What is a Virtual Chief Information Security Officer (vCISO)?
In the video below, Mike details the attributes of a good Virtual CISO, and also tells you the various services that they offer. He also compares this to other cybersecurity services, like MDR, XDR, etc.
Want Mike’s recommendations for your organization, specifically? Click the button below and ask him today.
About Mike

Mike Smith has been helping companies select the best telecom, WAN, security, and cloud services since 1999. He founded AeroCom in 2003, and has been the recipient of numerous business telecommunications industry awards, including being recognized as one of the top 40 business people in tech-heavy Orange County, CA. Follow Mike on YouTube, LinkedIn, Reddit and SpiceWorks.
Hey! I hope everybody’s having a great day out there. As I’m recording this video in Southern California, gosh, we just got through a bunch of big rainstorms and everything was falling apart. Now we’ve got winds, so nothing boring going on here in Southern California where I’m sitting today, but hope you guys are doing well, watching this video.
I wanted to make a video on virtual CISO, vCISO, whatever you want to call it, Virtual Chief Information Security Officer. What is that service? So, as I was going through topics that I could talk about, I just came across that one and thought, you know what? It’s obvious what it is initially, but there are a lot of details about what’s included with a vCISO. So what’s included with that? What should that entail, or what can that entail?
So, I wanted to make a quick video on that, but before I get too deep into it, quick plug. If you’d like my recommendations on the best vendors to quote for a virtual CISO service, go ahead and reach out and contact me. Send me an email, give me a call (714.593.0011). What I’ll do is I’ll ask you a few questions about your company’s requirements. Based on your answers, I’ll tell you which virtual CISO vendors your company should be quoting and why, and I’ll actually pair you up with them and oversee the quoting process. Make sure you get the best pricing and everything, and it’s absolutely free of charge to you. So no reason not to reach out to me. More information on that at the end of the video. And please, as always, don’t forget to hit the button and subscribe to the channel. That really helps me out. We’re just over 900 subscribers at this point in time, and I’d love to get over 1,000. That’d be a lot of fun. So really appreciate it. That’d be a big favor to me. Okay.
What are the attributes of a good vCISO?
So a Virtual Chief Information Security Officer. So your company is obviously in the market for something like this. So you’re looking around going, “Hey, with this cybersecurity thing, there’s a lot going on.” Every company needs to do more and more in terms of protection, but the problem is that they don’t really know where to start, or they don’t know… There are so many different things they could do out there. They just need some direction. And a virtual CISO is a great avenue for that. But what’s included with that? So if you go look for a virtual CISO, what does that mean, really? What are they going to bring to the table specifically, compared to all the other cybersecurity services that you could be purchasing out there?
So whether it’s MDR or XDR or endpoint management, or cybersecurity as a service, or all these different types of things you could be purchasing as a business, why should you purchase a virtual CISO as opposed to all those other things? What’s included with that?
Certifications and Credentials
Well, the first thing that’s included with that is credentials. All right. So when somebody is becoming an expert in the field of cybersecurity, they have to go out and get certified. You don’t have to, but that’s definitely a mark that shows that you’ve gone through the steps, you’ve gone through the classes, you’re certified. So those certifications aren’t cheap to attain. They’re very lengthy in time. It takes a lot of education, a lot of time, a lot of money to achieve, especially the higher certifications in cybersecurity. So that’s first: you’re purchasing someone who’s gone through the time and money to educate themselves.
Which brings me to the second point: you’re getting an education with somebody. When you’re hiring a virtual CISO, you’re getting somebody who not only has the certifications, but has educated themselves on cybersecurity, has gone through all the classes, has learned everything. I mean, that just takes, again, a lot of time and a lot of money.
Experience & Wisdom
The third thing that you’re getting is experience. So we all know you could have all the credentials in the world and all the education in the world, but what about practical experience? Well, the cool thing is, when you are hiring a virtual CISO, what you should be looking for is experience in the field. How many companies have they worked with? How many companies do they work with? How many years of experience do they have as a virtual CISO? How many companies have they helped over the years?
So if you get somebody who’s one year into it, that’s not saying a whole lot, but if you get somebody who’s been doing this for 10 years, hey, that’s starting to make a difference, and that’s somebody that’s going to be very hard for your company to hire on its own. So hiring someone with 10 years of virtual CISO experience is going to be really expensive. And then it’s going to be hard to find the right person. And on top of that, it’s going to be very hard to keep that person, and you’ll constantly be hiring a new person for that role. So getting somebody with experience is going to help you out a lot, and it’s not easy to find. So it’s a lot easier to just hire that out from a third party. And the last thing that you’re getting is somebody who’s attending ongoing training.

