Last Updated on March 11, 2023
Trust, but verify.
These famous words of Ronald Reagan, who, incidentally, would make a fantastic CISO, are also the simplest explanation of what it’s like to work as a virtual CISO.
If step one is building trust and relationship with clients, step two is being let in to see all the inner workings and operations to make informed and strategic decisions.
I recently interviewed our very own Andrew Farkas, Virtual CISO at Pivot Point Security, about his experience as a virtual CISO and why the need exists for such a role.
A loose definition of vCISO
Trying to define just what a vCISO is?
So are we!
Well, that is to say, it’s a fluid definition, which is actually a good thing for companies who need a CISO to not just be informed and proactive, but also adaptive to the business and the industry.
“Trying to capture exactly what a CISO would do, it’s just a matter of the dynamic relationship between the breadth of the service, the depth of the service, and the frequency of the service,” says Andrew.
A CISO, in concept, it’s somebody who has to develop strategy, budget, personnel, and help reach infosec goals, but all of that means different things to different organizations and sectors.
“The hardest thing for a CISO to know, before they get started, is they have to know everything about operations, everything about technology, and as much about the front office business as possible.”
Sourcing a vCISO that’s right for you
The first rule of finding a great vCISO for your company is to remember that this role spans every aspect of the business, but please don’t expect your CISO to be all-knowing.
“Organizations typically already have the answers they need. They need someone to help them talk to each other.”
They don’t need to know how to build your product, but they should know where there are crossovers and gaps that need to be protected as well as understand how your software is built and accessed.
“You have to, in concept, know how everything plugs in and works together so you can understand the vectors in which things can be exploited,” says Andrew.
Hire other people who know the deep configurations and trust your vCISO enough to bring them in on every level so they can do a comprehensive job.
A great CISO should be able to advise on governance, implementations, and maintenance/assessments, and be given space to hire great people who know how to roll out each of those.
You’re not hiring them to audit you, fine you or call you out on regulations—you’re hiring one to prevent those things and to operate as your partner.
Leveraging a vCISO and drawing a plan
To be clear: hiring a vCISO won’t solve all your problems, but they will help you create a plan to tackle them.
The more perspective your vCISO can get in on the nuts and bolts and the more they can understand what the business does, the easier they can identify inconsistencies and vulnerabilities.
Let them take a daunting, time consuming, and long road map, and compartmentalize it all into bite sized chunks you can craft a plan around together. And give them space to do it!
Every company has it’s unique risks, gaps, locations, etc. so you can expect your vCISO to help you cover these three areas, specific to your company and your needs:
- Scope – what needs protecting
- Risk – what we’re protecting against
- Gap – what needs to get done
This post is based on a small portion of an episode of The Virtual CISO Podcast, featuring Andrew Farkas. To hear this episode in its entirety, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
ISO 27001 Recipe & Ingredients for Certification eBrief Discover what you need to achieve ISO 27001 certification! This eBrief will give you a quick and easily digestible introduction to the ISO 27001 standard and the process of becoming ISO 27001 certified.