To be [a vCISO], or not to be [a vCISO], that is the question:
Whether ’tis nobler in the mind to suffer
The slings and arrows of outrageous fortune,
Or to take Arms against a Sea of troubles…
–Hamlet, Act 3, Scene 1
Chief Information Security Officers know all about the “Sea of troubles,” and they experience “slings and arrows” daily. In mid-September, we saw a breach of Uber that threatened to undo the company’s security program by exposing a fairly easy path to super admin privileges across most (if not all) of its infrastructure and security tools, including GSuite, AWS, and HackerOne private vulnerability reports.
The stakes are high.
Large organizations can afford to seek and retain the talents and attention of seasoned information security professionals and to lead their efforts to mitigate risk and eliminate vulnerabilities with a CISO. However, not all organizations are large enough or mature enough to be able to justify the allocation of a full-time resource for this role. Enter the concept of the fractional CISO or vCISO.
A vCISO is (in many but not all cases) an expert retained by an organization to pay attention to strategic planning and execution of security and compliance programs. The experienced vCISO provides years of cybersecurity experience gained from working in various organizations and industries throughout their career. This flavor of vCISO is often a “been there, done that” kind of talent who has solved pretty much any problem or challenge a company might face ten ways until Tuesday.
Fractional CISOs are an increasingly attractive means to solve several problems, not the least of which is that there are not enough seasoned and talented CISOs to go around. According to research by Anthony Johnson’s company Delve Risk, there were 189 open CISO roles in the Fortune 1000 in August. Some of these positions have been open for more than 4-6 months. What’s going on there? Maybe vCISOs are a thing not just for smaller enterprises and startups.
Additionally, there are many talented infosec professionals out there who would love to break into the C-Suite and land their first CISO position. This is the other challenge that vCISO roles help to address: you cannot get the title until you have the title. So, in addition to experienced vCISOs being able to spread their knowledge and skill across multiple organizations as advisors and part-time staff, vCISO communities are springing up on Slack (I’ve joined two recently). These communities of professionals and aspiring infosec professionals are providing targeted and industry-specific guidance and mentoring to the “young guns” we want to see given those first opportunities. Fresh talent with boundless enthusiasm will get the chance to build an infosec program from scratch for a startup, or build programs for mid-sized companies that have 200+ headcount and really ought to be preparing a technology roadmap and security program to mature their security posture. These vCISOs can, with the help of their network of experienced vCISOs, work with organizations to take the important steps needed to implement best practices with regard to avoiding cyber attacks and other disruptions to business operations.
Two Kinds of CISOs
I’ve been fond of repeating a bit of wisdom that I picked up at a small boutique infosec conference here in New York City a few years ago:
There are two kinds of CISOs:
- pre-breach CISOs, and
- post-breach CISOs.
The pre-breach CISOs are often overly concerned with and focused on tools: buying commercial, off-the-shelf software to mitigate risk and keep bad things from happening. The post-breach CISOs know that tools are all well and good, but that it’s people and processes that matter far more when an incident occurs. “All hands on deck” is more of a liability during an investigation of a security event than a source of help. Well-intentioned developers or SREs might actually be destroying forensic evidence in their efforts to help eject the bad actor from the platform. Most DFIR first responders know that they need to tread carefully and adhere to the digital equivalent of the Hippocratic Oath: do no harm.
So it’s really a balance of people, process and tools that all organizations need to seek. The balance of these elements at a multi-billion AUM hedge fund is not identical to that of a century-old copyright royalty organization. And it’s also not the same for a unicorn startup that provides fantastically powerful insights into internet-facing vulnerabilities (SecurityScorecard, in case you could not guess this company’s name).
Just as our collective resilience to cyber attacks is aided by knowledge and threat intelligence sharing, so too is our collective governance aided by bringing together CISOs of all shapes and sizes and helping each other fight against the attacks on our identities, our organizations, and our digital economy.
How SecurityScorecard supports CISOs
SecurityScorecard offers several products and services that directly support CISOs and their objectives:
Business leaders need timely, accurate information to make informed decisions. SecurityScorecard’s meaningful insights help CISOs show executives and boards how security initiatives are progressing, so they can determine where further attention or investment is needed.
CISOs play a key role in monitoring and leading incident response activities in their organizations. SecurityScorecard’s professional services enable you to take immediate action toward remediating incidents and mitigating risk.
Attack Surface Intelligence (ASI)
CISOs need constant insight into current threats. SecurityScorecard’s Attack Surface Intelligence (ASI) detects more unknown unknowns, including those of your business ecosystem (aka third-party vendors) and how they pose a risk to your business, arming you with deep contextual insights and attribution to prioritize your next steps, all in one platform.
SecurityScorecard is the global leader in cybersecurity ratings and the only service with millions of organizations continuously rated. Thousands of organizations leverage our patented rating technology for self-monitoring, third-party risk management, board reporting, and cyber insurance underwriting. But we don’t stop there. Through a customer-centric, solution-based commitment to our partners, we are transforming the digital landscape, building a path toward resilience.