10 Must-Haves in a Chief Information Security Officer (CISO)

Posted March 7, 2016 by Yves Dorleans

With last month's announcement that the White House plans to hire its first chief information security officer (CISO), cybersecurity continues to be a major concern and national agenda priority. According to Security Magazine, the pending appointment is "part of a larger cybersecurity defense plan that will also include a $3.1 billion fund to replace outdated IT infrastructure; a commission to study cybersecurity problems, and a program to recruit cybersecurity experts into government roles." 

And while the stakes may be a bit higher at the White House, the Oval Office isn't the only place where highly skilled cybersecurity talent is needed. Small- and medium-sized business offices everywhere struggle to recruit, hire and retain security experts, and the need is great. The Symantec 2015 Internet Security Threat Report, Volume 20 found that "60 percent of all targeted attacks struck small-and medium-sized organizations" last year. As MSPs, you have a duty to the companies you protect to fulfill the duties of a chief information officer (CIO) and CISO. What does this entail?

How to Become the CISO Your Clients Need:

1. Translate existing control framework recommendations into customized controls to build a comprehensive, in-depth defense for the organization.

2. Understand the industry in which each client's company operates, and the specific threats that need to be defended against. Casting a wide net is not optimal, either for security or for cost efficiency. That approach is expensive, and you might still miss the small details and vulnerabilities that lead to considerable data compromise.

3. Practice agility in risk management, communicate those risks to senior management, and select the right mitigations and countermeasures.

4. Coach and develop those who directly report to you, other members of your organization and appropriate employees at your clients' sites.

5. Learn the culture of the company, and try to implement changes to correct behaviors that may put clients' data at risk.

6. Act as advisor to both senior management and other cross-functional groups within the enterprise.

7. Act independently. The CISO position is an independent function, and should not be influenced by leaders of IT and other members of senior management. 

8. Hire and train the right people for the security function.

9. Sell a security strategy that's embraced by all members of the organization. 

10. Be diplomatic and have the ability to defuse conflict. This is especially beneficial when executives have to compete for budgets and limited resources. A CISO must possess this leadership to enact security initiatives and ensure they're implemented companywide.


If you want to be stickier with clients, provide the cybersecurity insight they so desperately need. Be their virtual CIO and CISO. Lay the foundation for a healthy IT environment, creating complete, responsive and disaster-proof policies, processes and procedures. Then continue to reassess your clients' networks, managing and remediating any issues or vulnerabilities that you identify. Most importantly, remember that you're only as strong as your weakest link. Whatever security framework you do establish, verify that it is properly enforced and receives buy-in from all employees at your clients' sites. Become intimately familiar with all of the intricacies of your clients' individual networks, whether physical or operational. Then, once they begin to view you as a strategic partner rather than just another vendor, you'll unlock new opportunities to win more lucrative business, all while strengthening your bond with those clients.



Yves Dorleans is Director of Information Security and Compliance at Continuum Managed Services and has been working in IT operations, compliance and security for over 15 years. Yves led consulting teams for engagements with small and medium-sized businesses in the design of security and IT general controls required for compliance with state, private and federal regulations. For several years at KPMG, Yves was part of the advisory practice that was instrumental in helping companies adapt IT and security control frameworks, such as COBIT and NIST, to support their internal business processes.
