How not to use a vCISO
Please allow me a few sentences to introduce and explain the CISO role in the interest of keeping the audience within the fold of the article. I promise to then quickly transition to the message I hope to impart.
A Chief Information Security Officer (CISO) is cut from the same timber as a CEO or CIO; at least it should be. This role is responsible for planning, implementing, and managing the enterprise’s information security program, as well as responding to the cybersecurity threats and incidents that are a part of today’s reality. However, the role has evolved over the years from a strictly defensive posture to one that now includes a measure of prognostication: given a business strategy, the CISO must assemble a cohesive set of programs, plans and technologies to deliver future success… securely. Achieving this is challenging, as no one knows what the future brings. Given this dynamic set of challenges, the CISO plays a critical role, as part of leadership, in managing business risk and success in a cost-effective manner.
A virtual CISO (vCISO) is the same position; however, it’s often an outsourced resource that helps a company tackle the nuances of cybersecurity for the organization. Why outsourced? Many companies struggle to meet the salary demands and/or workload justification to warrant a full-time CISO, so the next best thing is a part-time vCISO, also called a fractional CISO. With a vCISO on board a company gets some cybersecurity expertise at a reasonable price.
This sounds like a win-win, so what are you on about?
The issue is accountability. Or the lack thereof. A vCISO is often treated as an advisor, whose pronouncements can be accepted or disregarded based on internal priorities that may have nothing to do with securing the environment. In these situations, the vCISO is not providing much value outside of checking a box or acting as a sounding board. What’s needed is an environment where the vCISO delivers risk-based cybersecurity expertise that is trusted, actionable and improves the organization’s security posture.
This dilemma stems from the fact that the vCISO is not a company employee and may find it difficult to persuade management to take action on recommendations. Conversely, a bad decision by a vCISO hurts mostly the company. So how does this disconnect get resolved?
The solution to this dilemma mirrors that of the many professions with a similar dynamic, such as doctors, lawyers, architects, and CPAs. Fundamentally, these are issues of trust and deference. Society is accustomed to conferring value on the established professional disciplines and to seeking and acting on their input and direction. Is a vCISO a professional of the same ilk? Perhaps… not yet, but change is coming. Let me count the ways.
- Financial institutions: must comply with the Gramm-Leach-Bliley Act (GLBA) and Federal Financial Institutions Examination Council (FFIEC) guidance, which mandate strict security protocols.
- Healthcare and pharmaceuticals: are bound by the Health Insurance Portability and Accountability Act (HIPAA), which mandates that organizations implement security safeguards and conduct risk assessments to protect patient data.
- Federal, state, and local government agencies: are bound by the Federal Information Security Modernization Act (FISMA), the Federal Risk and Authorization Management Program (FedRAMP) or the Government Risk and Authorization Management Program (GovRAMP), and must undergo and pass annual assessments to remain compliant.
- Department of Defense contractors: are required to be Cybersecurity Maturity Model Certification (CMMC) compliant in order to obtain and maintain defense contracts, or else forfeit the work.
- Education: must comply with the Family Educational Rights and Privacy Act (FERPA) because of the student data these institutions hold.
Each of these five domains requires cybersecurity expertise aligned with its industry. Just as a dermatologist isn’t the same as an ENT, a CISO in the federal space will have a different cybersecurity understanding than one in healthcare, because of their different compliance frameworks. A company hiring a CISO or vCISO is well advised to find someone with experience in its industry. A well-aligned vCISO will garner the important trust factor needed to be effective.
Another point: the CISO or vCISO profession has evolved. It used to be that the ability to remove a virus from a computer made you a cybersecurity expert. Today’s CISO battles external threats, internal threats, ill-informed and uninformed employees, state-sponsored persistent threats, script kiddies, and now artificial intelligence on top of it all. This has led to the creation of the cybersecurity training industry that is responsible for providing cybersecurity certifications:
- (ISC)²: Offers globally recognized certifications, including the senior-level Certified Information Systems Security Professional (CISSP) and the entry-level Certified in Cybersecurity (CC).
