March 27, 2020

Last Updated on January 12, 2024

Cybersecurity firms, especially tool vendors, have been called out for “selling fear” and using hype to gain sales traction. One problem with this tactic is that it can backfire.
In a climate already rife with fear, uncertainty and doubt, businesses and individuals can end up paralyzed and unable to act. A pervasive sense can emerge that cybercrime is something inescapable or unmanageable.
Business leaders may feel fatalistic about their company’s security posture and end up taking a “head in the sand” approach, hoping that nothing bad will happen because it hasn’t so far. The end result is that they delay addressing information security risk, even though it is something any business can effectively manage.
On our show, The Virtual CISO Podcast, we dropped an episode, “True Confessions of a Real Virtual CISO,” in which guest Andrew Farkas and host John Verry, both experienced vCISOs, discuss how pervasive this “fingers crossed” mindset can be.
As Andrew puts it, “The biggest issue I see is that inherent fear of not knowing what you actually need to do—where you’re vulnerable, what your problems are. A lot of organizations talk to us and they say, ‘I know I need to do something,’ ‘We had an issue once,’ or ‘We keep getting questions about this,’ or ‘I’m not feeling great about that…’
“There’s a sense that they know they need to adopt something that threads through the organization. But they don’t know where to start or where the things they most prominently need to address are. That’s when [as vCISO] you need to start with, ‘You need to get to know us and we need to get to know you, so we can actually tell you what your objectives are if you don’t already know.’
“A lot of times it starts with a sneaking suspicion that: ‘Things aren’t really great under the hood here, and we need somebody to come in and let us know what the plan should be, what the objectives should be. All we know right now is they need to be something. We’ve been doing little to nothing for too long and getting away with it. And we don’t want that kind of track record to be sullied by something that affects our business,’” Andrew relates.
In other words, with a new client that doesn’t yet have an information security plan or goals, a vCISO’s job often begins with building trust, getting to know the business, and stimulating internal conversation within the company culture about what’s really going on (or not). As people become more at ease with addressing information security, a roadmap for progress can materialize.
Andrew continues, “Once you get somebody to be comfortable… Let them know ‘We’re not auditing you, we’re not going to slap you with fines, we’re not going to call the regulators to tell them you’re noncompliant—we’re here to prevent all that, we’re on your side, we want to operate with you as a partner, as part of your business’… Then they open up, and you learn so much about the organization to take away with you: What it is that they do, what their problems are, what needs to be addressed first.
“Just from a few days of talking to everybody, hopefully taking some good notes and wrapping that up and pointing it back at everyone to have that introspection, that reflection on what you’ve discovered and everybody agrees on it… Then it may be daunting, it may be time-consuming, it may be a long roadmap. But at least everybody can say, ‘Now I know what I need to do,’” shares Andrew.
If you’re considering onboarding a vCISO to help your business make a plan and bring information security under control, contact Pivot Point Security to speak with an expert about our flexible, cost-effective approach.