Blog - Fractional CISO - Virtual CISO

Blog

How Secure Are Your Employees’ Home Networks?

21st May 2020

Everyone: “Rob, why don’t you deposit checks from your phone?” Me, Pre-Pandemic: “Use the app on my phone? Are you crazy? The bank is right around the corner. It’s so easy to deposit checks there. If my phone were stolen, the attacker would have a leg up on getting my banking information. I feel safer at the bank.” … Continue reading How Secure Are Your Employees’ Home Networks? →

Starting your cybersecurity program

20th May 2020

How do you get your cybersecurity program started? We know of a lot of mid-sized companies that struggle with getting their cybersecurity program going. Before you hire cybersecurity experts there is significant progress that an organization can make on its own. Don’t believe me? Even when you hire an expert, you will need a team … Continue reading Starting your cybersecurity program →

FCISO

18th May 2020

Why when you search for FCISO doesn’t the Fractional CISO website come up? I’ll tell you why… Up until this point, we haven’t cared about the FCISO search term. However, now we are going to start using #FCISO for our LinkedIn hashtag so we do care about it. Fractional CISO provides FCISO services to its … Continue reading FCISO →

How to set up Threat Intelligence via Slack for Free

14th May 2020

Are you finding it hard to keep up with new major cybersecurity vulnerabilities that could affect your environment? Unless cybersecurity is your full-time job, you’re probably not spending a lot of time wading through blog posts and listening to hours of podcasts just to keep up with every breaking story. Most of us really just … Continue reading How to set up Threat Intelligence via Slack for Free →

SOC 2 vs ISO 27001

11th May 2020

Should you get a SOC 2 or ISO 27001? We get that question all of the time. The answer is simple… It depends. A SOC 2 is an attestation report that a CPA firm evaluates for effective security controls. ISO 27001 is a certification that says that an organization is following a set of cybersecurity … Continue reading SOC 2 vs ISO 27001 →

How to Gamify Your Incident Response Planning (And Make It Fun)

7th May 2020

Zombies are attacking the perimeter. They’ve made it past the outer defense wall and are trying to breach the inner wall. You’ve bolstered your gateway defenses, but the flood of zombies found a weakness. Their attack breaks through. What do you do? Roll for initiative. No, this isn’t one of those Dungeons and Dragons articles or … Continue reading How to Gamify Your Incident Response Planning (And Make It Fun) →

Correct Horse Battery Staple Review – Password Advice

1st May 2020

The “Correct Horse Battery Staple” piece at xkcd is still so popular! I guess if you want something to live on then make a comic about it… In the comic, you have an example of the type of password that we’ve been taught to create by IT systems over the past couple of decades (Tr0ub4dor&3). … Continue reading Correct Horse Battery Staple Review – Password Advice →

Pro Tip: Sending Secrets via Signal

20th April 2020

How do you send a secret key or password to another team member? You can’t just hand someone a sticky note! That’s why we recommend downloading and using the Signal app. Signal has end-to-end encryption and has been vetted by some of the top security minds. We use Signal when sharing passwords, birthdates, files containing confidential materials and … Continue reading Pro Tip: Sending Secrets via Signal →

Fast and Easy Video Conferencing Comes With a Price

10th April 2020

Back when I was a kid, my grandfather would never talk about money on the phone. Even face-to-face, if he had to say the word out loud, he would whisper it, as if speaking normally would somehow invite a visit from nefarious forces. I can’t really blame him. He was a first generation American whose Jewish parents had … Continue reading Fast and Easy Video Conferencing Comes With a Price →

G Suite Access Control Audit Tip

29th March 2020

Here’s a G Suite tip that will save you lots of time figuring out who your administrators are. From the admin console go to Reports > Users > Account Activity. Admin Status will tell you who is a “Super Admin,” “Admin” or “None.” Hey Google, “Can you make this easier to find?”

Are You Treating Your Cybersecurity Like a Rental Car?

