Security Leadership Without the Full-Time Price Tag for Small Teams
Michael Magyar: So what usually happens is an organization is breached. So a lot of times that's when they say, "Oh, we probably should hire a CISO." Hopefully it's not the security incident that encourages anybody listening to this to get a vCISO. So if you feel like you don't have the knowledge, that could be a great way to bring in an expert to do more of that analysis and talk that business language with the board or the executive team.
Jara Rowe: Gather around as we spill the tea on cybersecurity. We're talking about the topic in a way that everyone can understand. I'm your host Jara Rowe giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. Welcome back to The Tea on Cybersecurity. So far, on all the seasons of the podcast, we have covered a lot of information about cybersecurity, but we've not necessarily gone into positions or roles at companies that help oversee cybersecurity. But that's what we are getting to on this episode. We are talking about vCISOs. Maybe you've heard the term floating around or maybe you're thinking about hiring one for your company, or you could simply be like, "I have no idea what she just said." Either way, it's okay. You're in the right place. I have a professional virtual CISO with me today, Michael Magyar. Hi, Michael.
Michael Magyar: Hey. How are you doing today?
Jara Rowe: So go ahead and introduce yourself to our listeners.
Michael Magyar: Sure. So my name is Michael Magyar. I've been in the security industry for probably about 10 years now, and I've worn a lot of different hats, done everything from managing a security operation center to being a cloud architect and cloud engineer, especially with AWS. But I've also spent a lot of time in the governance and leadership and compliance areas. So I spent a lot of time with FedRAMP and CMMC and SOC 2 and ISO and you name it. But I've also spent a lot of time in the leadership area, working with organizations to help them to prioritize initiatives, understand their risks, understand how to fix them, and just help them to be more secure as an organization.
Jara Rowe: Fantastic. I'm happy I get to talk to you today about this topic. You're well-suited.
Michael Magyar: Awesome. It's something that I really am passionate about too, so I love being here to do that.
Jara Rowe: All right. So in a previous episode, Marie touched on what a vCISO is a little bit. But let's go ahead and start with the basics and shorten our acronym down a little bit. What actually is a CISO?
Michael Magyar: I'll be honest, I think a lot of CISOs don't know the answer to that question either, which is fun. And so, what does it mean? Let's start with what it actually stands for. So it stands for a chief information security officer, CISO. What is that in an organization? An organization a lot of times have executive leadership. We're familiar with CEOs, chief executive officer. We're familiar with COOs, chief operating officers, chief financial officers, et cetera. But then we have the more technical side of the house. So you might see a chief technology officer or a chief information officer. And so, a chief information security officer, now if we add the word security to that, their job is basically to make sure that the organization is secure a lot of times in its information technology systems. But again that's not really well-defined. That can mean a lot of different things. There are some organizations out there like the Professional Association of CISOs that's trying to put more structure around it as a profession, but one of the reasons why it's so hard to define is that every organization needs something different out of their CISO.
Jara Rowe: Yeah. So, like you just mentioned, I'm sure each company needs something a little different. So what are some of those different things or the different needs that different companies may have?
Michael Magyar: So think about a company like a Walmart or a Microsoft and what that corporate leadership and just the organization structure looks like, and then think about maybe a taco joint. And so, how those are such different in the way that they... What they do as a business and number of personnel or staff that they have. And so, those can really affect what that business needs. So I've been in engagements where we have an executive team of a CEO, a COO, and a CFO. That's the entire leadership team, it's a 20-person company, and they don't know what security even means. And so, that is going to need something very different. Maybe somebody who understands the practical side of things and can actually get their hands dirty and do a lot of hands-on activities to help identify issues and remediate them themselves. But I've also been on a lot of organizations where maybe they have a 10% executive board and maybe they have a couple thousand employees. And so, from there, instead of being hands-on, there's a lot of security personnel that are able to do that. So maybe that needs a lot more management or a lot more leadership, directional decision-making. Does this make sense for the organization? Let's think about it from a business standpoint and try to identify what this business needs rather than actually doing it ourselves. So sometimes organizations need more hands-on, sometimes they need more leadership. Even the organization, what they do. A software development company is very different than that taco stand that I mentioned. Software development may be understanding the software development lifecycle and how to basically build out security in that, more DevSecOps. That might be something that a CISO needs to be more familiar with, whereas an organization that's like a medical clinic, they're doing something very different. And so, how do we make sure we're protecting patient data and enabling service orders?
Jara Rowe: Yeah, that totally makes sense. So CISOs are able to adapt to what the company they're working for needs.
Michael Magyar: Hopefully.
Jara Rowe: Hopefully.
Michael Magyar: Yeah.
