Sabrina Serafin sits down again with Skeet Spillane of Pillar Technology Partners to discuss the VCISO, an information security officer who can provide everything your business needs and nothing it doesn’t.
Culture of Compliance is available on iTunes, Google Play Music and Spotify.
The Virtual CISO: An Emerging Trend in Small Business Data Security Transcript
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina: Welcome to Frazier & Deeter’s Culture of Compliance podcast series. I’m Sabrina Serafin, Partner and National Practice Leader of Frazier & Deeter’s Process, Risk & Governance practice. Today, we’re talking about an emerging trend: the Virtual Chief Information Security Officer or the VCISO. Our guest today is Skeet Spillane of Pillar Technologies.
Skeet: Thank you for having me.
Sabrina: First, can you give us a bit of a background about the role of a Virtual CISO? What are the factors that drove the need for this role in the marketplace?
Skeet: Well, as everyone knows, today there are a lot of information security challenges for organizations of all sizes. Large organizations have been able to create information structures that allow them to hire a Chief Information Security Officer who has the breadth of expertise to help them across a wide variety of these threats that are facing their organizations.
Smaller organizations don’t have this luxury due to the expenses involved. They have to deal with the costs associated with it, the headcount allocations. This is a challenge because the organizations still face the same threats that the larger organizations have to address, but they have to do so with a much smaller team.
Also, smaller organizations are viewed a lot of the time by bad actors as a softer attack vector, somewhere they can establish a foothold and potentially get to some of these information assets, whether they’re personally identifiable information (PII), personal health information (PHI), financial information, strategic intellectual property, etc. These smaller organizations, while they’re handling this, don’t necessarily have all of the controls, protections and capabilities in place, because they don’t necessarily have the guidance necessary.
Sabrina: That’s a great point, Skeet. Can you give our listeners an example?
Skeet: In today’s world, an attacker looks at a third-party supplier of an upstream target and uses the softness in the smaller organization’s security posture to establish a foothold and leverage that weakness into an attack vector to their partner upstream. This has played out in numerous examples in the media, from large retailers to the hospitality industry to even our federal critical infrastructure, which is under attack. We’re seeing nation-state actors attacking smaller vendors to try to get to our critical infrastructure.
Sabrina: So how does it work to have a VCISO in place?
Skeet: A VCISO is giving you the depth of expertise in the information security world at a fraction of the time. What will typically happen is you’re able to engage a Virtual CISO for one to three days per week, or even less in some situations, to be able to provide you that guidance that you need as an organization to achieve your security goals and give you the breadth of expertise across a wide domain of security topics, not just technical expertise but also regulatory interpretation, process and also policy and governance.
So, what will typically happen when we engage with a client is we will come in, establish an upfront program where we will look at the organization, and determine the best framework for them to institute, whether it’s the NIST CSF or ISO 27000, etc. We establish a program that will really give them a common lexicon, an understanding of the language of security. Everyone has the same understanding of the security topics in play, what the standard should be for implementing that, and then how the tools need to be configured in order to achieve that.
We take what we call our “Protect First and Comply” approach to the implementation. One of the first things we do after establishing the program structure is, we look at what assets are under protection. What are the critical assets that the organization protects that make that organization unique? It could be anything from intellectual property to patient information to financial data to personally identifiable information. These are things that an attacker would view as valuable and marketable out on the dark web and other locations where they’re going to actually make a profit off of the attack. We’re going to put in strategies, both technical and procedural, to ensure that the assets have appropriate defense-in-depth strategies in place and have the right technologies configured appropriately to protect those assets.
What we have found is that once we implement those defense-in-depth strategies and that protect-first approach, in many cases they are actually very close to compliance with whatever regulatory requirements they may have for their industry. Once we have those pieces in place and we’ve established that initial program, typically the Virtual CISO steps down to more of an advisory role. We provide guidance around strategic direction, interpretation of new legislation and then also assist in any type of incident response requirements. They may need expertise and guidance on when to engage law enforcement, how to ensure that they’re meeting the notification requirements of any federal or state organization, and how to remediate the threat appropriately as quickly as possible to minimize damage.
Sabrina: So if financial resources are not the constraint, but an organization is trying to apply their spending accordingly, what are some of the advantages and disadvantages versus a traditional approach to hiring a CISO?
Skeet: So, the biggest advantage is the depth of expertise in a part time role. In many cases, an organization may not necessarily need the executive presence of a chief information security officer on a full time basis. They do need the guidance, and they need the quality assurance to make sure that the program is being implemented appropriately. But after a certain point, they don’t necessarily have enough work in that space to keep that CISO busy in a full time capacity. So, therefore, they get allocated into other programs, projects, and it dilutes the focus of the security program into a lot of other avenues of the organization.
By having a Virtual CISO, they have one role, and that is to ensure that the organization’s information security program is established appropriately and is operating to the best of its capability to reduce risk for the organization.
Sabrina: Well, thank you, Skeet Spillane, for being with us today and for sharing your insights about this creative approach to dealing with the critical role of the CISO.
Skeet: Thank you for having me.
Sabrina: For our audience, thank you for listening to Frazier & Deeter’s Culture of Compliance podcast. Please join us for our next episode as we continue to discuss transforming various compliance requirements into investments into your business.