CISO stands for Chief Information Security Officer. This is the top security expert that builds out and is responsible for an organization's cyber security systems that protect their data and information.

My Fintech Cybersecurity Journey – Out of the Bubble

September 30, 2020

I’ll admit it – when I joined Fractional CISO earlier this year, I had no idea what it would really be like as a Virtual CISO.

I knew that my new position — providing cybersecurity leadership to clients across all sorts of industries — would be very different than my previous eight years as a technical manager at a financial software company, where I led their SaaS operations, engineering, and cybersecurity teams.

That was a great job, but I had a growing feeling that I was becoming isolated in my far too comfortable bubble, and I needed to break out or risk stagnating my career. Starting at Fractional CISO, I faced a new challenge: I needed to quickly re-focus myself as a security leader.

But what would that look like? Would I be able to use what I’ve learned from years in Fintech and apply it here? What would be new and different that I would have to learn fresh?

It’s only been three months so far, and I’m sure there’s still plenty more to discover, but I thought I’d share a few things I’ve noticed along the way.

It’s a big, wild world out there…

Working in Fintech was demanding and required specialized skills, but the danger of being at one company or industry for too long is that you’ll end up not seeing what’s going on in the wider world – that’s the bubble again. I knew our company’s technologies and our approach to cybersecurity very well, but I only had vague notions as to how other businesses were handling similar challenges.

I wondered how different it would be with my new clients.

As soon as I met a few of them, I was astonished by how much variation I saw with their cybersecurity needs and practices. I see many companies wrestling with fundamental security controls that I was used to taking for granted, but also see many medium sized clients using exciting, cutting-edge service-based cloud architectures that require new approaches to cybersecurity.

Because of the technologically conservative career bubble I was in, I hadn’t realized how quickly the smaller and more nimble firms out there had evolved and fully embraced these practices in the last few years. It’s exciting to now be working with so many interesting and innovative companies!

… but it’s also déjà vu, all over again.

Even though some of the cloud architectures are new, I still see a lot of familiar cybersecurity management needs with our clients.

There are always vulnerabilities that need to be found and patched. End-users sometimes find a way to do things you wish they wouldn’t. Customers love to send our clients gigantic pre-sales security questionnaires. Auditors always need mountains of evidence. And no one likes to take security awareness training (even though some of it actually isn’t horrible anymore!).

Honestly, it was a bit reassuring to see that there are plenty of common threads with cybersecurity management across all industries and companies, and that made it easy to jump right in and start helping our clients.

Compliance is security (or at least it’s a start)…

I used to be fond of the saying “compliance isn’t security,” which means that if you’re only focused on doing just enough to pass a compliance audit — like SOC2 or PCI-DSS — then you’re probably not doing enough to have “good” cybersecurity.

There’s some truth to that but working with our clients has made me think of this in a different light now.

What I’ve seen is that many of our clients are under pressure from their customers or partners to pass a compliance audit. Quite often, they don’t have any meaningful cybersecurity management in place, but they’re motivated to improve because of their looming audit. We help them prepare for that process by first helping them create a solid foundation for their new cybersecurity management program and then by helping strengthen it so it can stand up to the auditor’s inspection. I’ve seen clients move from having a very low security capability to being fully SOC2 compliant, and that’s an indisputably HUGE improvement towards “good” cybersecurity!

…but complacency kills security.

The key of course is to not become complacent with just “good enough”, and you should continually improve your cybersecurity management program.

Completing a successful audit is just the starting point! I know, I know – investing more resources into a fully mature cybersecurity program will at some point have diminishing returns, but for companies who are just starting to take charge of their own cybersecurity, the return on even a modest investment for the first few years is usually sky high.

Nobody writes a security management policy until they’re forced to do so…

I have yet to meet anyone, anywhere, that likes to write formal cybersecurity policies just because it’s the “right thing to do”. The reality is, most of the time companies write policies because they’re being forced to in order to pass their first cybersecurity compliance audit.

We help our clients with policy creation as much as we can, but still, it’s never easy. Trying to formalize and write down the rules that govern everything your company does around cybersecurity is usually a heavy lift, but well worth the effort.

… but writing policies just to pass an audit is a waste of time.

Information security policies themselves don’t provide a single bit of practical security. They’re just words in a document, after all! The only value they have is to guide human behavior, and sometimes that doesn’t come easy, particularly if it means changes to how people work.

I’ve seen clients work very hard to write policies because of an upcoming audit, but not put a lot of thought into how they’re going to get the entire organization to follow them. Policies should be living documents that define how a company wants to manage their cybersecurity, and that requires effort to educate, train, and manage employees so they can all work towards those common goals.

All employees should know that there are documented cybersecurity practices, and managers should reference them when steering behaviors, influencing design decisions, and evaluating risks.

