December 21, 2023

How to be successful working with (or being) a vCISO for a startup

Written by:
Travis Good

Are you a startup founder or employee considering working with a vCISO? Or maybe you’ve already made the call and are getting ready to onboard a new fractional cybersecurity lead? If so, this post is for you. In this post, we cover the following 👇

  • This post outlines a three-phase approach for vCISOs to help startups improve their cybersecurity posture.
  • Phase 1 involves understanding the startup's business model and goals, identifying potential risks and vulnerabilities, and developing a risk management plan.
  • Phase 2 focuses on managing security controls and processes, providing training and awareness programs, and ensuring compliance with relevant regulations.
  • Phase 3 is about fine-tuning the cybersecurity program, implementing continuous improvement processes, assessing automated cybersecurity platforms, and evaluating emerging technologies and best practices.
  • An optional Phase 4 involves hiring a full-time CISO, with the vCISO assisting in defining the role, recruitment, selection, and ensuring a smooth transition.
  • Throughout all phases, regular communication and collaboration between the vCISO and the startup team are crucial to maintaining a strong cybersecurity posture.
  • The vCISO's role shifts from a hands-on implementer to a strategic advisor over time.
  • The ultimate goal is to help startups maintain a strong, consistent cybersecurity posture even as they grow and evolve.

As we’ve written before, most startups, whether B2B or B2C or B2D or any combination thereof, can effectively run a mature infosec and compliance program with less money by hiring a vCISO, or fractional CISO, as their de facto cybersecurity leader. A vCISO can be incredibly beneficial to a startup, as the right vCISO brings a wealth of knowledge and experience to the table. They should understand the importance of security and compliance, and can help the startup build, scale, and run secure and compliant infrastructure as well as internal procedures. A good startup vCISO can also provide guidance on best practices and develop a bulletproof and adaptable cybersecurity roadmap, helping the startup stay ahead of the curve in this ever-changing security and privacy landscape.

In this post, we’ve broken down the phases of work for a successful vCISO <> startup relationship. The use of the word “relationship” instead of “engagement” is intentional, because the only way for a startup to get value from a vCISO is if there are real commitments, communications, and buy-in from both sides.

The names of the phases are less important than the tasks and the timing of each phase.

A vCISO that spends months getting up to speed and never optimizing, but only managing, a cybersecurity program is not a true vCISO. It’s a consultant billing hours and filling a seat (and title).

At Workstreet, we pride ourselves on improving every startup and every cybersecurity program we touch. This can be as simple as creating or editing a cybersecurity and compliance roadmap. Or as complex as designing and implementing entire GRC platforms or security tools.

Phase 1: Orienting (Week 1 - 4)

In this phase, the vCISO will focus on understanding the startup's business model, goals, current cybersecurity posture, and any cybersecurity roadmaps (or equivalent). The vCISO will work closely with the startup team to identify potential risks and vulnerabilities, and develop a strategy to mitigate them.

👉 Key activities during this phase include:

  • Meeting and getting to know the team. This is likely more than one team.
  • Conducting a comprehensive security assessment. A recent audit (internal or external) is a great starting point.
  • Identifying gaps in the existing security program or remediation items in a recent audit report.
  • Prioritizing risks and developing a risk management plan.
  • Ensuring an adequate understanding of the “why” for the chosen security governance framework.
  • Getting onboarded and up to speed on current tools and tech, including comms tools like Slack and productivity tools like Google.

During this initial phase, it's essential for the vCISO to establish open communication channels with the startup team, ensuring that everyone is on the same page regarding security and compliance objectives. In many cases, this means the vCISO joins and engages with the team in Slack.

Phase 2: Management (Week 2 Forward)

During the management phase, the vCISO will take the reins on the security controls and ensure security workflows are effectively integrated into the startup's operations. This phase should not just be about the vCISO managing others; the vCISO should be managing all, or at least some, of the day-to-day of the cybersecurity program.

👉 Key activities during this phase include:

  • Collaborating with the team to manage and take over security controls and processes.
  • Providing training and awareness programs for employees that touch cybersecurity workflows and procedures.
  • Monitoring and managing the effectiveness of security measures around daily workflows.
  • Ensuring compliance with relevant regulations, industry standards, and company procedures.
  • Remediating audit gaps or developing plans to remediate gaps.
  • Continuously reviewing and updating the risk management plan, and potentially doing a full risk assessment.

In this phase, regular communication and collaboration between the vCISO and the startup team are crucial to successfully managing and maintaining the day-to-day blocking and tackling of cybersecurity workflows.

Phase 3: Optimize (Week 4 Forward)

In the optimization phase, the vCISO should fine-tune the cybersecurity program to maximize its effectiveness and efficiency. This requires a critical eye. Automation is a goal in this stage. This phase is crucial for ensuring that the startup's cybersecurity posture remains strong and adaptable as the business grows and evolves; scaling a cybersecurity program is not easy, and the vCISO should have experience with this.

👉 Key activities during this phase include:

  • Developing or editing a cybersecurity roadmap for implementing security controls and processes.
  • Analyzing security metrics and trends to identify areas for improvement, and new metrics to begin to measure.
  • Implementing continuous improvement processes for security controls and procedures.
  • Streamlining cybersecurity operations to reduce complexity and overhead.
  • Assessing automated cybersecurity platforms that can connect multiple tools.
  • Evaluating emerging technologies and best practices to stay ahead of evolving threats.
  • Maintaining a strong security culture through ongoing education and engagement. This is usually low-hanging fruit for vCISOs, as it’s easy to implement and there’s often room for improvement here.

During this phase, the vCISO's role shifts and expands from a hands-on implementer to a strategic advisor, helping the startup team make informed decisions about security investments and priorities.

[Optional] Phase 4: FTE CISO Hiring (Week 12 Forward)

In some cases, a startup may reach a point where it's more beneficial to hire a full-time CISO to manage their security and compliance needs. This is highly dependent on the startup. If you’ve ever hired a CISO for a startup, you know how hard this can be. Many CISOs with executive leadership experience lack startup experience and many security leaders with startup experience lack executive leadership experience. During this phase, the vCISO should play a crucial role in defining the role, helping with recruitment, identifying the right candidates, interviewing, and ensuring a smooth transition.

👉 Key activities during this phase include:

  • Assisting in the development of a CISO job description and requirements.
  • Identifying and assisting in selection of a recruiter (if one is deemed necessary).
  • Participating in the interview and selection process for potential candidates.
  • Collaborating with the new CISO to ensure a seamless handoff of responsibilities. Winding the vCISO down over 4 weeks is a good rule of thumb.
  • Providing ongoing support and guidance as needed during the transition period, often being available for questions and feedback over the first 90 days of CISO employment.

This phase is optional and depends on the startup's growth and evolving security needs. The vCISO's involvement in this phase ensures that the startup continues to maintain a strong, consistent cybersecurity posture even as they transition to having a dedicated in-house CISO.

Hire a vCISO for Phase 3

If you're considering hiring a vCISO for your startup, it's essential to find the right person or team who can effectively guide you through Phase 3. Look for a vCISO with a strong track record of optimizing cybersecurity programs and, if relevant, of supporting the hiring process for full-time CISOs. This will ensure that your startup benefits from their expertise and experience, ultimately leading to a more secure and compliant organization.

Hire Workstreet to get you up the mountain

Better than a typical vCISO, hire an experienced team with complementary and synergistic skill sets. That’s Workstreet. You get decades (literally) of security, compliance, and privacy startup experience in one fractional vCISO. We know the cloud, SaaS, distributed teams, the trust challenges startups face, and how to operationalize cybersecurity without slowing down growth.