Summary
What is a Virtual CISO
A virtual CISO is a virtual chief information security officer who:
- identifies and communicates cybersecurity risks to executive staff
- proposes risk mitigation strategies
- aligns security controls with the company’s risk appetite
Unlike a cybersecurity analyst, a virtual CISO is a leadership role typically taken on by larger companies with over 1,000 employees. They help build a risk management program, ensure compliance with cybersecurity frameworks, and manage third-party vendor risks. Their responsibilities include data classification, asset management, incident response, and budgeting. They also establish a governance committee to oversee risk and ensure continuous monitoring and reporting.
Action Items
- [ ] Build a risk management program and framework.
- [ ] Develop security policies and procedures.
- [ ] Perform risk impact analyses.
- [ ] Develop a cybersecurity budget and roadmap.
- [ ] Form a cybersecurity governance committee.
- [ ] Create a third-party vendor risk management program.
Outline
Understanding the Role of a Virtual CISO
- Asher explains that a virtual CISO is a virtual chief information security officer who identifies cybersecurity risks for an organization and makes those risks visible to the executive or risk staff.
- The role of a virtual CISO includes proposing an appropriate risk appetite and risk mitigations to align the company with the proper risk posture.
- Asher differentiates between a virtual CISO and a cybersecurity analyst, noting that small companies often bring in niche cybersecurity professionals before adding management or leadership roles.
- The role of a CISO is described as someone who is in charge and responsible for communicating and identifying risks, recommending risk mitigations, and ensuring the company reaches its appropriate risk tolerance.
Evolving Cybersecurity Roles and Responsibilities
- Asher discusses the evolution of cybersecurity roles as companies grow, from security analysts and engineers to security architects and managers.
- The importance of assigning responsibilities related to cybersecurity programs to the right roles is emphasized, with a focus on technical aptitude and management responsibilities.
- The role of a cybersecurity manager is highlighted, who oversees roles or pillars of the program and communicates risk to the risk committee.
- Asher mentions the involvement of regulatory bodies like the SEC in executive oversight of cybersecurity risks, and the need for companies to assign this role to someone who understands cybersecurity and can communicate with executives.
The Distinction Between Virtual CISO and CISO
- Asher clarifies that a virtual CISO is an expert in cybersecurity who helps communicate risk to executive staff and determine risk objectives and milestones.
- The role of a virtual CISO is to build a roadmap for cybersecurity and provide value to the company, especially for public companies or those with proprietary data.
- Virtual CISOs typically have longer engagements and provide expertise in areas like data classification, asset management, and encryption.
- Asher shares personal experience as a virtual CISO, emphasizing the importance of building a risk management program and ensuring consistent identification of risks and priorities.
Components of a Risk Management Program
- Asher outlines the components of a risk management program, including continuous monitoring, security metrics, and ensuring tools are maintained and configured correctly.
- The importance of classifying alerts, investigations, incidents, and breaches is discussed, along with building a proper policy and procedure set.
- Asher advocates for aligning with existing cybersecurity frameworks and mapping controls to measure maturity and identify gaps consistently over time.
- The role of educating users who handle critical assets and building a comprehensive awareness and training program is highlighted.
Building a Governance Program and Third-Party Vendor Risk Management
- Asher discusses the importance of forming a cybersecurity governance committee to elect business stakeholders and discuss risk on a quarterly basis.
- The committee should include representatives from business operations, finance, legal, IT, and other relevant departments to ensure comprehensive risk management.
- Asher emphasizes the need to document a governance program to avoid forgetting important aspects and to build a third-party vendor risk program.
- The role of classifying vendors by tiers and sharing standards and expectations with them is discussed, along with validating and treating any identified risks.
Conclusion and Q&A
- Asher concludes by summarizing the roles and responsibilities of a virtual CISO, including building a risk management program, continuous monitoring, and budgeting.
- The importance of providing updates to staff, coordinating reporting, and forming a cybersecurity governance committee is reiterated.
- Asher invites questions about virtual CISOs and offers to respond to any unanswered queries, encouraging participants to reach out or leave comments.
