I’ll admit it – when I joined Fractional CISO earlier this year, I had no idea what it would really be like as a Virtual CISO.
I knew that my new position — providing cybersecurity leadership to clients across all sorts of industries — would be very different than my previous eight years as a technical manager at a financial software company, where I led their SaaS operations, engineering, and cybersecurity teams.
That was a great job, but I had a growing feeling that I was becoming isolated in my far too comfortable bubble, and I needed to break out or risk stagnating my career. Starting at Fractional CISO, I faced a new challenge: I needed to quickly re-focus myself as a security leader.
But what would that look like? Would I be able to use what I’ve learned from years in Fintech and apply it here? What would be new and different that I would have to learn fresh?
It’s only been three months so far, and I’m sure there’s still plenty more to discover, but I thought I’d share a few things I’ve noticed along the way.
It’s a big, wild world out there…
Working in Fintech was demanding and required specialized skills, but the danger of being at one company or industry for too long is that you’ll end up not seeing what’s going on in the wider world – that’s the bubble again. I knew our company’s technologies and our approach to cybersecurity very well, but I only had vague notions as to how other businesses were handling similar challenges.
I wondered how different it would be with my new clients.
As soon as I met a few of them, I was astonished by how much variation I saw with their cybersecurity needs and practices. I see many companies wrestling with fundamental security controls that I was used to taking for granted, but also see many medium sized clients using exciting, cutting-edge service-based cloud architectures that require new approaches to cybersecurity.
Because of the technologically conservative career bubble I was in, I hadn’t realized how quickly the smaller and more nimble firms out there had evolved and fully embraced these practices in the last few years. It’s exciting to now be working with so many interesting and innovative companies!
… but it’s also déjà vu, all over again.
Even though some of the cloud architectures are new, I still see a lot of familiar cybersecurity management needs with our clients.
There are always vulnerabilities that need to be found and patched. End-users sometimes find a way to do things you wish they wouldn’t. Customers love to send our clients gigantic pre-sales security questionnaires. Auditors always need mountains of evidence. And no one likes to take security awareness training (even though some of it actually isn’t horrible anymore!).
Honestly, it was a bit reassuring to see that there are plenty of common threads with cybersecurity management across all industries and companies, and that made it easy to jump right in and start helping our clients.
Compliance is security (or at least it’s a start)…
I used to be fond of the saying “compliance isn’t security,” which means that if you’re only focused on doing just enough to pass a compliance audit — like SOC2 or PCI-DSS — then you’re probably not doing enough to have “good” cybersecurity.
There’s some truth to that but working with our clients has made me think of this in a different light now.
What I’ve seen is that many of our clients are under pressure from their customers or partners to pass a compliance audit. Quite often, they don’t have any meaningful cybersecurity management in place, but they’re motivated to improve because of their looming audit. We help them prepare for that process by first helping them create a solid foundation for their new cybersecurity management program and then by helping strengthen it so it can stand up to the auditor’s inspection. I’ve seen clients move from having a very low security capability to being fully SOC2 compliant, and that’s an indisputably HUGE improvement towards “good” cybersecurity!
…but complacency kills security.
The key of course is to not become complacent with just “good enough”, and you should continually improve your cybersecurity management program.
Completing a successful audit is just the starting point! I know, I know – investing more resources into a fully mature cybersecurity program will at some point have diminishing returns, but for companies who are just starting to take charge of their own cybersecurity, the return on even a modest investment for the first few years is usually sky high.
Nobody writes a security management policy until they’re forced to do so…
I have yet to meet anyone, anywhere, that likes to write formal cybersecurity policies just because it’s the “right thing to do”. The reality is, most of the time companies write policies because they’re being forced to in order to pass their first cybersecurity compliance audit.
We help our clients with policy creation as much as we can, but still, it’s never easy. Trying to formalize and write down the rules that govern everything your company does around cybersecurity is usually a heavy lift, but well worth the effort.
… but writing policies just to pass an audit is a waste of time.
Information security policies themselves don’t provide a single bit of practical security. They’re just words in a document, after all! The only value they have is to guide human behavior, and sometimes that doesn’t come easy, particularly if it means changes to how people work.
I’ve seen clients work very hard to write policies because of an upcoming audit, but not put a lot of thought into how they’re going to get the entire organization to follow them. Policies should be living documents that define how a company wants to manage their cybersecurity, and that requires effort to educate, train, and manage employees so they can all work towards those common goals.
All employees should know that there are documented cybersecurity practices, and managers should reference them when steering behaviors, influencing design decisions, and evaluating risks.
Policies also need to be reviewed and updated as the company’s practices evolve – not just once a year! Having a policy document dusted off just to show an auditor is not the right way to manage security. It’s ineffective, exposes your company to undue risk, and is just a waste of time!
I knew a lot more than I thought going into this role…
In my previous positions, I’ve managed several technical teams, including SaaS security operations, but I’ve never held a position that was solely focused on cybersecurity leadership.
Did I actually know enough to do this job?
I didn’t appreciate this until I left “the bubble”, but I had picked up far more cybersecurity management knowledge than I realized in part just by working alongside some very talented people over the years. I’ve worked with great GRC (Governance, Risk Management, and Compliance) teams who lead us through SAS 70, SOC2, and ISO 27001 audits. I’ve also worked with dedicated security engineers who let me look over their shoulders as they ran their vulnerability scans and evaluated firewall configuration tools. Sometimes you don’t realize how much you learn just by working with smart people!
… but I also knew a lot less that I thought.
HIPAA and Kubernetes and Google Cloud… oh my!
Of course, anything can be learned, but if you’ve had no reason so far in your career to learn a particular regulation, technology, or practice, it can be a bit daunting to all at once start leading clients who are each doing their own thing. Suddenly needing to learn about all sorts of new and interesting topics is invigorating, and it’s probably the best part about breaking out of the bubble!
Virtual consulting is hard…
Oddly enough, I’ve only been to Fractional CISO HQ twice: once for an interview and once on my first day. Between those two days there was this pandemic that flared up that you may have heard about.
Starting any job while working from home has been challenging, but getting to really know our clients’ team members and build trust has been extra difficult without visiting on site and meeting people face-to-face. As soon as we get this situation behind us, I guarantee that all of us at Fractional CISO will be hitting the road and stopping by to check in on everyone!
…but this is WAY more fun than I thought it would be
Working for a small company with talented people, rediscovering how interesting it is to learn about new technology, and realizing that this was clearly the right step for me have all made this transition easier and better than I expected. But most of all, I had no idea how rewarding it would be to help so many mid-sized organizations fend off the bad guys as they improve their cybersecurity.
This is much more fun than being in the bubble!
To receive more great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/