All companies benefit from the presence of a CISO. But not all companies can justify the cost of a full time head of security. One option is for another position within the company to include the security role. However, an increasingly popular solution is to employ a part-time virtual CISO (vCISO), combining reduced overheads with access to a dedicated cybersecurity expert.
Today, CISO Conversations examines the role of the vCISO in conversation with Chris Bedel and Greg Schaffer.
For Chris Bedel, the journey started around 2013. He was CISO at a community bank and undergoing an audit. The auditor commented, “We audit a lot of small financial institutions, and it would be good if they had this degree of professionalism for even just one day a week.”
Bedel was curious and asked what he meant – and the auditor introduced the concept of the vCISO. “It’s gaining traction,” he said. “I think it’s the future for community banking and small businesses. Security is getting harder, and it won’t go away – but the cost of a CISO is prohibitive for small companies.”
That was the spark for Bedel. He spent a couple of years talking to people and discussing the concept, and heard arguments both for and against; but by 2015 he decided to take the plunge. “And it’s just grown from there,” he said.
Greg Schaffer started a little later, around 2016. At that time, he was CISO for a bank in Nashville, Tennessee. Smaller financial institutions are the breeding ground for vCISOs – they cannot necessarily justify the cost or provide the work for a full-time CISO; but nor can they share the function with other roles because of the need for a separation of duties.
Schaffer had been doing separate consulting before he began to consider being a vCISO. On the one hand he was attracted by the idea of helping multiple small to mid-size businesses, while on the other hand he was comfortable with the regular paycheck of regular employment. It became a matter of personal risk management in discussions with his wife. What could happen if I didn’t work out?
But in 2017, he took the plunge. He cold-called several MSSPs (who were and are the primary suppliers of vCISOs) and asked if they had anything available. They had. He left the bank and became a full-time part-time CISO – a vCISO.
Alone or part of a group
Both Bedel and Schaffer are now running their own vCISO organizations, providing vCISOs to other companies. One question is whether vCISOs can operate independently and alone, or whether they need to be part of an umbrella group such as an MSSP or a vCISO company. Both say working alone is possible, but more difficult and with greater risk.
On one hand, working alone means you receive 100% of the fee. Any organizing company needs to withhold a portion to cover the company’s own overheads. But on the other hand, as part of a group there is less likelihood of being caught ‘between projects’, or of spending periods of time looking for the next client or marketing your services. You work for slightly less, but more consistently.
Bedel points to another advantage of being part of a group. “We’re now a team of ten. Every time we add a new person to the team, we increase our expertise and strengthen our service. If I’m in a meeting with a client and a topic comes up where I’m not an expert, I can say, ‘Let’s set up a meeting with my colleague, who’s an expert in this’.”
And then there are the soft skills. “Some are very detail and task oriented, and others are very strong in business communication. But we’re not just matching the vCISO – we do a team approach where we’ll also have a risk analyst as part of the team. So, the matching is also which vCISO would work best with which risk analyst – because one of the things we try to do is to continuously mentor each other.”
Schaffer agrees that having multiple resources can provide a better service to the client. “I’ve been going through that exercise this morning about looking at the resources available and doing a puzzle match based on strengths and weaknesses. Some vCISOs are more focused on healthcare, some are more focused on finance, and others are more experienced in federal government requirements.”
In terms of earning power, Schaffer believes that the vCISO will probably earn more on an hourly basis, but would likely max out at around 30 hours per week. There’s more to being a vCISO than simply being on the clock. “You must maintain your competency and your currency. You must do courses and maintain professional status in your own time.”
Reporting within the client
The reporting hierarchy is a contentious issue for most CISOs. “We have clients where we report directly to the CEO,” comments Bedel, “but that’s mostly for the very small clients. The CFO, COO or CRO is more common. But what we like is to be an equal peer with the CIO or CTO, so we are not left out of the IT functions.”
Schaffer notes that it is usually the CIO or CTO that reaches out in the first place to make contact. “I’m not necessarily against the vCISO or the full time CISO reporting to the CIO, provided the relationship is managed appropriately. It’s just a matter of managing to the risk, not to the org chart.”
This raises a question: what if this cannot be achieved because of philosophical differences with the CIO, or old-fashioned personal prejudices?
“It’s never happened,” said Schaffer. “I’ve only had one client where I’ve had to terminate the relationship, and that was through scope creep. But if it got to the point where I didn’t think we were being effective because of the reporting structure, and there was no obvious solution, I would say: ‘We’re here to build a security program and if you can’t integrate that into your structure, it goes against our core principles. We can no longer work for you.’”
This is another advantage for the vCISO approach – you can walk away from an impossible situation without walking away from your entire income.
