November 2018 - Fractional CISO

After twentyish years working for someone else, I quit my corporate job and started a cybersecurity consulting company. While it seemed risky at the time, now I can’t imagine doing anything else.

When I first quit, I got questions like, “You have clients lined up, right?” and “What are you really doing?” The answers, “no” and “starting a cybersecurity consulting company” did not seem to placate most folks.

That first month was a little nerve racking. Then I developed some leads which turned into two clients less than three months into the new venture. Soon enough I was actually doing client work; helping to protect my clients’ organizations.

The variety of work and clients has been interesting. I have served as a virtual/interim CISO, assisted companies in getting ready for audits, performed risk assessments, created cybersecurity plans, cybersecurity strategies, crafted policies and procedures, assisted in vulnerability assessments and helped with product security strategy. When I started I never imagined that I would be able to help so many organizations and in such different ways.

As a year mark approached, I was inundated with project work. I decided to make our first hire. I found a great candidate from a top computer science grad school. She has made a terrific contribution to the team and our clients.

We rented an office in a co-working space and we had our corporate headquarters. We were a real company!

Our office is in Newton, Massachusetts at the Riverside T-stop. Here is a picture of our building.

Why a virtual CISO

I originally started out knowing that the cybersecurity guidance I was providing my past couple of companies could be broadly applied to many organizations. Now I have come to believe that every mid-sized company will have a full or part-time CISO within the next ten years. The security and regulatory environment changes mean that every company needs cybersecurity expertise to build a cybersecurity program and set strategy.

You may not have come to this conclusion, yet. That’s okay; all our clients haven’t either. We also offer a la carte services to organizations to help them with gap assessments, risk assessments, cybersecurity plans, and other services to put the organization on the right track for solving their cybersecurity challenges.

With this emerging need, there will be an insatiable demand for high quality, affordable cybersecurity expertise. Several clients have tried to hire me full-time. I have turned down the opportunities as I know the need for services that we provide will just continue to grow.

Lessons Learned

I have learned a large number of lessons over our first 18 months. Here are some of my favorites.

Read business books. Reading books is really important. I have gotten some great business and cybersecurity ideas from books. Three business books that have been invaluable to someone new to starting a consulting company and new to sales:
- Million Dollar Consulting by Alan Weiss. This is by far the best book on building a consulting business. Anyone considering starting a consulting company should read this book.
- Million Dollar Consulting Proposals by Alan Weiss. How can you have a whole book on proposals? This book covers every detail about writing great proposals. Since reading it I have shrunk the size of our proposals and added a signature section so that there wasn’t a need to create a separate Statement of Work (SOW). It has plenty of other great tips and tricks.
- Beyond Referrals by Bill Cates. Referrals are the lifeblood of a fledgling consulting company. Beyond Referrals is a great book on how and when to ask for a referral.
Read cybersecurity books. Two great books on cybersecurity risk have driven how we build our risk models at Fractional CISO:
- How to Measure Anything in Cybersecurity Risk by Douglas Hubbard and Richard Seirsen. This book opened my eyes to how quantitative risk assessments can be so much better than the High/Medium/Low ones that until recently have dominated the industry.
- Measuring and Managing Information Risk: A FAIR Approach by Jack Freund and Jack Jones. FAIR is a great model for cybersecurity risk. The disciplined language and categorization is extremely useful for consistent results.

Have a strong network. Maybe this is obvious but it wasn’t to me starting out. My network has been the best source of leads for business. When I haven’t worked with someone before, getting them to agree to a deal can be a challenge. Contrast that with a recent customer who had worked with us before at a different company. From the first call to the time that we had a signed deal was around two weeks. If you are planning on consulting on your own, then you should know/believe that you have a strong network that values your advice.
Be disciplined. You have to be really disciplined especially in the beginning. Getting the first couple of clients is a lot of work. Even when you don’t have anything you have to do, you need to send those emails, make the calls and have a lot of meetings over coffee. You never know when one of those will pay off.
Have good friends and colleagues. I have a great network of friends and former colleagues. I can’t tell you much I have appreciated everyone’s support.
Talk to other consultants. I have learned so much from other consultants from both inside and outside cybersecurity. So many business issues transcend your industry. Having some folks that you trust outside of your industry make it easy to share the challenges and get great advice.
Have a terrific family. I have a terrific family who has been 100% supportive from the moment I told them my crazy idea to quit my job. When you are starting out on your own, it is invaluable having people that believe in you.
Enjoy it. Being on your own can be incredibly rewarding. Aside from the potential financial rewards, being able to decide your own direction and how to spend your time is a reward in itself. It is not for everyone. I recently spoke with someone in a similar field who said something like, “I don’t know why I did this. I hate working from home and I hate making sales calls.” For me, I don’t have anyone looking over my shoulder. I will succeed or fail based on my own volition. Although I had never been a salesperson before starting Fractional CISO, it turns out that I enjoy it! I am definitely building my sales skills.

What’s next?

If you or someone you know needs help with their cybersecurity program then please give us a call. We can be reached at (617) 658-3276 and our email is info@fractionalciso.com.

Yes, your organization needs a Password Manager! Now that we’ve answered one of the most frequently asked questions, let’s spend the rest of this blog post explaining why. How else would a person keep track of the 191 passwords an average employee needs to manage?

Here are some of the possible solutions for managing the tens of passwords used:

Have an eidetic memory.
Write them all down.
Reuse the same password for multiple sites.
Store them in your contacts/notes/some other application.

That’s great if you have an eidetic memory. This blog post is for the rest of your organization.

