More and more companies are looking to engage a virtual Chief Information Security Officer (vCISO). The compelling advantages include “more bang for the buck” versus a full-time CISO, shorter time to value given the enormous challenges of filling vCISO positions, and reduced business risk given how quickly many CISOs vacate their jobs.
But our discussions with clients and peers indicate that there’s scant consensus around what exactly a vCISO does. How can you onboard such a critical role if you’re unsure (or maybe a bit unrealistic) about what a vCISO could or should do?
On our show, The Virtual CISO Podcast, we dropped an episode, “True Confessions of a Real Virtual CISO,” featuring guest Andrew Farkas and host John Verry, who are both practicing vCISOs, to dispel this confusion.
“[As vCISO] you need to get down to touch the road once in a while. But you don’t need to be the tires.”
John and Andrew were very concrete and real-world (and also very witty) in their questions and answers. One timely topic they drilled into was how a vCISO specifically functions in a new and/or growing Software-as-a-Service (SaaS) business—a vertical with strong interest in vCISO relationships.
John kicks off the dialog: “Say you’re a SaaS firm and you want to hire a vCISO. You know as a SaaS you could have application security issues, secure development lifecycle issues, network architecture issues, incident response plans, security monitoring, cloud security… Is it reasonable that a vCISO is going to have expertise in all those areas and be able to do all those things?”
Speaking from direct experience, Andrew explains exactly what the expectations and realities should be for a SaaS vCISO: “Yeah, in concept absolutely. I think you do need to understand how everything plugs in and works together (conceptually) so you can understand the vectors through which things can be exploited. You don’t have to know deep configuration. You don’t have to know how to build the product, necessarily—but you have to know where there are things that are insulated, and things that are going to be potentially peeking out into the world or crossing over certain gaps that need to be protected…
“So yes, understanding how your software is built and how it’s plugged into your network and how it works in conjunction with other applications, and how internal and external users and stakeholders are able to access it—you have to know at least from a mapping standpoint how all of that stuff talks to each other, touches each other, plugs into each other, etc.,” notes Andrew.
John reframes Andrew’s insight: “A CISO [needs to] understand the full lifecycle of the data at a 1,000-foot level. Their job is to know enough to know where the issues, risks and challenges are, and then engage the right people at the right time, whether internal or external to the organization.
“For example, you won’t know as a CISO how to securely configure a Kubernetes cluster. But you know enough to know that a Kubernetes cluster has certain risks associated with it, and that you need to get the right resources to address that,” John summarizes.
Andrew quips: “You hire other people to know how it ‘really’ works. [As vCISO] you need to get down to touch the road once in a while. But you don’t need to be the tires.”
If you’re considering onboarding a vCISO and want to know more about your options and how to get the most from the engagement, contact Pivot Point Security.