Ask the Right Questions When Interviewing a vCISO
Districts that choose to hire a vCISO will find themselves evaluating a range of service providers and should ask these critical questions as they walk through the process:
- How many other clients will the vCISO serve, and what percentage of their time should you expect to receive?
- How will the service work when the district experiences a cybersecurity emergency?
- What type of services are included in the vCISO scope, and what would prompt the service to bring in additional resources?
- If additional resources are required, are they available at negotiated rates? Is it possible to use some vCISO hours to cover other subject matter experts?
The vCISO relationship isn’t just between the district and the service provider — the individual chosen for the vCISO role must also work well with district leaders and staff. Administrators should insist on interviewing candidates to ensure a good fit and consider asking some of the following questions:
- What experience do you have in cybersecurity?
- What experience do you have working with — and within — school districts?
- How well will you handle communication with different stakeholders, including senior administrators, school board members, teachers, parents, the media and law enforcement?
- What are your thoughts about creating a secure operating environment where open access to educational resources is idealized?
- What is your familiarity with the district’s cloud and on-premises technologies?
It’s important to remember that, just like employee relationships, vCISO relationships will also come to an end. Be sure to discuss the terms of any changes in advance. Districts should understand the conditions under which the provider will change the individual assigned to the account, the procedure for changing personnel at the district’s request, and the selection process when a new candidate must be identified.
Set Reasonable Timeline Expectations for vCISOs
After hiring a virtual CISO, district administrators should set reasonable expectations for that individual’s performance. Realistically speaking, the vCISO is not going to come in and solve all of the district’s cybersecurity woes on day one. The engagement should begin with a cybersecurity program assessment that evaluates the current state of the program, compares that with the desired state and identifies any gaps that require remediation. The vCISO and district leadership may then work together to prioritize filling those gaps and develop an action plan for advancing the state of the district’s cybersecurity program.
While districts shouldn’t expect an immediate answer to all of their problems, they should expect that the vCISO will meet clearly defined and agreed-upon performance standards. It’s reasonable to outline a set of goals for each month, quarter and year, and then evaluate the vCISO’s performance against those goals on a regular basis. While the vCISO isn’t technically an employee of the district, he or she should still receive regular performance evaluations to ensure that the district realizes a return on its investment.
Outsourcing cybersecurity operations and leadership can help school districts punch above their weight class. Districts gain access to talent that they would not otherwise be able to afford by sharing access to a senior cybersecurity leader. They also benefit by continuing to develop a relationship with a cybersecurity services provider that may bring other resources to the table.