Virtual CISO – Dispelling the Myths!

Virtual CISO – Dispelling the Myths!
22/02/2020 Comments Off on Virtual CISO – Dispelling the Myths! CISO Blog, Security Advisory Blog EditoratLarge

The virtual CISO or virtual Chief Information Security Officer is a relatively new concept and with that comes a few misunderstandings of what the client actually gets (i.e. solid cybersecurity protection for your business). The word “virtual” probably doesn’t do us any favours but let’s look at some of the more common misconceptions about a virtual CISO service and whether it would be a service that might be suitable for your organisation.

We’re too small for CISO level support

It’s true for many small organisations, you may only need limited support when it comes to cybersecurity. It’s also worth understanding your true size when it comes to your offering. How much do you rely on third party suppliers? How much do you rely on the gig-economy to access commoditised services? Did that freelancer on Fiverr do your website for a fraction of the cost of a local developer – what is the reason they are so cheap? Your customers’ data is now in quite a few different organisations (and quite a few countries). It may be on AWS or Azure. It may be in Salesforce, MailChimp or Google Docs. You are possibly using Office365 too. All this still needs securing and you probably don’t have the time because you’re working on delivering your offering and growing your business. So, if you’re not doing due diligence on all this, who is? Do you want all your hard work wiped out by a misconfiguration on your Amazon S3 bucket? No – you need a plan!

A CISO needs to be on-site, in person!

Sometimes it’s just nice to be able to go to someone’s desk and ask them a question. We get that. When you’re concerned about something you have just heard at the last Institute of Director’s breakfast briefing you may just want to get a sense of how vulnerable your organisation may be to the latest hacking technique.

“Could we fall foul to the same ransomware attack that hit Travelex and be out for 6 weeks?”

That’s why virtual CISOs come onsite as often or as little as our clients want. We give our clients direct numbers so they can ring us when they need to. We can also Skype & Webex. Whatever is needed to ensure a solid working relationship – we can even work on your materials from a secure virtual/remote desktop. These days, we’re all working from somewhere else so there is the flexibility to help you from anywhere in the world. Myself, I’ve taken calls from clients up a mountain whilst skiing in the Swiss Alps.

How could a Virtual CISO really understand our business

Every business is unique in certain aspects, culture, technology, intellectual property. It can take an inexperienced security professional a long time to get to grips with exactly what an organisation is doing with their technology. A good Virtual CISO knows that you can’t secure what you don’t know about. We do asset discovery on a regular basis for multiple clients so we know where to look. Whether it’s a cloud-based Human Resources Information System or some web storage someone has set up on a new domain, we will help you find out what is going on in your environment. That critical spreadsheet which is essentially running the whole business…we can help you find it…and then help you secure it.

You’re not going to stay the same size either. You’re going to grow and change. You may be small now but you have your eye on some VC funding that could take your business into the stratosphere. When that happens you will need someone who can help you navigate those challenges and demonstrate to those funders that you have got good corporate governance practices in place. The Virtual CISO is someone who can help you navigate those waters whilst you concentrate on delivering that killer pitch!

I want to talk to the same person

And we get that. That’s why Virtual CISOs typically retain their own set of clients and keep up-to-date with what is happening with their clients’ businesses. Just like regular CISOs, a Virtual CISO is building relationships and having constant conversations. The benefit of a Virtual CISO service is that, whilst you may be interacting with one person, there are other virtual CISOs that can also provide support. Clients get a force multiplication effect.

Virtual CISO just do strategy and policy, we need tactical support

Your one of those organisations who know exactly what you need to do, you want someone to actually fix the issues rather than talk about fixing them. A Virtual CISO is not just about strategy and policy – it’s a much wider service offering. If you need something fixing then we can do that too. You may just need some security consultancy. You may need some very specialist skills or technology. What the virtual CISO can do in these situations is help ensure a client is not going out to the market blind. This procurement support can be one of the most valuable aspects of a great Virtual CISO – they can actually save organisations a tonne of money by separating the useful services from the snake-oil.

I’m already a CISO

Many larger organisations already have an information security team, often headed up by an internal CISO. How would such an organisation benefit from a Virtual CISO service? It can be very tough for an in-house CISO, many face incredible pressure and often suffer from burnout.

“91% of CISOs suffer ‘moderate or high’ levels of stress.”

By employing a virtual CISO in-house CISOs can leverage that extra support to reduce the likelihood of burnout. Sometimes you can rely on your network but other times you want to know you can rely on a cast iron NDA. If you’re non-technical CISO having a Virtual CISO by your side means you can have comfort in those times where you feel less confident about the true nature of highly complex and technical risk. If you’re a highly technical CISO, partnering with a virtual CISO with solid soft skills could be a major advantage when negotiating the politics of the board room.

Anyone can become a Virtual CISO

Sure, anyone can become a Virtual CISO. Just like in any profession, there are good and bad people. What you want is someone who actually understands cybersecurity risk at a strategic level. Be wary of the rebadged management consultant who will simply provide frameworks and cookie-cutter advice. We have had quite a few clients come through to us after feeling they are getting no real value from their virtual CISO. It’s not enough to sound confident, virtual CISOs must be able to demonstrate value. Also, be very cautious of the salesman in virtual CISO clothing. Two minutes after they have landed, they want to introduce you to one vendor after another before they have even spent 5 minutes trying to understand what you actually need. In these cases, get them to provide written confirmation as to how much they are getting from the introduction. Obviously, no virtual CISO is doing the work for free but it’s pretty hard to remain impartial if you’re getting a kickback!

Would a Virtual CISO work for my organisation?

Whatever the size of your organisation, a virtual CISO will make you more secure. It’s a service that covers so, so much! We all have blind spots, we all have strengths and weaknesses. What a great virtual CISO does is fill those gaps and watches your back! If you’d like to know more about Fox Red Risk’s virtual CISO offering get in contact via the website or give us a call.

About Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.

22301:2019 article 25 article 28 awareness bcms breach change management ciso controller cybersecurity data breach data privacy Data Protection data protection by design data protection officer data protection service Data Subject Access Request DPO DSAR GDPR incident management information security leadership management monitoring Outsourced DPO Privacy processor resilience risk risk appetite risk management ROI security security as a service small business strategic strategy Subject Access Request tools training transparency vciso virtual ciso vulnerability scanning

About The Author