19th March 2020

My wife and I took our two kids down to Sarasota, Florida a few weeks ago, to visit my parents. There was a fair amount of rental car logistics involved (don’t ask), and when it came time to pick up the car, I brought along my dad. I signed the papers, grabbed the keys and … Continue reading Are You Treating Your Cybersecurity Like a Rental Car? →

Why the Corp.com Sale Matters to You

24th February 2020

The Corp.com website is being sold (likely price: $1.7 million). Why should you care? Because many companies use corp.com as their second level domain for their Active Directory. As explained in this helpful article, it means that, “[W]hoever controls corp.com can passively intercept private communications from hundreds of thousands of computers that end up being … Continue reading Why the Corp.com Sale Matters to You →

Every Company Needs a Jessica

20th February 2020

Where I live, you’re not allowed to park on the street overnight. Unless, that is, you apply for and receive an official town parking pass. So I called my town hall to learn more. Who answered the phone? Jessica. (Not her real name.) Who processes the parking applications? Jessica. Who is also responsible for block … Continue reading Every Company Needs a Jessica →

Should I become a Virtual CISO? What I wish I had read 30 months ago

12th February 2020

This article is written as advice for aspiring Virtual CISOs (vCISO). This is the third part in a series. If you haven’t read the 18-month and 25-month ones, you should. They’re here: https://fractionalciso.com/18-months-in-what-ive-learned-starting-a-cybersecurity-company/ https://fractionalciso.com/25-months-in-what-ive-learned-starting-a-cybersecurity-company/ Know, like, trust, buy These magic words: “know, like, trust, buy” are the key to success in the Virtual CISO business. … Continue reading Should I become a Virtual CISO? What I wish I had read 30 months ago →

Just Okay Is Not Okay

16th January 2020

These days, I don’t watch much live TV. The exception is sports. And with football playoffs in full swing, I’ve seen a fair number of commercials along the way. One that has stood out involves a surgeon: Here, too, just okay is not okay. Security is Fundamental to IT MSPs face a big challenge. They support … Continue reading Just Okay Is Not Okay →

Don’t Click That Link!

19th December 2019

Anyone who says there is no difference between boys and girls, has never coached youth basketball. I coach at our local YMCA — 3rd/4th graders with my son; 1st/2nd graders with my daughter. And let me tell you, I’m not even sure these two populations are of the same species. Here’s a prime example… When … Continue reading Don’t Click That Link! →

Disney+ Account Compromise

5th December 2019

There are many Disney Plus accounts available for sale by fraudsters. Attackers use Credential Stuffing and Password Spraying attacks to gain access to these accounts. CNBC has more details on the compromises. What are Credential Stuffing and Password Spraying Attacks? Credential Stuffing is when attackers take known email addresses and passwords from one site compromise … Continue reading Disney+ Account Compromise →

SSCP: Gliding into a New Security Career

3rd December 2019

How many paragliding instructors do we have out there? Okay, not a lot. But what if you were one looking to make a career change into cybersecurity? Take it from this former paragliding instructor, here’s the way to glide into a new cybersecurity career. Before I found out about the SSCP certification, the landscape of … Continue reading SSCP: Gliding into a New Security Career →

Can You Hear Me Now?

21st November 2019

Here is a sentence you have probably never heard: “Alexa, send our company banking credentials to a cyber-criminal.” Nobody, of course, would deliberately invite their smart speaker to share confidential information with bad actors. And the software itself (Alexa, Google Home, etc.) is not designed to do bad things. But, that doesn’t mean bad things … Continue reading Can You Hear Me Now? →

3 Tips to Make Your Vulnerability Report Pop

6th November 2019

Have you ever been the victim, I mean, read a vulnerability report? It looks like the world is about to end with all of the red tens and lots of numbers all over the place. Technical humans trying to make sense of the information mumble things like, “I guess we have to patch” or “um, … Continue reading 3 Tips to Make Your Vulnerability Report Pop →

Sales troubles? Call the cybersecurity specialist!