- ISACA: A professional organization providing certifications such as the Certified Information Security Manager (CISM) and the Certified Information Systems Auditor (CISA).
- CompTIA: Known for its vendor-neutral certifications, with the Security+ being a widely recognized and recommended entry-level certification.
- EC-Council: Provides the Certified Ethical Hacker (C|EH) certification, a highly respected credential for penetration testing.
- SANS Institute: A leader in practical, enterprise-level cybersecurity training and professional certifications like the GIAC Security Essentials (GSEC).
These are just a few of many certifications. Not included are cloud-specific, network-specific and software-specific certifications. A CISO or vCISO possessing one or more cybersecurity credentials demonstrates that person’s commitment to understanding the nuances of today’s digital landscape and its threats. A company looking to hire a CISO or vCISO would be well served to include cybersecurity certifications as part of its candidate vetting process, along with a bachelor’s degree in computing or a related field.
I return to the question: is a CISO a professional on par with a lawyer? Perhaps still not yet, but it’s heading in a direction where credentials are becoming critical for the position.
Which leads me back to the statement: trust and deference. A company hires a vCISO because the team lacks the expertise in that particular domain. Why wouldn’t leadership trust that individual? Especially if they come with cybersecurity bona fides? And if a topic is raised calling for an expert cybersecurity opinion, why wouldn’t a company defer to the vCISO? After all, that individual is the most knowledgeable on the subject matter.
What about accountability for the vCISO? How does a company ensure that the vCISO has the company’s best interest in mind? This is a harder question to answer, because ultimately managing risk is the CEO’s or owner’s responsibility; it can’t be transferred. The vCISO is a consultant/contractor engagement, so the best tools for accountability are found within the contract agreement. If written well, the vCISO can be held accountable for the provisions stipulated in the engagement. For example:
- Statement of Work – what are the company’s expectations of the vCISO? What role will this individual play with the organization’s leadership and committees? What actionable duties will the vCISO deliver weekly, monthly, quarterly, etc.?
- Liability and Indemnification Clauses – legal statements on how each party, while acting in the best interest of the engagement, protects its financial position when things go wrong. This is a difficult but important agreement that is needed for a productive relationship.
- Confidentiality and NDAs – a staple of today’s business environment. Though the readily exchanged and popular use of this tool raises the question of its effectiveness. Who can recall the terms of one NDA, let alone a dozen or more? At best, it’s a signal of business intent and a conversation starter.
- Termination Clauses – How does a working relationship end; good or bad? Stipulating the reasons for terminating an agreement helps steer both parties away from the rocks on the shore, or clearly exposes a bad working relationship that needs to end.
Finally, it’s difficult to grade or improve something that isn’t measured. As part of the contract agreement, there should be clear markers on what’s expected from the vCISO, to include reports, assessments and meeting participation that occur on a regular basis and, most importantly, align with the organization’s business cycles. Some vCISOs provide a cookie-cutter service that forces a business to alter its operations. While this helps the vCISO keep costs down, it comes at a price for the business’ operations. In the ideal relationship the vCISO learns and understands the organization’s rhythms and idiosyncrasies, which then translates into a business-aligned risk management program. If this level of customized service is unrealistic, then the next best thing is to find a vCISO that specializes in the organization’s industry. In this case, the vCISO will understand regulatory compliance and operational needs on day one, which makes the working relationship a more productive one.
Recapping this article: companies need cybersecurity expertise and should seek professional help, either a full-time employee or a part-time contractor. If a vCISO is selected, then be sure to have a clear roadmap of what that vCISO will do for the business and the deliverables that will be produced on a regular basis. And most important, work on building a trust relationship with that person so that the business can obtain and act on cybersecurity advice or direction with confidence and commitment.
I hope you found this article informative, thought-provoking, or somewhat interesting. I strive to produce content that imparts the most value to those in the IT trenches. I’m happy to hear if you have a different take or additional information that could benefit others.
Best of luck, and feel free to suggest other topics you would like me to address.
Abel Sanchez (abel@staidworks.com) – BankSafeTech Contributor and Moderator