Ongoing Training
So not only have they been trained in the past, they’re attending ongoing training throughout, training that you are not having to schedule, you are not having to pay for, you are not having to search for and find, because as we all know, cybersecurity is changing every single day. So you really need that person to not only be experienced and educated and certified, you need them to continue to educate themselves as it changes every single day. So you’re getting that, hopefully, with a virtual CISO. Okay.
What Services do vCISOs offer?
So what specific services can a virtual CISO do for your company? Okay.
Compliance Management
The first thing that comes up a lot is compliance consulting. So if your company has to be compliant in certain areas, like HIPAA or PCI, or any of the other types of certifications that your company has to uphold, a virtual CISO can help your company maintain its compliance in those areas.
Another service that a virtual CISO can provide your company is helping you determine which framework your organization should be using for your cybersecurity. So what roadmap should you be following? Should you be looking at NIST? Should you be looking at CIS? There are so many different frameworks out there. Where do you start, and which one should you be using and why? Well, someone who’s very experienced and educated in this field can come in and give you some great advice in that territory. So that’s a great start. All right.
So moving from the framework, the next step is obviously creating a cybersecurity posture, which is like your company’s cybersecurity strategy overall. So taking that framework and saying, “Okay. From this framework, here’s the most important things, and here’s our overall strategy for cybersecurity. This is our posture.” So that’s something else that they can help you determine. So playing off that framework there.
Cybersecurity Insurance
Another service that they can perform for you is helping your company obtain cybersecurity insurance. They can, number one, tell you, “Hey, should your company seek and purchase cybersecurity insurance?” And if you should, they can help you go and get the cybersecurity insurance, and make sure you’re in compliance so that if there is a breach or there is an incident, the cybersecurity insurance will actually cover it. Because a lot of times your company may go out and get cybersecurity insurance, but if you don’t have somebody really helping you translate that policy and understand what that policy is saying, then if there is a breach, you might not be in compliance with the policy. So you might still have to pay out of pocket, and it may go completely to waste. So that’s something else that a virtual CISO can help you with.
Policies and Procedures
Okay. Well, what about incident response? What about policy and procedures? What about pen testing? Should you be doing it? How often should you be doing it? These are all also things that a virtual CISO can help you with. They can help you create those policies and procedures. They have templates that they’ve already used with other companies that they can help you just plug and play. Okay. These are the policies. These are the procedures that you should be communicating to your employees. Here’s how to communicate them in the most effective manner. Here’s how to do the test. Here’s how to test it regularly. If there is an incident, here’s what you’re going to do. Here’s how to respond. Those are all things that a vCISO can help you with.
Roadmap of Future Projects
And the last thing on my list, as far as what a Virtual Chief Information Security Officer can help your company do, is create a roadmap moving forward. So when you first decide on that framework and you first start looking at your current state of affairs in terms of your company’s cybersecurity, you’re going to find a lot of gaps. Everyone has all these gaps, where there are so many different things that you can do. Well, which projects do you tackle first? And then which project is for next year, and the year after, and the year after that?
Because we all know that your company can probably only do maybe two major cybersecurity projects per year at most. Well, which projects are going to be the most important, and then which should be on the roadmap for the future years? That’s really hard to determine if you don’t have the experience, if you don’t have the education, if you don’t have the credentials. So that’s something a virtual CISO can help your company with: not only deciding this year’s projects, but next year’s projects, and creating a roadmap for your company for the next five years out in terms of the best cybersecurity projects for your company that you should be working on, in addition to just the day-to-day stuff.
Reach out with a Thank You!
So I hope that helped a little bit in terms of defining a virtual CISO, and I hope that gives you some clarification. If you’d like my recommendation on the best companies to quote for virtual CISO services, just reach out, give me a call (714.593.0011), shoot me an email. I’m happy to help. What I’ll do is I’ll ask you a few questions about your company’s requirements. Based on your company’s answers to those questions, I’ll know exactly which vendors your company should be quoting, and I’ll introduce you to the right people within those companies. And I’ll also oversee the quoting process to make sure you get the best pricing from each vendor.
And the nice thing is, if you end up choosing and purchasing from one of the vendors that I recommended, that vendor pays me my broker fee. So you don’t ever have to pay me for my services. So there’s no reason you shouldn’t at least reach out and get my opinion, as opposed to going on the internet. There are a thousand different vendors you could choose from. You’re probably going to end up with the wrong one if you don’t talk to someone who knows what they’re doing. So feel free to reach out, contact me. I love talking about this stuff. I’m happy to help. I do this all day every day. You’re not wasting my time. Just give me a call. And then again, if you like the video, please do me a big favor, hit the like button and subscribe to the channel. Have a great day.