29th October 2019

It is so non-intuitive. Yet, each time I try to explain it, I get puzzled looks. This is usually how it goes…. “I help business leaders create a cybersecurity program and story to unblock sales.” “Huh?” But it is true. More often than not our clients make the decision to hire us because they are … Continue reading Sales troubles? Call the cybersecurity specialist! →

How many organizations have access to my email?

11th September 2019

Here’s a scenario: You are sending a confidential email to an employee at another company that’s based overseas. You need to share the information with the person at that company, but you don’t want the information to get out beyond that connection. How many organizations will have access to that email? Answer: More than you … Continue reading How many organizations have access to my email? →

Virtual CISO (vCISO)

9th September 2019

A Virtual Chief Information Security Officer (vCISO) helps organizations to protect their infrastructure, data, people and customers. A vCISO is a top security expert that builds the client organization’s cybersecurity program. The Virtual CISO works with the existing management and technical teams. You may be wondering if your organization needs a vCISO. This article aims … Continue reading Virtual CISO (vCISO) →

SOC 2 Certification: How to Get One

29th August 2019

There has been a huge trend in the US for technology companies to get their SOC 2 attestation report. How do we know? We’ve helped a number of companies achieve their compliance. This blog post explores many of the considerations that our clients go through in their quest for a SOC 2. Why SOC 2? … Continue reading SOC 2 Certification: How to Get One →

25 months in: What I’ve learned starting a cybersecurity company

31st July 2019

This is the second part in a series. If you haven’t read the 18 month one, you should. It’s here: https://fractionalciso.com/18-months-in-what-ive-learned-starting-a-cybersecurity-company/ After re-reading my 18-month blog post I couldn’t believe how much has changed with our business and with me in just six months. Okay, seven months but I started writing this post at the … Continue reading 25 months in: What I’ve learned starting a cybersecurity company →

vCISO video

8th July 2019

Have you ever wondered what a vCISO is or why you should hire one? Now in just 71 seconds with this vCISO video you can learn everything you have ever wanted to about what a Virtual CISO is and how they can help your organization. Want to watch the vCISO video on YouTube? Check it … Continue reading vCISO video →

How to find the Fractional CISO brochure

6th June 2019

I recently had trouble finding our brochure on our website. That is not good news if you are looking for it! Here it is! We’ll find a good spot in the future.

IoT Platforms: The Top Six

30th May 2019

I recently finished a small consulting engagement where the client asked me about if they should build an IoT platform. I’ll give you the same advice I gave them, but for free. “Don’t do it.” Let’s talk about the underlying challenges with today’s IoT platforms. It’s a very weird market. Think of it this way: … Continue reading IoT Platforms: The Top Six →

Fractional CISO in the news

3rd April 2019

We’ve gotten some great first quarter 2019 press exposure covering a range of cybersecurity topics. First, our article covering the Four Signs You’re Ready for a Virtual CISO was published by the Security Ledger in February. We walk you through the key reasons for choosing a vCISO including because of customer input, regulatory requirements, mergers … Continue reading Fractional CISO in the news →

Meraki Review: Is it the right Security Appliance for your organization?

27th March 2019

You may be considering making changes to your network or starting a new company or branch office. What should you do to minimize your organization’s cybersecurity risk? When we moved into a new office, I was responsible for setting up the network. This included selecting the right network equipment for our organization. As a security … Continue reading Meraki Review: Is it the right Security Appliance for your organization? →

Pen Test. Do I need one?

13th March 2019

“Yes, but…” That is the right answer 95% of the time. Almost every organization needs a penetration test or pen test. Organizations with mature security programs don’t need to ask the question. They already know the answer based on their program and plan. Organizations that are asking that question are operating from the right mindset. … Continue reading Pen Test. Do I need one? →

WiFi Pineapple: Can Still Compromise Your Network in 2019

30th January 2019

Suppose you see a few people in a rented car, parked across a street at a hotel, next to an office. Does this sound suspicious to you at all? Not at all! Right? In a real-life version of this story, those people were attempting to perform a cyber-attack on the Organization for the Prevention of … Continue reading WiFi Pineapple: Can Still Compromise Your Network in 2019 →

