vCISO – INDIA NEWS (https://www.indiavpn.org)

Hands-on Review: Cynomi AI-powered vCISO Platform
https://www.indiavpn.org/2024/04/10/hands-on-review-cynomi-ai-powered-vciso-platform/
Wed, 10 Apr 2024 11:43:07 +0000

Cynomi AI-powered vCISO Platform

The need for vCISO services is growing. SMBs and SMEs are dealing with more third-party risks, tightening regulatory demands and stringent cyber insurance requirements than ever before. However, they often lack the resources and expertise to hire an in-house security executive team. By outsourcing security and compliance leadership to a vCISO, these organizations can more easily obtain cybersecurity expertise specialized for their industry and strengthen their cybersecurity posture.

MSPs and MSSPs looking to meet this growing vCISO demand are often faced with the same challenge. The demand for cybersecurity talent far exceeds the supply. This has led to a competitive market where the costs of hiring and retaining skilled professionals can be prohibitive for MSSPs/MSPs as well. The need to maintain expertise in both security and compliance further exacerbates this challenge.

Cynomi, the first AI-driven vCISO platform, can help.

Cynomi enables you – MSPs, MSSPs and consulting firms – to provide vCISO services at scale – without straining your existing resources. Cynomi is modeled after the knowledge of the world’s best CISOs, allowing you and your clients to gain access to expert-level security and compliance insights and tools.

Cynomi provides the two main vCISO pillars, security and compliance, in an automated and actionable manner. This includes security assessments, gap analysis, compliance readiness, policy creation, task management and reporting. With Cynomi, you will benefit from increased revenue, a growing customer base, reduction in risk assessment time, a decrease in report generation time, well-structured processes and shorter employee onboarding times.

Let’s see how easy Cynomi is to work with:

Setting Up and Managing Multi-Tenant Accounts

Focusing on partners, Cynomi was designed to support multi-tenancy. You can independently create and manage a separate sub-account for each of your clients, allowing you to easily manage and track each one, as well as giving them access to Cynomi.

Figure 1: Cynomi account management screen

To support your scalability and growth, you can delegate roles and ownership among your team for each client account. You will still enjoy admin-level cross-account visibility and privileges.

For centralized management of all your clients, Cynomi provides a unified account management screen where you can edit user details, resend invitations, unlock blocked accounts and more.

Wherever you are on the platform, you’re always just a click away from the admin panel and all your user accounts.

Building a Cyber Profile with an Onboarding Questionnaire

Onboarding a new client starts with gathering high-level information about them, allowing you to build a relevant remediation plan. This includes an onboarding questionnaire about their infrastructure. Once completed, Cynomi generates a tailored set of short follow-up questionnaires for security posture evaluation.

Figure 2: Cynomi onboarding questionnaire
Figure 3: Cynomi tailor-made follow-up questionnaires

Completing all the questionnaires delivers a comprehensive view of client security posture and gaps. Based on the responses, Cynomi offers custom tailored policies that cover all steps required for remediating security gaps.

Questionnaires can be revised at any time if a client’s environment changes. Policies will be automatically updated accordingly.

Internal and External Scans

To augment and complete your understanding of your client’s cyber profiles, Cynomi allows you to scan and assess their external and internal assets.

External Scanning:

For assessing the security of externally exposed assets, Cynomi scans IPs and URLs and discovers vulnerabilities as well as secured configurations. This includes scanning risky ports, checking protocols and encryption, verifying email configuration parameters, technology updates of web applications and more.

Figure 4: Cynomi scan results screen

Users can drill down into each scan finding to see an in-depth description and remediation options. Any detected vulnerabilities are automatically added to the account’s task list, according to their severity.

Figure 5: Drill-down to a specific finding

Scan results are available in just a few minutes.

Internal Scanning:

Internal scanning discovers vulnerabilities in the client’s internal networks. Scans cover client assets like Active Directory and endpoints and assess their security hygiene and configuration.

You can also upload your Nessus external scan, Qualys external scan or Microsoft Secure Score CSV files.

Scan findings are aggregated in a table and linked to the relevant tasks and policies.

Security Assessment

Cynomi continuously parses each client’s cyber profile against industry-specific security standards, regulatory frameworks and industry-specific threat intelligence. These are coupled with the information from the security questionnaires and the scans.

Based on the company-specific profile, the relevant cyber domains are dynamically picked with the optimized requirements. Each requirement is assigned a criticality level, representing the importance of this requirement for the organization’s security posture. Risks such as ransomware and data leak are calculated as well, based on the organization’s sensitivity to those attacks.

The result is a single pane of glass view of each client’s overall security posture and its progress over time.