Understanding the client’s business
It’s worth noting that most of the work as a vCISO is performed offsite, as a remote vCISO. “I like to say we were remote before remote became cool,” said Schaffer. “We’re 99% remote. We will go on site if it is advantageous to the client, but we have clients where we’ve never been on site. We’ll go onsite to lead quarterly security steering committee meetings, and I like to visit on an annual basis to maintain a relationship with senior executives and perhaps the board – but otherwise, it’s all remote.”
Bedel has an identical view: it’s almost entirely remote. At one level, it’s necessary because both the clients and the vCISOs are dispersed across the country. But Bedel adds, “We will go onsite early to establish relationships. It’s necessary, because much of the work is based on relationships, and if the client doesn’t trust you, you can’t get anything done.”
This raises another question. CISOs are urged to be businessmen with a deep understanding of the business itself. How can you do this as a vCISO while working remotely?
For Bedel, the solution is twofold. He looks for long-term contracts, and avoids tactical fill-ins. “The shortest contract we offer,” he said, “is for twelve months. We’ve signed deals for three years, and we have clients we’ve worked with for the full seven years of our existence.” In such circumstances, the vCISO may be remote, but is effectively a full-time vCISO – and business understanding and relationships can grow organically.
The second solution is a limitation on clients. “We work strictly in the financial institution space,” he said. “That helps us because we know the business before we even go into it and start meeting people. Before we even start, we understand how the business works.”
Schaffer is forced into a different approach since he accepts new clients from a wider range of verticals, and recognizes that some of the vCISOs on his team don’t automatically understand the business concerned. “That’s where I come in as a mentor,” he said. “I understand business and I can talk business, and I know what to ask. Some of our vCISOs and some of our analysts are better than others – but it’s my job to mentor them all to become better at business communication and know what to ask.”
He takes it on himself to make sure that the client has an effective communication methodology from the outset. And he takes it on himself to mentor the vCISOs on the soft skills of engagement. “We need the client to feel that we’re a team member working to lower the company’s information security risk.”
Schaffer also seeks a minimum contract of 12 months, “because we need that time to learn the business.” The client’s organizational chart is a good starting point, along with any penetration tests, vulnerability assessments and business continuity tests that have been recently performed.
“We’ll have a weekly meeting with the client to discuss where we’re at, where we’re going, what they need – and take care of any technical items that come up such as vendor risk assessments. More importantly, this allows us to diagram out their data flows, to determine the information inventory and to do a gap analysis against a relevant framework – usually NIST. From doing a gap analysis, we then discover more of the business – and typically, we don’t really start to have a good feel of a client’s environment until about three months in. By that point, we start to understand the business more, the flows more, who the players are, and where the pain points are.”
Bedel offers the following advice for the would-be vCISO. “What do you already understand?” he asks. “Is it auto dealerships, or do you understand insurance or software companies? Go and do that and be very good at that one thing so that you don’t have to learn the business when you first start. You may need to learn some of the quirks of the client, but you already know the bigger picture.”
When the work begins, he says the ability to overcome prejudices – both your own and those that come from the client – is essential. “You’re sat in a meeting with staff from the client, and the guy sat opposite is sitting with crossed arms. You know he’s thinking, ‘Why the hell should I listen to this guy?’ I’d be doing the same thing in his shoes. But you can’t react. Somehow you must get this guy to understand, ‘I’m here to help. We’re going to fix the things we can fix together, and I promise I’m going to show you this.’ These aren’t easy conversations, but they’re vital.”
Schaffer offers two separate areas of advice; the first comes from his own experience. “One of the most important certifications that I’ve gained in the security space over my career has nothing to do with security – it’s the work I did at Toastmasters. It’s not just because it helps me to be a better speaker, it helps me to be a better listener.” He believes the ability to listen is vital. “If you can’t listen, you won’t understand the business needs of the company.”
The second is more traditional. “There’s an ego trap in cybersecurity,” he comments. “It’s easy to measure success in terms of salary or notoriety. But that’s false – work with the heart of a servant and you’ll always be successful. That’s because you’re measuring your success, not on what you’re receiving, but what you’re giving.”
The final question we always ask the CISOs in these Conversations concerns the most likely or worrying threats, now or coming. For Bedel it’s the supply chain. “That’s where it will most likely happen,” he said. “Just think of SolarWinds and Kaseya. Why go break into one company when you can get hundreds or thousands all in a one-on-one shot. That’s where the threat is.”
For Schaffer, it’s closer to home. “In my opinion,” he said, “it’s always going to be the human element. You can ignore all the different threats du jour – the ransomware, the attacks, the credential theft and stuffing – we’re still going to get exploited. It’s not a solvable problem, and that’s why cybersecurity is really risk management. It’s how we mitigate the information risk and the people risk. That will never go away, because we’re only human.”