Policies also need to be reviewed and updated as the company’s practices evolve – not just once a year! Having a policy document dusted off just to show an auditor is not the right way to manage security. It’s ineffective, exposes your company to undue risk, and is just a waste of time!

I knew a lot more than I thought going into this role…

In my previous positions, I’ve managed several technical teams, including SaaS security operations, but I’ve never held a position that was solely focused on cybersecurity leadership.

Did I actually know enough to do this job?

I didn’t appreciate this until I left “the bubble”, but I had picked up far more cybersecurity management knowledge than I realized in part just by working alongside some very talented people over the years. I’ve worked with great GRC (Governance, Risk Management, and Compliance) teams who lead us through SAS 70, SOC2, and ISO 27001 audits. I’ve also worked with dedicated security engineers who let me look over their shoulders as they ran their vulnerability scans and evaluated firewall configuration tools. Sometimes you don’t realize how much you learn just by working with smart people!

… but I also knew a lot less that I thought.

HIPAA and Kubernetes and Google Cloud… oh my!

Of course, anything can be learned, but if you’ve had no reason so far in your career to learn a particular regulation, technology, or practice, it can be a bit daunting to all at once start leading clients who are each doing their own thing. Suddenly needing to learn about all sorts of new and interesting topics is invigorating, and it’s probably the best part about breaking out of the bubble!

Virtual consulting is hard…

Oddly enough, I’ve only been to Fractional CISO HQ twice: once for an interview and once on my first day. Between those two days there was this pandemic that flared up that you may have heard about.

Starting any job while working from home has been challenging, but getting to really know our clients’ team members and build trust has been extra difficult without visiting on site and meeting people face-to-face. As soon as we get this situation behind us, I guarantee that all of us at Fractional CISO will be hitting the road and stopping by to check in on everyone!

…but this is WAY more fun than I thought it would be

Working for a small company with talented people, rediscovering how interesting it is to learn about new technology, and realizing that this was clearly the right step for me have all made this transition easier and better than I expected. But most of all, I had no idea how rewarding it would be to help so many mid-sized organizations fend off the bad guys as they improve their cybersecurity.

This is much more fun than being in the bubble!

To receive more great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/

Elon Musk: Cybersecurity’s Iron Man

September 17, 2020

Earlier this week, while taking a break from home schooling (don’t ask), I happened to be browsing a list of the world’s billionaires.

You can probably guess who’s leading the pack – Bezos, Gates and Zuckerberg, of course. But did you know that Tesla founder, Elon Musk, is consistently among the top five? I have to admit, I was surprised.

But as I dug in a bit and read his bio, I realized that not only is he super-rich, he’s also involved in an astonishing array of projects and companies. According to Wikipedia…

He is the founder, CEO, CTO and chief designer of SpaceX; early investor, CEO and product architect of Tesla, Inc.; founder of The Boring Company; co-founder of Neuralink; and co-founder and initial co-chairman of OpenAI.

The truth is, he’s essentially a real-life version of world-famous industrialist and genius inventor, Tony Stark (AKA “Iron Man”), minus the self-contained flying suit of armor (or so I am assuming).

And it doesn’t end there. Musk is a cybersecurity superhero, too.

The Russians Are Coming

You may have read about a Russian hacker’s recent attempt to recruit a Tesla employee to insert malware into the company’s computer systems. The employee turned down the $1 million offered and, instead, notified the FBI, which ultimately arrested the hacker.

Cybersecurity-wise, what stands out most about this incident is that Tesla’s security practices are so well-conceived and implemented that the only feasible way in was through an on-the-ground insider – there were no viable remote entry points.

Musk’s obsession with cybersecurity is well known. Realizing that the hacking of Tesla’s car fleet would be the downfall of his business, he has taken every step imaginable to guard against that possibility (even hiring people, on occasion, who have demonstrated an ability to hack a Tesla).

Most of us, of course, don’t have to worry about a Russian operative recruiting one of our employees to plant malware inside our systems.

First, because the Russian attackers are really, really good at breaking in remotely. They don’t need to physically enter a building to gain access. Second, because most companies don’t offer a great enough return for a hacker to risk getting caught in an FBI sting!

Nevertheless, Tesla’s approach to cybersecurity is instructive. Here are three important takeaways…

#1. Don’t be the weak player.

Maybe you’ve heard the old joke about two men in the forest who come upon a ferocious bear. One kneels down and starts tightening his shoelaces. The other guy asks, “Do you really think we can outrun him?” The first guys says, “I don’t need to outrun him, I only need to outrun you.”

The same logic applies with your cybersecurity.

The bad guys are in business – they want to make as much money with as little effort and risk as possible. They are looking for the most vulnerable targets. If you put enough controls in place, they will likely look elsewhere.

#2. Map risk evaluation to business risk.

