I met my first security questionnaire in 2012. I thought it was a lawyer’s problem. Oh, how wrong I was.
When George and I started pitching ClearOPS in 2019, we were met with blank stares or skeptical faces. I tried everything, even a scrolling security questionnaire in the pitch. No one really got it.
Except for those who did. You know the ones. The people who when you say the word “security questionnaire” shudder and start to get angry. Those were the people who kept us going.
Turns out, a lot of those people are called virtual Chief Information Security Officers, or vCISOs for short. One vCISO in particular, Cosant, read our blog post called “The Cost of Security Theater” and reached out to me. Based on that conversation, I started to reach out to more and more vCISOs. All of them were being asked to fill out security questionnaires by their clients and were seeing little to no ROI on them. That got us thinking.
However, most of the vCISOs we met were not ready to convert into customers. It wasn’t until we recently re-launched that I found out why. Security questionnaires are not consistent work. It is hard to justify spending money on a platform when you don’t know if you are going to use it. Plus, a bunch of “SOC2 in two weeks” companies were pushing the idea that a SOC2 would somehow, miraculously, eliminate the flow of security questionnaires to their customers. It does not.
Based on some advice I received, we formed the Security Expert Marketplace and inadvertently pivoted our business model into a marketplace. As part of the marketing strategy, we featured vCISOs in webinars where they could talk about hot topics. It was so much fun.
Because it was successful and, yet, we did not want to be in the marketplace business, we tried to figure out how to combine the Security Expert Marketplace with our existing software. Based on the feedback we had received up until that point, we knew our software needed tailoring. But, as you can imagine, vCISOs are busy. They did not have time to give us feedback on our software, let alone bring us into their day-to-day. So, we decided to take on a couple of clients ourselves. What better way to know what your customers need than to experience it yourself?
While I would never call myself a vCISO, one lawyer and another former CISO make a pretty good team for this work.
Here is what we discovered:
- We decided to use the UpWork platform. Wow, is the competition fierce and the pay is peanuts. Most companies want to pay $30-$50 an hour for vCISO work. That is so far below market it is laughable. Even at the top end of the range, that is $96k per year for full-time. The average CISO makes $463,000 per year. If you are starting out, you can find your breakthrough clients there, but I don’t recommend it long term.
- Security questionnaires are everywhere and the impetus behind everything, but are also abused. One company wanted us to guarantee that all the answers we helped them draft would give them a 100% score. Yikes (we declined that work). Plus, no one wanted to build their answer database with a past questionnaire because they wanted it to have the good answers we were going to implement for them.
- Most vCISOs start with a gap assessment, which sounds logical, but more often than not, it is not the starting point. Every single job we took, we were supposed to do a gap assessment first. And yet, for every single job, the first task was policies. Even if you are helping a company with Drata, Vanta, Secureframe, Tugboat Logic, etc., they need you to customize policies. Clearly, the starting point is policies, because clients need policies to respond to customer security questionnaires.
- Doing a gap assessment is very, very hard because of the coordination amongst the internal stakeholders. The first hard problem is finding the person who can tell you what the current security posture is. It’s an extremely large hurdle!
- Implementing a plan to improve security is as hard as, if not harder than, the gap assessment. If you struggled to find someone internally to help you measure the gaps, it is equally hard to find someone to implement the changes.
- SOC2 is the latest craze. Seriously, everyone wants a SOC2 and no one has any idea how to get there. They don’t realize it is as complex and time consuming as a financial audit.
Implementing security is still a people and processes problem. Cybersecurity Ventures predicts that there will be 3.5 million cybersecurity jobs unfilled by 2025. In order for vCISOs to meet this demand by taking on more than one client, they need software that helps them scale.
Not software that replaces them.
That’s where ClearOPS comes in. We adjusted our software to address that repeatable, manual vCISO work that can be automated, like security questionnaires, collaborating on gap assessments, tracking implementation plans, automating security posture with sophisticated scanning and generating reports on vendors. Ideally, an all-in-one tool that supports a vCISO with multiple clients, keeping the client’s data segregated, but enabling the vCISO to access each client’s data without a separate email address for each.
That’s what we did and that is what we will continue to do. ClearOPS is laser focused on solving the scaling problem for vCISOs. Because if they can scale, then we have a fighting chance against the bad guys, which is a win-win situation.
You’re the best,