September 24, 2021

Last Updated on January 19, 2024

As an endless barrage of successful cyberattacks illustrates, information security and privacy are hard to get right. Meeting ever-greater regulatory demands is a further challenge. The “Holy Grail” of achieving a trusted third-party attestation that proves your business is secure and compliant might seem far out of reach.

Wherever your security and privacy posture is today, one “universal law” holds true: a successful program requires a measured, strategic approach, as opposed to a series of ad hoc, tactical decisions that address pressing problems more or less in a vacuum.

To help business leaders take a step back and see the wider view of how to develop a verifiably successful cybersecurity and privacy program, Pivot Point Security CISO and Managing Partner John Verry made a guest appearance on Harbor Technology Group’s podcast “The Perfect Storm.” John and podcast host Matt Webster are competitors as well as friends, and both are strong proponents of “starting with strategy” to add maximum value in client engagements.

Setting a clear vision

“It’s being able to translate the importance [of cybersecurity] and the pressures that these companies are facing,” says Matt. “The sales dude’s talking to a customer and saying, ‘I have this going on right now, and we need to be ISO [27001 certified].’ Well, that’s just not a turnkey process. Implementing a strategy is a way for the company to say, ‘Okay, take a deep breath. We need to set a clear vision, and the organization can’t afford to run around trying to play Whac-a-Mole with how we’re approaching cybersecurity.’”

“Recently we got an RFP out of the blue for vCISO and SOC 2 [audit preparation],” echoes John. “I was like, ‘We could respond to your bid. But if we did, we’d be wasting your money. So you know what, actually we’re not going to respond to your bid. We don’t have a clear picture [of your current environment], and we don’t know where you need to go. We really need a strategy. This isn’t going to be the only client that’s going to ask you for attestation. Why are we jumping through hoops for this particular client, when you’re not addressing the privacy component? Which is going to come, because you’ve got personal information. You’re not addressing this, you’re not addressing that…’”

In other words, the client was thinking tactically when they needed to be thinking strategically.

From vision to execution

“And then the conversation evolved,” continues John. “Remember we talked about the idea of Vision, and then we roll into the Execution component. What is execution? The first part is that you translate that strategy into a near-term, actionable plan. Like, when you guys do your vCISO, I’m sure you do a risk assessment and a gap assessment. So that the risk treatment plans and gap remediation plans are the short-term tactical plan that comes out of that strategic plan that you’ve created for them.”

“Now the next part is, we need to get to these repeatable processes,” John explains. “So, in information security that’s often developing a set of policies, procedures, standards… Things like incident response plans, business continuity plans, and things of that nature. And, ideally, put them into a project plan or into a GRC tool or something you can track.”

“And then the last piece of that is, do we have the people?” adds John. “And do they have the appropriate training and knowledge to actually execute these repeatable processes in a way that’s effective and efficient? And do we have the tools to actually do that?”

Making it understandable to business leaders

“What was cool was that during the conversation, the client was saying, ‘Hey, we’re going to buy this tool called Vantive. Have you heard of Vantive?’ Which is a tool for SOC 2 prep. And I was like, ‘Yeah, it’s a pretty good tool.’ But I literally had a picture of the [Pivot Point Security Proven Process] wheel up, and I’m like, ‘So, you’re down here at Execute, and you’re actually going to buy a product before you have a clear Vision, up here.’ And the guy on the phone goes, ‘I was just thinking the same thing,’” John relates. “‘Why are we jumping to Execute when we haven’t finished Vision?’”

“He was the CFO,” shares John. “It was really cool to see a CFO connect with our [process] model. And to me, it was, like, ‘That’s great, lights on!’”

What’s Next?

If you need to shift your cybersecurity view from tactical to strategic, this episode featuring John Verry on Harbor Technology Group’s “The Perfect Storm” podcast will certainly help you get there.

Looking for more information on building out a strategic security program? Check out the related blog post: “Why Products are the Least Important Element of Your Cybersecurity Program” from Pivot Point Security.

Successful vCISO = All Security Roles Filled

This document outlines the three critical roles and responsibilities of a Virtual Chief Information Security Officer: Architect, Builder, and Operator.
Download the free infographic now!