Full Article: What is a Virtual CISO
What is a virtual CISO?
At the core, it’s very simple. A virtual CISO is a virtual chief information security officer. That sounds pretty simple, but what is it really? A virtual CISO is someone who identifies cybersecurity risk for an organization, reports that risk and makes it visible to the executive or the risk staff, and proposes an appropriate risk appetite and the risk mitigations that should happen to bring that company in line with the proper risk posture.
Okay, so what’s the difference between a virtual CISO and a cybersecurity analyst?
When companies are small, they’ll typically bring in niche cybersecurity professionals, someone who’s a product specialist or a SME, an engineer, and as that company develops, you add a layer of management or leadership or oversight, and that continues up. What I’ve seen historically is companies don’t bring in a chief information security officer, or even an Information Security Officer (that’s an Information Security Officer without the word chief), until they’ve hit a capacity of at least over 1000 employees, maybe sometimes even closer to 2500. So this role is really the culmination of someone who’s leading the cybersecurity program, probably managing different people and different technologies and bringing it all together, and who is really responsible for communicating and identifying risk and recommending risk mitigations so that the company can reach its appropriate risk tolerance or risk appetite. The word chief really just means someone who’s in charge, someone who’s responsible.
It’s a role. The role is the same without the chief, even if it’s just information security officer. So, at the base of a security program, you might put in a technology, say it’s endpoint detection and response. Well, now we need to assign the responsibilities that go along with implementing, operating, monitoring, updating, maintaining, and managing alerts out of the endpoint detection and response program. So we list out what those responsibilities are, and we assign them to a role. Now, sometimes that role, if it’s big enough, would just be an endpoint detection and response analyst or operator, but if the company’s not big enough and we give all those responsibilities to somebody, then we still have opportunities to give them potentially other responsibilities. As the program gets wider and bigger over time, we need to make sure that all those responsibilities related to this huge umbrella of cybersecurity are assigned to the right roles. So we see at the bottom, not bottom as in less important, but bottom as far as technical, a high technical aptitude in this level of security analysts or security engineers. Then maybe a layer above that, once the company gets big enough, you have security architects, people who are ensuring that the products have enough resources to do the things they’re responsible for, that they’re fast enough, that they’re reporting in the right way, that they’re tied into all the other systems, and that they’re configured according to industry best practice or the way that the vendor says. And then you might have a cybersecurity manager or somebody who oversees roles or pillars of that program. And then finally, we have to take that and permeate that information up to the risk committee.
Companies have different ways of identifying risk. We also see regulatory bodies starting to get involved in this process. Within public companies, there is an organization called the SEC, or Securities and Exchange Commission, that’s actually saying there needs to be executive oversight on cybersecurity risks. So who at the company, or what group of people, is going to listen to what the cybersecurity risks are and decide whether those risks are appropriate or not? We need to volunteer somebody. We need to assign this role of communicating risk to the Risk Committee, and that’s someone who understands cybersecurity and someone who’s able to communicate with executives. And I think right there is the key to what makes a virtual CISO different. Because let me tell you, communicating at an executive level is a whole different, unique set of skills, and you need people who came up in cybersecurity.
Look, I came up in cybersecurity in a closet. You know, I remember the sounds and the hums of servers in a server room, and the coldness; if I was sitting in there long enough it would get into my bones. That type of person does not normally communicate with executives, and it takes a lot of progress, a lot of practice, some training, and maybe even a little criticism, healthy criticism, to get there. Now we know what a CISO is: someone who communicates risk to the executives or the risk committee.
What is a virtual CISO?
A virtual CISO is someone who is basically fractional or augmented staff. This person is an expert in cybersecurity and can help communicate risk to executive staff and determine risk objectives and milestones, and help determine what the company risk appetite is.