Cybersecurity Breach Bankruptcy: It Does Happen

23rd January 2019

“Companies don’t go out of business due to a cybersecurity breach,” say several well-versed cybersecurity experts. When I give them counter-examples to disprove their point, they list it as an aberration. Here’s a less catchy but more accurate statement: “Large companies usually don’t go out of business due to a large cybersecurity breach. They can … Continue reading Cybersecurity Breach Bankruptcy: It Does Happen →

NIST Cybersecurity Resources During the Shutdown

9th January 2019

They did what? During the government shutdown, which has now gone on for over two weeks, the clever folks at the National Institute of Standards and Technology (NIST) took down many of the resources that the cybersecurity community relies on to help protect society. The NIST Cybersecurity department has indispensable frameworks and other tools that … Continue reading NIST Cybersecurity Resources During the Shutdown →

Top Fractional CISO blogs of 2018

26th December 2018

It’s that time of year… the top lists of 2018. Here at Fractional CISO we are not immune to the phenomenon. So, we’ll shamelessly follow suit with our top blogs of 2018. #6 Actual breaking news… Typeform Data Breach: 100,000 Records and Counting We are usually a commentary site. But sometimes we get a scoop. … Continue reading Top Fractional CISO blogs of 2018 →

3 Reasons Why Cryptocurrency Won’t Become Mainstream

19th December 2018

Some say to never kick a cryptocurrency when its down. But I will. The recent Bitcoin crash has brought the question to light of the long-term viability of cryptocurrencies. Will they come back, or won’t they? I don’t know. What I do know is that cryptocurrencies have some serious structural challenges. These challenges will prevent … Continue reading 3 Reasons Why Cryptocurrency Won’t Become Mainstream →

SOC 2 Audit: How to Comply with the Tough New Changes

11th December 2018

SOC 2 Audit: How to Comply with the Tough New Changes Companies that want SOC 2 audit certification are scrambling to get in front of new requirements from the American Institute of Certified Public Accountants (AICPA). The AICPA has released additional information on what’s needed for a SOC 2 audit. SOC 2 audits finished after … Continue reading SOC 2 Audit: How to Comply with the Tough New Changes →

18 months in: What I’ve learned starting a cybersecurity company

28th November 2018

After twentyish years working for someone else, I quit my corporate job and started a cybersecurity consulting company. While it seemed risky at the time, now I can’t imagine doing anything else. When I first quit, I got questions like, “You have clients lined up, right?” and “What are you really doing?” The answers, “no” … Continue reading 18 months in: What I’ve learned starting a cybersecurity company →

Does your organization need a Password Manager?

6th November 2018

Yes, your organization needs a Password Manager! Now that we’ve answered one of the most frequently asked questions, let’s spend the rest of this blog post explaining why. How else would a person keep track of the 191 passwords an average employee needs to manage? Here are some of the possible solutions for managing the … Continue reading Does your organization need a Password Manager? →

Understanding IoT Identity

9th October 2018

What is a surefire way to mess up the security of your IoT implementation? Use the same secret for all of your devices? Allow former employees to access the devices in the system? How about leave default passwords on devices? It turns out that there are a lot of surefire ways to mess things up. … Continue reading Understanding IoT Identity →

Four steps to securing your IoT Identity from ex-employees

6th September 2018

When you see one of those cybersecurity stories about how an ex-employee “hacked” a company with terrible consequences, do you think that could never be us? Or do you think, I’m glad we don’t have anyone like that around! Many companies are exposed to the former insider risk, they fortunately haven’t been tested by a … Continue reading Four steps to securing your IoT Identity from ex-employees →

Is your website about to go dark?