Jara Rowe: All right. So how does a vCISO differ from a traditional in- house CISO?
Michael Magyar: Yeah. And so, we use the word V for virtual. A lot of people use fractional instead, like a fractional chief information security officer. To be honest, what that really means is that it's outsourced, just to put that in simple terms. They're not a full-time employee. They're usually a consultant or some type of staff augmentation. Well, that might be a little bit of a bad thing, but one of the things that it enables companies to do is bring someone on board that has a broader perspective of the industry. I've basically spent my entire time in consulting. I did actually spend a lot of time with a few organizations for about three or four years directly focused on them. But what you notice is that when you're in an organization and you only see that organization, you get very siloed in what you focus on and your knowledge and your experiences. Whereas when you work over... I've literally worked with probably 500 organizations over the last 10 years. And so, every single one of them I've learned lessons at that I can anonymously bring to another organization and say, "Well, I've seen this work for another organization in the past." So being able to bring in somebody who has that experience can really help to provide a lot of fresh ideas or fresh perspectives that you may not have. In addition to that, you can also use a vCISO or a fractional CISO to augment the areas that maybe your existing CISO or executive team maybe aren't strong in. So if your executive team is very strong in business decision-making and compliance, but maybe the technical side is not there, a vCISO can maybe fill that gap, or vice-versa.
Jara Rowe: Okay. Now that we've covered the basics, let's go ahead and move more towards the value and use cases for a vCISO. So why might a small or medium-sized business choose a vCISO instead of hiring someone full-time?
Michael Magyar: Yeah, a CISO can be very expensive if they know what they're doing. And so, a small, medium-sized business might not have the budget for that, but they might need help with a specific issue or maybe on a smaller basis. So really cost. That's a big reason why organizations, small and medium especially, can benefit from a fractional CISO. Also flexibility. You're not sure if they're going to be able to be an asset to your organization. Hiring is tough. If you spend all this money on a CISO and then they're not really helping you that much, you can make sure that you're not setting yourself up for failure and spending a lot of money and not getting the value out of it. So you can try on a smaller level too, which is nice.
Jara Rowe: Okay, so that totally makes sense. What kinds of cybersecurity challenges do vCISOs typically help businesses solve?
Michael Magyar: That's going to depend a lot on the organization again. So organizations that are more technically focused, maybe they have a lot more of a need for somebody to solve those challenges with application development and security in that regard. Some of them are going to be more maybe service delivery focused, so that challenges might look different. But typically a CISO or a vCISO or a fractional CISO will try to start off and identify risks. That's a big part of this. Now some organizations that are bigger might actually have a whole risk management team that's separate. And so, we're going to assume that's not the case here. But most of the time a CISO is going to start with risk management. What risks do we have? What are our solutions, potential options for solving them? Then what makes the most sense for us to try to present to the board to decide we should go this direction or that direction? So a lot of that is cost-benefit analysis and what's going to have the biggest impact. After that, a lot of times we're looking at security architecture. So what is good that we have? What is not good that we have? What can we shore up and make stronger and more hardened from attack? So it really can depend a lot on what the business needs. I see a lot of compliance. A lot of times now organizations don't have the expertise in what is a SOC 2 or what is an ISO 27001? What is the CMMC that everyone's talking about? Again, that could be a whole other arm of the business that focuses on that, but a lot of times it ends up bleeding into the information security space. Also customer questionnaires. This is a big one that I see a lot. People don't realize that their customers are going to be asking them for a lot of proof that they're doing security. There's these 300-question questionnaires, and now a lot of times that language is not familiar to a CFO who's got to fill that out, or a CEO or COO. So a lot of times they can bring in a third party to help translate that and help them to answer those questions in a more strategic way, if that makes sense.
Jara Rowe: Yeah. So vCISOs can wear quite a few different hats depending on what a company would need. You were going through a few examples, but can you go ahead and share a real-world example where a vCISO made a significant difference for a business?