The dashboard includes:

  • Overall security posture score
  • Vulnerability and exploit gap analysis
  • Risk score for a specific threat vector
  • Remediation plan with actionable prioritized tasks
  • Status against various compliance frameworks requirements
Figure 6: Cynomi main dashboard

Comprehensive, Continuous Compliance Assessment

For meeting compliance requirements, Cynomi presents the client status against various compliance and security frameworks (list continuously updated):

  • CIS v8
  • ISO 27001
  • NIST CSF 1.1
  • NIST CSF 2.0
  • NIST-171
  • NIST-SSDF
  • SOC 2
  • CMMC L1, CMMC L2
  • GDPR
  • NIS2
  • PCI-DSS
  • HIPAA security
  • Cyber Essentials
  • FTC Safeguard Rule
  • SEC compliance
  • ICS Cyber Security
  • CCPA
  • FFIEC

The compliance module is actionable and allows seeing the details of each control in each framework and how each task maps into each framework.

The compliance status against frameworks is updated continuously so you are always aware of your client’s readiness level.

Figure 7: Cynomi compliance dashboard

You can also download a dedicated compliance status report per client. The report includes:

  • Overall compliance status
  • A list of controls
  • Maturity level
  • Control status
  • Control mapping to framework
  • Implementation status
  • A link to the relevant Cynomi tasks

With this information, you can easily understand where your clients stand and what gaps need to be closed in order to comply with different frameworks. You can then build a remediation plan for each framework you selected with just a few clicks.

Tailor-made Security Policies

It’s time to get down to business. Cynomi automatically generates a set of policies for each client. They are custom-created leveraging decades of built-in CISO expertise and crafted to be easy to follow and actionable.

On the policies view, you’ll find:

  • The company score for all generated policies
  • The option to drill down into the details of each policy, including purpose, scope and protection requirements
  • Information on the tasks and progress that need to be completed for securing the policy’s domain

For example, this policy screen shows the client’s score per policy and allows you to drill down to see a breakdown of each policy’s requirements.

Figure 8: Cynomi policies screen

Policies are editable and customizable.

Actionable, Prioritized Remediation Tasks

Modeled after the knowledge of the world’s best CISOs, each policy requirement is also translated into an actionable task for remediation. Tasks are easy and intuitive to understand and follow and are displayed in an AI-generated prioritized list that includes each task’s severity and status.

Task types include:

  • Technical controls
  • Administrative procedures
  • Security components configurations
  • And more
Figure 9: Cynomi tasks screen

The list and tasks can be edited. This flexibility allows the operating vCISO to postpone or defer certain tasks without affecting policy status or severity.

To track and manage tasks, users can apply filters, jump back to tasks that are already in progress, or focus on high severity tasks only. All progress is tracked, and tasks completed are automatically reflected in the client’s overall security posture score.

To execute and understand tasks, each task can be drilled into for step-by-step guidance on putting a control in place or mitigating the risk. Tasks are also customizable, allowing you to add best practice guidance, as well as evidence that supports the task.

Figure 10: Drill-down to a specific task

Plan and Roadmap

Cynomi leverages AI and automations to create a suggested plan. Then, the Cynomi platform provides the user with a wealth of tools and capabilities for planning, ongoing task management optimization and progress tracking:

  • Assigning tasks to short-, medium- and long-term plans
  • Allocating tasks to plans
  • Adding due dates
  • Filtering according to framework, due date, status, and more
  • Editing tasks per changing needs
  • Adding information and evidence to each task, per account or across the board, with specification, details and recommendations
  • Adding product and service recommendations to tasks for upselling new services
Figure 11: Cynomi automated risk mitigation plan

Customer-facing Reports

Cynomi includes built-in customer-facing reporting for each client. You can generate reports at the click of a button with your own branding showing the client’s security level, improvement, trends, compliance gaps and comparisons with industry benchmarks. Reports include:

  • Full Report – Your client’s cybersecurity posture. Use the report to present your clients’ status to them and your suggested remediation plan. Over time, updating the report will show the security improvements you helped them make.
  • Risk Findings Report – Your clients’ risk exposure based on the platform scans.
  • Compliance Report – Your clients’ compliance readiness and status.
Figure 12: Cynomi reports

These reports can help you to easily show your clients their current cyber posture status, the progress you helped them make and the impact of your work. Use these reports to open up conversations with management, IT and other stakeholders. Show them the security risks, help them understand requirements and demonstrate progress as each task is completed.

Continuous Optimization

Unlike one-time assessment tools, Cynomi continuously updates your client’s risk score, compliance readiness, policies and tasks and shows progress over time. These are based on changes in your client environment, regulatory requirements and industry-specific threat intelligence. With this information, you can rest assured that you will always stay on top of your clients’ compliance and cybersecurity posture and demonstrate the value of your strategic cybersecurity service to them.

The Bottom Line

Cynomi’s AI-powered vCISO platform is designed to help MSPs and MSSPs grow their business and revenue through vCISO services. Cynomi helps service providers deliver comprehensive vCISO services to SMBs and SMEs, from risk assessments to security policies to plans and reporting, across both vCISO pillars: security and compliance. By understanding the impact of each task and action on both security and compliance, MSPs/MSSPs can make the most professional decisions for their clients. This allows MSPs and MSSPs to expand their customer base and secure recurring revenue with existing customers.