1st August 2018

Encryption hasn’t always been a standard on the Internet – in earlier days, most webmasters simply used HTTP, instead of the HTTPS format. HTTP means no encryption for the website. So all the private information- names, addresses, passwords, that are collected can be “heard” by any one “listening in”. These days, many companies are moving … Continue reading Is your website about to go dark? →

Typeform Data Breach: 100,000 Records and Counting

12th July 2018

The list of customers affected by the Typeform data breach has grown in the past week. So has the number of personal records exposed. This article aims to collect all of this data in one location. What is Typeform? Typeform conducts customer surveys and quizzes for other companies using their service. The web-based platform allows … Continue reading Typeform Data Breach: 100,000 Records and Counting →

Cybersecurity Risk Assessment – A Better Way

8th June 2018

What do cybersecurity pros mean when they talk about a “high vulnerability” or “high risk?” – if you’ve ever scratched your head listening to someone present a cybersecurity risk assessment, you’re not alone. Many of us have these questions about risk: What does a high vulnerability mean to a business? How do we rank cybersecurity … Continue reading Cybersecurity Risk Assessment – A Better Way →

IoT cybersecurity standards

29th May 2018

Fractional CISO’s own Rob Black is featured in the current Security Ledger podcast discussing IoT cybersecurity standards. Rob discusses the state of IoT security standards, the challenges the industry faces and what is next for IoT security standards. Check out the podcast here. Coverage of the podcast and the upcoming Security of Things Forum here. … Continue reading IoT cybersecurity standards →

How Do You Pronounce CISO?

18th November 2017

One of my clients pronounces it SIS-so. Another one spells out C-I-S-O. That got me thinking: why do I pronounce CISO, SEE-so? But before I answer that question, what exactly is a CISO and how can it benefit your organization? What Is a CISO? A Chief Information Security Officer (CISO) is a business leader focused … Continue reading How Do You Pronounce CISO? →

Do I need a CISO? A guide for NY Financial Advisors

18th August 2017

New York State has instituted significant cybersecurity regulations. Do they apply to Registered Investment Advisors (RIA)? While the Department of Financial Services does not regulate RIAs, following their guidance can help to protect the organization. Additionally, RIAs that handle insurance or certain other securities are subject to the regulation. Appointing a Chief Information Security Officer … Continue reading Do I need a CISO? A guide for NY Financial Advisors →

NY Cybersecurity Regs: Four Things Every New York State Financial Institution MUST DO!

18th July 2017

Wondering about how to comply with New York DFS Cybersecurity regulations? You’re not alone. New York is a pioneer in instituting regulations for cybersecurity in the financial services sector. Anyone subject to the banking law, insurance law or financial services law needs to accomplish goals to show compliance. So what you have to do? Here … Continue reading NY Cybersecurity Regs: Four Things Every New York State Financial Institution MUST DO! →

Why Fractional CISO: How medium-sized businesses can improve their cybersecurity posture

28th June 2017

Many medium-sized businesses know that they are not doing enough to address cybersecurity threats. The frequent news reports of cyberattacks are unsettling. Many of them occur because of human error, not because of technology. The good guys have to be nearly perfect but the bad guys only have to find a single vulnerability. People, Process … Continue reading Why Fractional CISO: How medium-sized businesses can improve their cybersecurity posture →

What large RIAs need to do to comply with NY State DFS cybersecurity regulations in 2017

30th May 2017

The State of New York is the first state in the country to issue a regulation that specifically requires certain cybersecurity policies, procedures, controls and personnel for financial firms. This regulation affects all organizations regulated by the New York State Department of Financial Services (DFS). That includes everyone registered under the Banking Law, Insurance Law … Continue reading What large RIAs need to do to comply with NY State DFS cybersecurity regulations in 2017 →

What small RIAs need to do to comply with NY DFS cybersecurity regulations

23rd March 2017

The State of New York is the first state in the country to issue a regulation that specifically requires certain cybersecurity policies, procedures, controls and personnel for financial firms. This regulation affects all organizations regulated by the New York State Department of Financial Services (DFS). That includes everyone registered under the Banking Law, Insurance Law … Continue reading What small RIAs need to do to comply with NY DFS cybersecurity regulations →

