What is a vCISO and why would you want to hire one? [Q&A]


As the profile of cybersecurity has increased within enterprises, so has the challenge of finding people to fill senior roles and then hanging on to them.

Recent research suggests that CISOs don't stay in the job for more than three years on average. One answer is to use a virtual CISO (vCISO) to advise on current issues and relieve the strain on the in-house team.

We spoke to Lee Buttke, managing director and CISO of AgileBlue, to find out more about the role of the vCISO and how they can help.

BN: Can you describe the vCISO role and the typical situations one might be brought in to address for a client?

LB: A vCISO operates at both the operational and strategic levels, collaborating closely with clients on a daily and weekly basis to understand threats and devise risk mitigation strategies. This involves assessing and addressing alerts originating from various sources and systematically reviewing vulnerability scans, threat reports and threat intelligence they receive. Involvement typically centers around compliance-driven necessities, whether it's achieving SOC2 compliance, or adhering to industry regulations. Building a robust security program is often intertwined with adhering to these regulations, particularly when handling sensitive data. Our clients usually seek assistance due to these regulatory hurdles.

Currently, a significant portion of our vCISO clients primarily engage in day-to-day operational activities, including processing information related to threat intelligence and orchestrating the necessary actions. We predominantly serve clients in high-consequence industries like finance, education and aviation sectors, catering to their unique industry requirements.

BN: Looking at the current cybersecurity landscape, what factors do you see driving this trend or need in the market for vCISO services?

LB: Organizations that encounter security incidents often come to the realization that they require external expertise to navigate the complexity of cybersecurity. Emerging or updated regulations -- particularly in sectors like finance, aviation and education -- are the driving force behind this demand.

For example, in the aviation industry, there exists a specific regulation known as EA-2301 which is tailored to airports and airlines. It encompasses four distinct areas essential for crafting a comprehensive cybersecurity program within this subsection of the industry. Within the education sector, compliance with the Gramm-Leach-Bliley Act (GLBA) is imperative. For example, recent updates released in June of this year mandate educational institutions offering student loans to establish robust cybersecurity programs.

I've also engaged clients regarding cyber insurance. Depending on the insurance carrier, certain minimum cybersecurity standards must be in place to qualify for coverage. Over the past year, we've extensively delved into topics such as MFA, encryption, logging, monitoring and SOC-as-a-service to meet these insurance-driven demands. The majority of our clients have cyber insurance policies; however, their concern lies in whether their claims will be covered when the need arises.

BN: How does a virtual CISO complement an in-house CISO, and what scenarios would make sense to utilize a vCISO?

LB: Our typical engagement does not involve collaborating directly with in-house CISOs; rather, we predominantly partner with CIOs. Our role encompasses delivering high-level advice while also addressing day-to-day operational aspects of cybersecurity. However, in recent months, a unique opportunity emerged when an in-house CISO was departing from a company. In such cases, we step in as an interim vCISO to bridge the gap while the organization deliberates on whether to hire another in-house CISO.

Typically, our approach complements and aligns with the responsibilities of an in-house CIO, ensuring a comprehensive cybersecurity strategy. Our work involves collaborating with numerous organizations each month, allowing us to encounter a wide array of threats and vulnerabilities. This wealth of expertise and experience is then shared across all our clients, providing a significant advantage when engaging a vCISO.

BN: How do you build and maintain relationships with internal teams and stakeholders, given the remote nature of the role? How do you address challenges that may arise from not being physically present?

LB: We place a strong emphasis on maintaining regular standing meetings as a core component of our service. Our approach isn't merely 'call us when you have an issue'; rather, we maintain active involvement in our clients' operations. These meetings serve as a cornerstone for not only establishing a strategic roadmap, but also actively driving its implementation. Building and nurturing relationships is a natural outcome of these consistent weekly and monthly interactions.

In addition to formal meetings, we foster ongoing communication through platforms such as Slack or Teams, where clients can reach out to us on a daily basis. I also make it a point to personally touch base with internal stakeholders. We've found that effective communication and relationship-building transcend physical boundaries. Staying present and engaged is key.

I also make periodic onsite visits to our clients, typically on a quarterly or bi-annual basis. These visits aren't solely for performing tasks; they also serve a social function, which remains important in our current digital age. Such interactions contribute to the human connection and strengthen our relationships with the people we work with.

BN: With the SEC proposing a four business day turnaround for incident reporting, how can boards begin to prepare for this potential requirement? What systems should they begin putting in place to make this possible?

LB: We ensure that our clients possess a well-defined incident response plan, which includes the creation of forms and templates to clearly outline the key elements. These forms and templates detail the individuals involved, the affected systems and data as well as external entities that need to be contacted. It may sound simplistic, but this level of preparation is essential for effective incident response.

Many organizations opt to have a Digital Forensics and Incident Response (DFIR) capability in-house or retain the services of a DFIR company that can manage these aspects on their behalf. Our SOC-as-a-service approach encompasses continuous monitoring of alerts, identification of indicators of compromise (IOCs), and diligent vulnerability scanning and patching, ensuring a proactive stance towards security.
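The answer above describes two concrete preparation steps: an incident record that captures the people involved, the affected systems and data, and the external parties to notify, and a reporting clock measured in business days. The following is an added example, written for this page and not code from AgileBlue or BetaNews, of what that looks like as a small tool: an incident record with a completeness check, plus a deadline calculator that counts four business days forward from a trigger date. The class and function names (`IncidentRecord`, `add_business_days`, `disclosure_deadline`, `filing_blockers`), the four-day window, and the treatment of the trigger date as the day the incident was determined to be reportable are assumptions for illustration; holidays are not known to the standard library, so the caller supplies them.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption: the reporting window is four business days, counted from the
# trigger date (taken here to be the date the incident was determined to be
# reportable), excluding weekends and any holidays the caller supplies.
REPORTING_WINDOW_BUSINESS_DAYS = 4

# The fields the answer above says the template should capture. Each must be
# non-empty before the record is considered ready to file.
REQUIRED_FIELDS = ("responders", "affected_systems", "affected_data", "external_contacts")


@dataclass
class IncidentRecord:
    """Hypothetical incident-response form mirroring the template in the text."""
    incident_id: str
    trigger_date: date                      # date the incident became reportable
    summary: str = ""
    responders: list[str] = field(default_factory=list)        # individuals involved
    affected_systems: list[str] = field(default_factory=list)  # hosts, apps, tenants
    affected_data: list[str] = field(default_factory=list)     # data classes touched
    external_contacts: list[str] = field(default_factory=list) # regulator, insurer, DFIR firm


def add_business_days(start: date, n: int, holidays: frozenset[date] = frozenset()) -> date:
    """Return the date n business days after start (weekends and holidays skipped)."""
    current = start
    remaining = n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:  # Mon..Fri, not a holiday
            remaining -= 1
    return current


def disclosure_deadline(record: IncidentRecord, holidays: frozenset[date] = frozenset()) -> date:
    """Last day on which the filing is still within the reporting window."""
    return add_business_days(record.trigger_date, REPORTING_WINDOW_BUSINESS_DAYS, holidays)


def filing_blockers(record: IncidentRecord) -> list[str]:
    """Names of template fields that are still empty; an empty list means ready to file."""
    return [name for name in REQUIRED_FIELDS if not getattr(record, name)]


def business_days_remaining(record: IncidentRecord, today: date,
                            holidays: frozenset[date] = frozenset()) -> int:
    """Business days left before the deadline; negative once the deadline has passed."""
    deadline = disclosure_deadline(record, holidays)
    step = 1 if today <= deadline else -1
    count = 0
    current = today
    while current != deadline:
        current += timedelta(days=step)
        if current.weekday() < 5 and current not in holidays:
            count += step
    return count


if __name__ == "__main__":
    # Constructed sample: an incident determined reportable on a Wednesday, with
    # the following Thursday marked as a holiday so the skip logic is visible.
    holidays = frozenset({date(2024, 11, 28)})
    record = IncidentRecord(
        incident_id="IR-2024-0042",
        trigger_date=date(2024, 11, 27),
        summary="Credential-stuffing activity against the customer portal",
        responders=["on-call SOC analyst", "CIO", "vCISO"],
        affected_systems=["customer-portal-web", "identity provider"],
        affected_data=[],                         # deliberately left blank
        external_contacts=["cyber insurer", "retained DFIR firm"],
    )
    print("deadline:", disclosure_deadline(record, holidays))
    print("blockers:", filing_blockers(record))
    print("days left:", business_days_remaining(record, date(2024, 11, 29), holidays))
```

The completeness check is the point of the templates the answer describes: a filing that cannot name the affected data is not ready, regardless of how much time is left on the clock. The deadline function deliberately takes holidays as input rather than hard-coding a calendar, so the same code serves clients in different jurisdictions.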

Photo credit: Den Rise / Shutterstock


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.