Cynomi also reduces vCISO tasks’ time by over 40% and helps onboard new employees quickly, so responsibilities can be delegated to them, regardless of seniority. By simplifying and standardizing processes, MSPs/MSSPs can onboard employees and customers quickly and cut time-to-value by half.

Finally, Cynomi’s reports allow MSPs and MSSPs to leverage reports and demonstrate tangible impact. This opens up conversations with leadership and increases upsell of services and products.

Visit the Cynomi website to test it yourself.

This article is a contributed piece from one of our valued partners.



5 Steps to vCISO Success for MSPs and MSSPs
https://www.indiavpn.org/2024/02/07/5-steps-to-vciso-success-for-msps-and-mssps/
Wed, 07 Feb 2024 10:58:04 +0000

Feb 07, 2024 | The Hacker News | Risk Management / Cybersecurity


2024 will be the year of the vCISO. An incredible 45% of MSPs and MSSPs are planning to start offering vCISO services in 2024. As an MSP/MSSP providing vCISO services, you own the organization’s cybersecurity infrastructure and strategy. But you also need to position yourself as a reliable decision-maker, navigating professional responsibilities, business needs and leadership requirements. A new webinar by Cynomi, vCISO platform leader, hosting CISO and vCISO veteran Jesse Miller from PowerPSA Consulting, provides MSPs and MSSPs with an effective 100-day plan to build themselves up for success.

The webinar provides a tangible five-step 100-day action plan that any MSP/MSSP can follow when they engage with a new vCISO client. It also provides guidance on vCISO goals and pitfalls to avoid. By watching the webinar, you can position yourself as a strategic and long-term partner for your clients. They will see you as capable of driving security transformation and managing security continuously and dynamically.

Some of the main highlights covered in the webinar:

vCISO Goals

When starting as a vCISO, it’s important to understand the vCISO’s goals and use them to guide you throughout your role:

  • Establishing, overseeing and managing organizational security in a flexible and robust manner.
  • Fostering trust with security goals through alignment, to get leadership and stakeholder buy-in.
  • Making security a business enabler, contributing to compliance, operational efficiency, a competitive advantage, financial responsibility, and more.

Pitfalls to Avoid

At the same time, stay clear of pitfalls that can disrupt your ability to provide high-quality services. Some tips for avoiding pitfalls include:

  • Stay strategic and resist the temptation to put out fires.
  • Maintain objectivity and avoid getting caught up in organizational politics.
  • Use automation, not manual processes. Manual processes are time-consuming, error-prone and inefficient by comparison.
  • Ensure compliance to avoid grave legal and reputational consequences.
  • Delegate and build the infrastructure rather than doing everything yourself.
  • And more

The 5 Phases: Your 100 Day Action Plan

Phase 1: Research (Days 0-30)

Welcome to your new client! Start by researching the current state of the organization’s security posture and business objectives. This involves building relationships with stakeholders and the IT/security team, reviewing management practices, policies and configurations, and assessing vendor management processes and third-party risks. These actions will help you understand the potential vulnerabilities and the effectiveness of existing security controls and procedures.

Phase 2: Understand (Days 0-45)

Now, it’s time to bring your findings together. This starts with conducting a security risk assessment with a standard onboarding questionnaire and scanning tool. Then, use all the information from the assessment and from phase one to create a clear picture of security maturity and the security posture. After presenting this posture and existing gaps to management, you will be able to develop a list of short-term and long-term needs based on risks and business objectives. In the list, make sure to demonstrate the business value of your security investments. When possible, use automation for efficiency.

Phase 3: Prioritize (Days 15-60)

The third step is about shaping actionable plans. Draft short-, mid- and long-term goals and develop the plan and required budget to achieve these goals. Identify 2-3 quick wins that will improve security and your organizational stance, and share all these deliverables, together with a risk register, with management.

Phase 4: Execute (Days 30-80)

Now is the time to execute. This will establish your vCISO credibility and set the tone for ongoing security management. Once you have stakeholder and management buy-in, communicate your plan across the board, creating a sense of shared responsibility and success. Start executing the tasks that will help you achieve your goals: implementing automated systems, the quick wins you identified, high-priority policy creation, and new tools and products. As soon as possible, set up the reporting cadence to help you demonstrate improvement. And as always, in a fast-moving environment, be prepared to adjust as needed.

Phase 5: Report (Days 45-100)

Reporting is key for demonstrating success. Collect data that reflects progress and success, like reduced incident response times or fewer successful phishing attempts. Make sure to communicate this data to management in a way that shows the business impact, successes and challenges, and security progress. On top of this frequent reporting, conduct an additional full assessment after 3-4 months to demonstrate progress and identify any new or unresolved vulnerabilities. Based on these reports, continuously adapt and improve your processes and controls to keep security measures effective and relevant.

Your Next Steps as a vCISO

Making meaningful choices, measuring your impact, and maintaining a flexible mindset will set you up for success on your vCISO journey. To get more insights, understand how this plan comes together and to get a complete list of tasks and a checklist to guide you throughout your first 100 days, watch the webinar here.