Announcing RIA Cybersecurity Risk Worksheet

13th February 2017

Introducing the complementary RIA Cybersecurity Risk Worksheet! The RIA Cybersecurity Risk Worksheet is a great tool for Registered Investment Advisors (RIAs) to do a quick initial investigation into your firm’s cyber security practices. RIA Cybersecurity risk worksheet The risk worksheet is an eighteen question multiple choice self-evaluation of your firm’s current cybersecurity practices. After answering … Continue reading Announcing RIA Cybersecurity Risk Worksheet →

Mothers, don’t let your babies grow up to use the ‘admin’ username

31st January 2017

There are many blog posts, articles, training materials and all sorts of content admonishing people to pick good passwords. But there is not nearly the same volume of content discussing good username selection. Administrators especially should be cognizant of good usernames to reduce the risk of an attack. Here at Fractional CISO we took a … Continue reading Mothers, don’t let your babies grow up to use the ‘admin’ username →

Why a virtual CISO for your medium-sized business makes sense

9th November 2016

You know you need better security for your organization. The security consultants you hired ran a penetration test on your website but did they look comprehensively at your organization’s security posture? Did they talk with your executive management about their business goals and risk tolerance for the organization? Often in the security space there is … Continue reading Why a virtual CISO for your medium-sized business makes sense →

Password Advice – xkcd

6th October 2016

“What about ‘correct horse battery staple’ style passwords?” has been the response to our password manager post. There is a famous xkcd comic posted above suggesting that using four ‘random words’ together would make a great password. Here at Fractional CISO we have a view of the security of such passwords… eh. It is true that … Continue reading Password Advice – xkcd →

Password advice from the wicked

25th September 2016

Internet ransomers, hackers, and scammers all have password advice for you… keep your passwords simple, don’t change them and use the same ones for every site. Unfortunately many of us follow this terrible advice. Not having a good password scheme can lead to significant financial, privacy, social and career problems. Instead of following what … Continue reading Password advice from the wicked →

Business Email Compromise

19th May 2016

“Please wire $70,000 to the account below.” If your staff got these instructions from “you” via email, would they do it? Would they confirm in person with you first? What policies, procedures and systems do you have in place to prevent such an action when the “you” is not you? You may believe that this … Continue reading Business Email Compromise →

How to check if someone is really a CISSP

30th April 2016

The Certified Information Systems Security Professional (CISSP) is the most prestigious security certification. People with the certification demonstrate a comprehensive understanding of many aspects of security as well as many years of relevant experience in the security space. The test is one of the more challenging tests with a fair number of experienced security professionals … Continue reading How to check if someone is really a CISSP →

Temporary CISO

28th March 2016

A Temporary CISO is the interim appointment of a CISO at an organization for a period of transition. Often an Temporary CISO is needed during a period of crisis for instance during a security breach, because of a key departure or because the existing CISO needs to take a leave of absence for personal reasons. However, it may … Continue reading Temporary CISO →

Interim CISO

25th February 2016

An Interim CISO is the temporary appointment of a CISO at an organization for a period of transition. Often organizations need an Interim CISO during a period of crisis. The organization needs to hire the Interim CISO quickly due to a departure. Sometimes the existing CISO may need to take a leave of absence for health … Continue reading Interim CISO →

How Registered Investment Advisors can avoid the SEC’s cybersecurity wrath

7th December 2015

In the course of providing investment guidance to consumers, Registered Investment Advisors (RIAs) collect significant personal and financial information for their clients. Hackers have learned that targeting RIAs can be a fruitful source of valuable information. The Security and Exchange Commission (SEC) has turned its attention toward RIA cybersecurity, issuing strong guidance on how RIAs … Continue reading How Registered Investment Advisors can avoid the SEC’s cybersecurity wrath →

Welcome to Fractional CISO!

2nd November 2015

Fractional CISO is intended to solve the challenges that we have encountered being responsible for security at a medium-sized cloud company. Many cloud companies charters do not have security as the primary responsibility but security is one of the first questions that customers ask and one of the biggest risks to your company’s success. Many leaders … Continue reading Welcome to Fractional CISO! →