Musk knows with certainty where Tesla’s biggest threat lies: it’s a fleet-wide hack. In his own words, “That would be the end of Tesla.” And so that’s where his greatest security efforts live, too.

Many companies, on the other hand, don’t make these kinds of distinctions – everything is given equal importance, whether that’s a corporate database inside a cloud environment, customer records on an internal network, or a marketing web site with no connection to either.

There’s no such thing as across the board security – there is not enough time or money on Earth to protect everything equally.

Rather, you need to complete a risk assessment, one in which you prioritize and make choices by identifying your key assets, both in terms of what they are worth to you and what they might be worth to a potential hacker.

Put another way, what’s your equivalent to a fleet of Teslas?

#3. Consider possible negative scenarios.

Once you know where your priorities lie, now consider how and where these key assets might be vulnerable. What means are hackers, generally, using these days to access company data? How would a bad actor monetize that information?

Many companies fall down here as well. Too often, esoteric or unlikely attacks are given high priority, while basic security steps like multi-factor authentication or training employees on good cybersecurity behavior are given little attention.

Keep in mind as well that the “entry point” for an attack may, in and of itself, be of little value. Just as an unlocked door in the basement provides access to everything within the walls of your building, an unsecured printer on your network may open the door to your entire production system.

The key, always, is to apply a risk-based view of potential threats and their repercussions. For example, email may not seem like a big deal, but if gaining entry to your system allows me to send fake messages on your behalf, you’re in for a very long day (or month).

Conclusion

Elon Musk’s singular focus on cybersecurity is a shining example of corporate leadership and the importance of keeping a close eye on what matters most.

Whether “the bear” on your heels is a Russian attacker or a four-legged mammal, it falls on you to make yourself as uninviting a target as possible!

Virtual CISO (vCISO)

September 14, 2020

A Virtual Chief Information Security Officer (vCISO) helps organizations to protect their infrastructure, data, people and customers. A vCISO is a top security expert that builds the client organization’s cybersecurity program. The Virtual CISO works with the existing management and technical teams. You may be wondering if your organization needs a vCISO. This article aims to cover all the considerations for engaging with a Virtual CISO.

How an organization uses its vCISO depends on the business itself. The organization’s structure, products and services, markets and IT context all factor in.

Some companies are content to just sit and wait for problems – but that kind of apathy can be fatalistic.

In most cases, waiting around is a terrible strategy! A Virtual CISO helps a firm to be proactive when initiative counts.

When a company is struggling to implement security, comply with industry regulations, and outpace competitors, a vCISO can help. Virtual CISOs provide guidance and measure the results of the client’s cybersecurity program.

Reading this, you may be wondering if your organization needs a Virtual CISO. Here are some of the things that these top pros can do to help your company toward success and security.

A Virtual CISO Services: Protect Your Organization

Managing cybersecurity in today’s world is almost indescribably tough. Many business leadership teams, don’t feel up to the challenge, or they understand that outside firepower can enhance a security model.

Most mid-sized firms have some technical personnel or contractors that handle most of the technical needs of security. But who is looking at the big picture of cybersecurity for the organization?

Often this is a CIO, CTO, COO, Chief Compliance Officer or another executive that has a full plate of responsibilities. This executive might not have the bandwidth to cover their enterprise’s cybersecurity program. That gap leads to unnecessary risk!

Other organizations choose to put a mid-level technical manager in charge of security. These folks also have a full-time job. They don’t have the executive presence to influence senior management. They need buy-in for key security programs – especially when there’s a time-sensitive project. It’s not that these people aren’t working hard enough to implement best practices – it’s just that the company doesn’t have the tools that it needs to achieve!

A Chief Information Security Officer (CISO) is a senior-level team member. The CISO establishes and maintains an enterprise’s security vision, strategy, and programs. The role ensures information assets and technologies are appropriately protected. Most large organizations have a full-time CISO to handle their cybersecurity needs. Mid-range companies and smaller may not have such a role. Having a non-security expert in charge of security is a recipe for trouble!

A Virtual CISO is designed to provide expert security guidance through:

Understanding the organization’s strategy and business environment
Providing threat analysis and strategy updates in real-time
Anticipating future security and compliance challenges
Overseeing mid-level and analyst/engineering teams
Discovery, triage, remediation and evaluation of threats

All of this and more contributes to a safer, better positioned corporate vantage point.

If your company doesn’t have the resources to hire a full-time CISO and equip that expert with all the best tools for the job, the next best thing is a virtual security officer from a proven company. These experts don’t require extensive training, outside of getting to know your organization intimately, and they have access to the right tools for the job already. With a good vCISO you will minimize your overhead while gaining access to the protective benefits that these experts bring along with them. Take control of your business proactively by bringing in an expert in security ahead of any major problems.

