Last Updated on March 23, 2020
The idea of a virtual Chief Information Security Officer (vCISO) is gaining traction for a number of reasons; mainly affordability, shorter time to value and reduced business risk. But from our conversations with clients, and from what we see online, it’s clear that there’s considerable confusion around what exactly a vCISO does.
Our podcast episode with guest Andrew Farkas, “True Confessions of a Real Virtual CISO,” sheds abundant light on this often murky issue. These two experts, both experienced vCISOs, get to the core of what actually happens when a vCISO shows up on the doorstep of your business and addresses its information security challenges to accomplish the agreed goals.
Among the most surprising and valuable insights that Andrew and John reveal is the “business versus technical” balancing act that vCISOs must perform. On one level they’re part of the C-suite (if only in name). But do they need to be ready to do log analysis, too?
John asks Andrew point-blank: Is vCISO a business level role or a highly technical information security bits-and-bytes role?
Andrew replies: “If you were in a technology company like a software-as-a-service or platform-as-a-service company, [the vCISO role] would be more technical in nature, focusing on your process around building things, testing things, releasing things, maintaining things… A vCISO at a university would focus much more around behavioral and people aspects of information security…”
John: “So there’s a fundamental difference between business information security and technical information security?”
Andrew: “… It has to be both. If you have technical components that are processing information that is worth protecting, it has to be technical. If you have people or processes that are using said information in a more administrative way… then you have to truly understand the business.
“I’ve seen CIOs that are basically CTOs. I’ve seen CIOs that are basically COOs. And I feel like the hardest thing for a CISO … is they have to know everything about operations, everything about technology and as much about the front-office business as possible.”
Here’s a really compelling nugget of vCISO insight from Andrew: “They need to know more than any other individual ‘C’ position in order to protect all aspects that fall under all other ‘C’ positions.”
John then echoes a common misconception about vCISOs:
“Part of the problem I see when I’m chatting with people about the vCISO role is they think of a vCISO as somebody who can do every information security job—they’re going to hire one vCISO and they’ll be doing ‘everything.’”
Andrew expounds: “When you first get involved with an organization that has no information security footprint, you do have to be an architect, an engineer and an analyst—and be able to talk to senior management at a governance level when it comes to headcount and budget and making sure that you’re providing a holistic solution for a company.
“With size and maturity you see more things like, OK I need an architect who can double as more of a senior management level… but then I need engineers and analysts to know how to maintain all the solutions and processes I put in place and to be investigating all of the day-to-day events and issues and precursors for new things you need to protect.”
So is a vCISO a business role or a technical role? Sounds like it’s always both, and the balance point shifts with the specific organizational context. Companies looking to bring on a vCISO would do well to consider in advance where that business/technical balance is likely to fall for them.
Want to talk over the vCISO role and how that might look for your organization? Contact Pivot Point Security to connect with a Virtual Security Team member and get some exact answers.