Writing down passwords

Writing down passwords is not necessarily a bad idea. Especially for someone who is unlikely to be targeted for attack, this solution could possibly work. But only if the passwords are stored in a secure, locked location. However, there is no way you could make sure that everyone in the organization is following this practice.

If your company is a likely target of an attack, then writing passwords down could be a bad idea. Likely targets at an organization include high net worth individuals, people who have access to valuable intelligence or have a close relative that has stolen in the past.

Even if some people are not likely to be a target, what happens when the paper is lost or destroyed? I hope your staff enjoys resetting passwords!

Reusing passwords

Credit: xkcd

Reusing passwords is a terrible idea. Terrible like running with a chainsaw, terrible.

It is difficult to remember lots of passwords, so often people use the same password again and again.

An attack scenario that plays out again and again is the following. A single site is compromised. It may not even be important to anyone. It could be a site that your employee created an account for in order to perform a one-time download. Now the bad guys have their email address and the password that they use everywhere.

Next, the attackers try the same email address and password combination for every site they can think of. They try email, the company portals, social media, airline, e-commerce, and financial sites. If they successfully log in, then they extract the maximum value that they can from these sites at the employee’s expense.

Soon enough the person’s entire digital identity has been compromised! Reusing the same password is dangerous, for the individual and the company.

Store passwords in a contact, notes application or Excel

If people in your organization store passwords in the contacts or notes application or Excel then congratulations, your organization is using a password manager! Here is the bad news… You are using a really bad password manager. The passwords are note encrypted. You are storing your most confidential information in something that it was not designed for. This data may be replicated all over. If a bad guy were able to compromise this application then they would have access to all of your passwords.

Several high-profile cybersecurity breaches occurred in part to storing passwords in Word and Excel documents. For instance, the Sony data breach included a directory named “Password” that contained Word and Excel files with passwords!

If you stored passwords in another application, then you have already made the leap that you need a password manager. Now the next step is to use an application that is designed for the task.

Should you put all your password eggs in one password manager basket?

While you might recognize the problems identified above, you may still be skeptical about using a password manager. The main argument being- The password manager isn’t necessarily impenetrable. So, if your master password is compromised, the bad guys would have all of your credentials.

A password manager doesn’t eliminate risk. It does significantly reduce it for most use cases. If you do use a password manager, then you should pick an absolutely killer password. Remember that this password lets someone into all of your other passwords.

Before you balk at a password manager, let’s review the key benefits:

Passwords are stored in an encrypted form.
Passwords are replicated between devices ensuring access from mobile or desktop
Gives employees the freedom of using a different password for every account without having to remember every one of them.
Gives a way to come up with different, long, and complex passwords.
Accessible on a variety of apps and devices.
Great at reminding you all of the sites and applications you use. Especially the infrequently accessed ones.

The primary benefit of using Password manager for your organization is that you are changing people’s security behavior. Your employees can truly protect the way they are using the web and manage their passwords- both professional and personal.

How to pick a password manager?

If you are asking this question, CONGRATULATIONS! You have taken a major step in the right direction.

There are several options available in the market. To make sure that your business uses the best product it is important to evaluate your needs and pick features you would require. For example, if your company uses services that require multiple users to access it, you would go for a password manager that lets users create groups for shared access so that employees can be up to date on the password changes and remove access for those who leave the company.

Picking the right technology is the key. Between SaaS and on-premise solutions, SaaS is a better option for small industries. You only pay for what you need. On the other hand, on-premise solutions are a flexible and reliable option for large enterprises since you pay for the hardware and the license is completely owned by you.

What to look for in a corporate password manager:

Cross-platform. The password manager should work on multiple devices and operating systems and have data syncing feature to provide the flexibility to retain the same security between different platforms.
Admin console. A centralized admin console lets you manage employee access and set company-wide policies. The added benefit is the ability to track login attempts, valid logins, and unusual activities. Make sure your password manager allows you to customize the admin privileges.
Bulk password changer. Having a bulk password changing feature will allow you to quickly change a large number of passwords for your organization in the event of an organizational change or a security incident.
Password storage. You can either store your passwords on locally or remotely on a company’s server. Most managers first encrypt the passwords locally before storing them on cloud. So, it should be safe for a majority of users. There is still a remote possibility that the passwords could become compromised. So, if you hate the idea of having your organization’s passwords stored on one site in the cloud, there is always the option of storing them locally.
Shared credential management. The ability to create groups for shared access credentials will not only enable easy on-boarding but will also make managing employee permissions easier.
Remote Sessions. If your organization deals with remote access demands from a number of different users, this would be an essential feature. It would allow the authorized users to launch completely emulated RDP, SSH, and Telnet sessions without any end-point agents, browser plug-ins, or helper programs.
Separate vaults. Having separate vaults for personal and business passwords will allow admins to monitor and regulate corporate passwords without compromising the privacy of your employees’ personal space.
Multi-factor authentication. For an added layer of security, many password managers also provide multi-factor authentication to limit access to the vault.
Active Directory (AD)/LDAP integration. AD and LDAP’s single sign-on capabilities can be extended to the password manager. Leveraging the AD setup while implementing a password manager would save time in the on-boarding process.
Auditability. The Password Manager’s audit function can demonstrate who had access to systems when an incident occurred.

A password management tool will likely improve your organization’s cybersecurity posture.

Next steps

Need help with a password manager project or with your overall cybersecurity strategy? Give us a call at Fractional CISO today. We can be reached at (617) 658-3276 or email info@fractionalciso.com and find out how we can assist you.

Monthly Archives: November 2018