Filling In as an Interim CISO

There are many cases where a larger organization’s CISO departs due to a new role, termination or an illness. In these cases, the organization needs a qualified person to manage its cybersecurity. The mandate to “handle security in real-time” means the CISO desk should not ever be empty: if an interim presence is needed, a vCISO is a valuable solution.

The right Virtual CISO will be able to take over where the existing CISO left off without disrupting the current security protocols in position. At the same time, hiring a virtual expert can provide your organization with an outside perspective and may lead to security enhancements that otherwise wouldn’t have been considered. Many companies see the need for temporary vCISO services as a negative, but this expert could end up improving your company in unexpected ways, so don’t immediately look at a fill-in CISO as a negative. Instead, try and view this outsider as a tool for progress for your organization.

Why Do Companies Hire a Virtual CISO?

Companies are getting aggressive about getting a CISO on board for a number of reasons.

One is the range of new cybersecurity regulations that companies have to deal with. Past industry standards like PCI and HIPAA are now joined by bold new privacy and security rules that change how we view the company’s responsibility to safeguard data. Perhaps the best recent example is the European General Data Protection Regulation (GDPR) that’s having so much of an effect not just in the EU, but around the globalized business community.

Then there are the cautionary examples: data breaches splashed across the front page, chilling tales of pilfered data, identity theft, and commercial loss.

These are two of the biggest drivers toward a CISO strategy that plans for every eventuality, including an empty chair.

Far too many organizations wait until disaster strikes before investing in virtual CISO services at all. This is the wrong way to approach the issue. Instead, it’s best to hire a vCISO while things are still running smoothly. A skilled chief information and security officer will build necessary security safeguards into your company over time, and your business will only grow stronger over time. Hiring a virtual CISO, or spending the money to have an in-house CISO will help preserve company profits over time.

If you’re interested in giving your company the best chance for success in the future, bringing in professional offering virtual CISO services is an excellent investment. This move won’t raise your stock prices immediately, but it could be the improvement that successfully staves off a security breach or another real disaster for your company in the future. Think of this professional as a preventative measure or a safeguard for your company that you don’t want to be without.

A Virtual CISO Program from Fractional CISO

With a vCISO from Fractional CISO, every engagement is a little different. In every case, the vCISO will work to understand your business environment, culture and objectives.

Then the Virtual CISO will get to work on:

Starting a cybersecurity risk assessment based on your organization’s assets
Establishing the organization’s cybersecurity strategy
Building a cybersecurity plan and program
Building a Governance, Risk and Compliance (GRC) program
Maintaining core security operations
Focusing on people including managing personnel, contractors and/or vendors
Building and executing a training strategy

Fractional CISO’s Virtual CISO service also involves:

Understanding the business environment and matching a management style that resonates with the customer
Quickly building trusted relationships with key personnel, resulting in a more successful cybersecurity program
Meeting customer requirements with a flexible Virtual CISO program
Having great templates and systems in place to maximize leverage.

A typical engagement involves being on-site for two to three weeks of the first eight weeks of the process. On-site participation varies based on customer preference and the requirements of the engagement. For more details on the Fractional CISO offerings, check out our services and offerings.

More vCISO Benefits

The key benefit of hiring a Virtual CISO is that you get the same expertise and capability as a full-time CISO. But you don’t have the associated level of overhead, benefits, and training. A firm can achieve its security goals related to prioritization, risk evaluation and training. With the right virtual CISO services, you will enjoy security improvements sooner too. Less training time is needed to get this virtual expert up to speed with your company than a long-term new-hire would take. Any company that values its virtual security will come to appreciate the experience that a vCISO brings to the table. With that said, not everyone only wants a part-time CISO. That’s why it’s possible to use a virtual CISO program year-round for long-term protection. Whether your business decides to change its website infrastructure, test out a new server setup, or alter another piece of technology that’s crucial to your daily operations, a vCISO can reduce common information security concerns along the way. Few companies are currently considering hiring for virtual CISO jobs, and many of these organizations are leaving themselves at risk as a result.

Virtual CISO Requirements

It’s important for a CISO to have a sufficient background in security, to understand the security landscape. The CISO has to keep up to date with the latest in the security industry. How can you make sure that a prospective CISO is a security expert?

Cybersecurity credentials can help. A CISSP (Certified Information Systems Security Professional) or CISM certificate is just part of the proof of capability for a CISO. The CISO needs to be able to talk intelligently about systems and compliance and translate that knowledge to teams. This role needs to have “people skills” as well as “tech skills” and expertise in the industry. That combination helps companies to safeguard their systems and re-organize for the business world of the future.

Next Steps with a Virtual CISO

If you would like to discuss whether a Virtual CISO is right for you, please give us a call for a complimentary consultation. We can be reached at (617) 658-3276 and our email is [email protected]. Let us help you to achieve your goals for cybersecurity!

Monthly Archives: September 2020