So we’re really talking about: where are we going with cybersecurity, where are we at, and how do we get there? How do we build that roadmap? But they’re not a part of the full-time staff. Now, remember when I said before that I don’t usually see companies hiring a full-time CISO until they’re at least over 1000 employees, sometimes closer to 2500. So what do we do in the meantime, especially for a public company, or a company that has a lot of proprietary data or classified data and that really does care about its program? They want to build a cybersecurity program, they want to do due diligence, and they want to do what’s appropriate for them at that phase of the company. But they don’t have anyone like that, and that’s where a virtual CISO comes in. It’s an expert that can augment the staff. Relationships with virtual CISOs can be short, but typically they are a longer engagement, as long as that virtual CISO is providing value to that company. In that relationship, the virtual CISO again permeates risk, identifies risk, builds a data classification program, helps find out where that data is stored, labels those assets as part of the asset management program, identifies critical assets (crown jewels), and makes sure that the methods that data and information travel over are encrypted or protected properly. They talk about mobile devices, the applications we use, and the cloud resources that we have.
I am a virtual CISO, so I’ve got quite a bit of experience in this area. Building a risk management program is something that I typically do. What do I mean by risk management program? Instead of just going and trying to do security, actually defining:
- What is our formula for identifying risk?
- How do we do that consistently, and how do we ensure the right priorities are identified?
That process of thinking, or discipline, is what I call the risk management program, and creating a document around it so we can do it consistently and provide visibility on how we do continuous monitoring:
- What are we watching for?
- What should we be watching for?
- What do we need visibility around?
- How do we collect security metrics?
- How do we ensure the tools that we invested in are actually doing the things that we originally wanted them to do?
- How do we know that they’re maintained?
- How do we know they’re configured?
- How do we know that we don’t miss an alert? How do we classify the difference between an alert, an investigation, an incident, and the B word, breach? How do we build a proper policy and procedure set?
I believe in policies. I believe in documentation. I also believe that someone who’s good at it can do it with brevity.
- How do we make these short and digestible and understandable so people can be educated and actually take action on them?
- How do we align with a cybersecurity framework, instead of just coming up with our own good idea on how to organize all of this cybersecurity stuff, because it’s a mile wide and a mile deep?
- Is there already an existing cybersecurity framework that’s appropriate for our industry or our business size, and how do we map our controls to that framework and then use that framework to measure our maturity and our gaps consistently over time?
- How do we identify crown jewels?
- How do we educate users who are dealing with those crown jewels on how to treat them properly? How do we put out a proper awareness and training program?
- How do we perform a risk impact analysis?
- How do we detail our risk remediation plans?
- How do we build a roadmap that includes technology, process and people to successfully achieve those outcomes we’re looking for?
- And within that, how do we budget appropriately?
- What is our budget? Can we expect a budget increase, and how do we balance the priority of this risk reduction with the financial responsibilities that we have?
- How do we provide updates to staff?
- How do we coordinate reporting?
- Who does that reporting go to?
- What do they want to see, what do we want to communicate?
- Forming a cybersecurity Governance Committee is really a great idea. Here we elect business stakeholders from across the business. Typically, what I see (I work with biotech, life science and pharma) is bringing in people from the business: operations, finance, legal, IT. And we talk about risk on a quarterly basis, not just cybersecurity risk, but what’s changing with the business.
- What new vendors are we introducing?
- What new processes are we changing?
- How do we process invoices and payment changes, and are they in line with how we want to apply cybersecurity to them?
- How do we build a governance program so that we don’t forget anything? I see this a lot, that we focus really hard on maturing cybersecurity, and as we do this with limited resources, things fall out of the back of the truck and then get forgotten about.
- How do we document a governance program?
- And one of the other things is, how do we build a third-party vendor risk program? Third-party vendors introduce a lot of risk to our company.
- How do we classify them by tiers?
- What are we concerned about with those vendors: reputation, finance, integrity, availability, confidentiality? How do we share those standards and expectations with them?
- And how do we validate that there is no risk, and if there are risks, how do we treat that risk?
Again, that goes back to that separate cybersecurity governance committee.
So those are some of the things that I see a virtual CISO do. Those are some of the things that I do, and those are some of the roles of what a virtual CISO is and what a virtual CISO does. So I hope that’s been helpful.
If you have questions that maybe I didn’t answer about virtual CISOs, go ahead and reach out or put them in the comments below, and I’ll be sure to respond.