning phase.

Phase 2: Analyze your current security posture and identify gaps

Once a fundamental understanding of the overall environment exists, the current state of information security within the organization and any gaps against the enterprise strategic plans need to be analyzed. This analysis requires a review of prior assessment reports, inputs from key stakeholders and the outputs of participation in the various governance committees. This phase comprises a seven-step approach to break down the workload and assign responsibilities so that the right (and up-to-date) inputs are obtained:

  • Analyze Reports: Review and analyze security assessment reports, internal and external audit results, compliance assessments, performance metrics of the information security department, ongoing security efforts etc. and capture existing gaps that need to be addressed. Capture the timeframes of remediation, effectiveness and validate the lessons-learnt process.
  • Security integration with Enterprise Systems Architecture: Review and analyze the integration of security with the enterprise architecture and identify possible security gaps that need to be addressed. Involve key stakeholders throughout this process and obtain their inputs and perspectives.
  • Visit Physical Locations: Visit key physical locations such as data centers, the Security Operations Centre (SOC) and the Network Operations Centre (NOC), and analyze how physical security is implemented for these locations.
  • Organizational Security Culture: Analyze existing cybersecurity training mechanisms, day-to-day operational activities and the systems used to protect information, and characterize the organizational security culture across people, process and technology. This is not a tangible, auditable measure and cannot be used directly in formal assessments; it is, however, a key informal input to the CISO’s decision-making.
  • Define Capability Matrix: After understanding the existing skillset within the information security department, prepare a capability matrix that clearly defines the existing skills, the required skills, and the training, education and recruitment mechanisms that will be used to close the gaps.
  • Identify Key Solutions Required: Identify the key security solutions (for example, but not limited to, network monitoring and identity & access management tooling) that need to be procured and implemented to improve the security posture. Also check what has already been bought: it is common to find tools that were procured but never deployed, or that have been misconfigured for a long time before anyone noticed, and both represent spend without risk reduction.
  • Perform Gap Assessments: If there are no existing assessments, audit reports, or actionable inputs from key stakeholders on possible gaps for any key security process or solution, perform gap assessments in alignment with your information security budget and enterprise strategic plans to identify these gaps.

Phase 3: Plan and execute your information security strategy

After analyzing the current security posture and identifying any possible security gaps, the final phase would be to formulate and execute a seven-step approach to address these gaps and reach the target state in alignment with the enterprise strategy. Ensure that your plan considers and aligns with the information security budget or communicates clearly to the board what adjustment is needed to the budget, ensuring that any budget increase can be justified.

  • Define Current and Target State: Structure all the existing information security processes to clearly define the current state of the organization’s security posture. Similarly, define the target state of the security posture based on the enterprise strategic plans, information security budgets, organizational and sector-level requirements, industry best practices, etc.
  • Formulate the Information Security Strategy Plan: Create a plan to address all the existing gaps and define the next steps required to achieve the target state. This plan will be utilized as the cornerstone for all information security initiatives.
  • Socialize the Plan: Socialize this plan with key stakeholders, leadership teams, governance committees and obtain inputs and buy-in from all of them.
  • Refine the Plan: Incorporate relevant feedback from key stakeholders and refine the plan before executing any security initiatives.
  • Create the Implementation Roadmap: Establish the implementation roadmap with detailed initiatives, action items, timelines, effort and cost estimates, project management and resource requirements to execute the plan.
  • Request Management Approval: Request management approval and the allocation of budget to implement the information security strategy plan.
  • Build the Project Governance Constructs: Ensure that all the initiatives and action items from the information security strategic plan and the roadmap are managed through well-defined governance programs that monitor, course-correct, and improve efficiencies and effectiveness.

How CPX can help accelerate your cybersecurity program

Every cybersecurity executive who bears the responsibility of driving, leading and executing a cybersecurity program is expected to be actively involved in various day-to-day operational activities. Some of these activities require a specialized skillset that might not be available within the existing capabilities of the organization’s Information Security Department or cybersecurity function.

Benchmarking against industry peers is a good indicator of where the organization is currently standing and where it should aim to reach (and of course within what timeframe). This is where specialized Trusted Advisor roles, such as the vCISO, can significantly reduce time‑consuming execution, misdirected initiatives, costly mistakes, low‑value tasks, and uncoordinated security operations.

We are already helping various entities across the UAE strengthen their cybersecurity posture and accelerate their programs and compliance. We look forward to discussing how we could help you.

Reach out to CPX to discuss our Trusted Advisor program and how it can support your organization’s strategic cybersecurity initiatives.