Michael Magyar: Yeah, I'll talk about a few examples I've had myself. Again, we do this anonymously because we care a lot about customer confidentiality and such, but there's been a lot of times where I've had a customer that their customer was giving them a lot of pressure to show security, whether it was, "What are you doing and how are you protecting our data?" and, "What controls do you have in place?" I've seen organizations struggle to answer that in the right way, and I've seen organizations not give themselves the right credit for what they're already doing. I can think of a lot of examples specifically on the customer call side where large organizations that you've heard of, their own due diligence teams are evaluating using one of my customers. And so, I'll jump on a call with them and we talk through all the different ways that we have. "Here's where your data's located. Here's where your data's not going. Here's how we control access to that data. Here's how we encrypt that data. Here's the different security protections that we put around that from a detection and response capability, et cetera, et cetera." I've had organizations tell me, "I realize I'm doing those things, but I never would've thought to mention that," and the customers a lot of times have really felt a lot more comfortable. I've specifically one time created a data flow diagram for a customer. Really simple, just, "Here's a box of where this is. Here's a box where that is. Here's a couple of lines between," and the customer said, "Wow, this is exactly what we needed. We can just move forward now and use you and not have to worry about delaying any type of business deals that we had." So I think that's a big one. I'll give one more that's more technical. I had an organization that was struggling from a business standpoint. They had some prospective customers, but they needed to satisfy some government requirements, FIPS specifically, a certain type of encryption, and there's a lot of nuances around that. So they were given advice to change everything about their technology stack in order to satisfy this encryption requirement. Well, the interesting part, I had worked a lot with this encryption requirement on a technical level. And so, I pointed out that actually all they had to do was change two settings. It was a little more complicated than that, but change a few settings in their technology and they were able to actually satisfy that requirement. So they probably avoided a yearlong delay and multiple hundreds of thousands of dollars of redevelopment when all they really just had to do is understand the requirement better. So I think there's a lot of different ways that you can see those examples of a vCISO actually having impacts, depending again on what the customer needs.
Jara Rowe: Yeah. I'm sure having you there to answer some of those questions and things was a lifesaver for them, too. So it's fantastic that you were there. All right, so let's go ahead and switch more to getting practical a little bit. So what does a typical engagement with the vCISO look like? I understand it could be different for different companies, but is it project-based? Is it ongoing? Is it both? What does that typically look like?
Michael Magyar: Yeah. I think if you're doing more project-based, it's probably more of a security architect that the customer's actually looking for. That's not wrong. You could still hire a vCISO as long as they have those capabilities. But I think most vCISO engagements are going to be ongoing. Now they usually... I've just seen this in the industry. The CISO position itself, sometimes people are in that position for 10 years-plus, but a lot of times a common timeframe is two to five years at the most. So a lot of times the vCISO is a little bit shorter than that. So a lot of times it's a yearly engagement or maybe a two-year engagement. Sometimes it's a six-month engagement, but usually it's ongoing. That's because it's hard to really give good advice to a business if you're not familiar with what their needs are and what they're doing. So while you can use a project-based approach, and that does have benefit for specific things, that's usually more of you're hiring the vCISO when you should have hired someone else, which still was fine, that's good, but a lot of times it's an ongoing thing of six months to a year, sometimes a little bit longer than that, too.
Jara Rowe: Oh yeah, that totally makes sense that it would be more ongoing than project-based. But again I understand if someone had a different need. So that makes sense as well. All right. So how does a vCISO prioritize cybersecurity efforts for companies that are just starting their cybersecurity journey?
Michael Magyar: There's a lot of different directions people can go in. I think, again, this depends on the company. So the first thing I like to do is better understand their business. I know that seems weird. We're talking about information security, and what I want to talk about is business. But at the end of the day, if the company doesn't make money, then it's not in business anymore. Then I don't have a job. So the first thing I like to think about is what helps make the company run? What are the challenges? What are the information security risks inherent in what that business does? And what are the roadblocks that could be in the way for either delivering business or acquiring new business? That doesn't take very long. That can be a couple of quick conversations. We all want to pretend that we have this unique business, but we're all very similar. And so, a lot of times in an industry, similar challenges crop up over and over, but still I want to know what the nuances are for them. Then a lot of times we'll do a risk assessment, and that can be really formalized or that can be really informal. But we want to know what type of technology the organization has. We want to know how they're protecting that technology. Let's talk about some really simple basics. Do you have MFA turned on in all these different areas? Have you ever done a vulnerability scan? Or we can get a lot more deep. Depending upon what level of maturity they have, we might start looking at more nuanced items like with AWS, maybe do we have cloud security posture management tools? What types of results are they giving us? Let's look at a few of those and see what kind of maturity we have here in our organizational controls. The first thing is understanding the business, and then it's understanding the technology and what they're currently having from a security perspective. Again, that can be done very quickly and informally for a smaller organization that doesn't have the time or patience to do a really deep assessment before making these large decisions that can cost a lot of money. But for the larger organizations, you can really create a lot of quantified approaches where we say, "Here's the reasons why we came up with these thoughts and suggestions of what we need to prioritize." So really prioritization based upon what we currently have.
Jara Rowe: Fantastic. All right. So you're covering a lot of information for us here. If I were a business owner, I could be thinking like, "Oh, wow. Michael really touched on this," like, "Do I really need a vCISO right now?" So what are some key indicators that a company might need a vCISO?
Michael Magyar: The answer is probably every company that is more than 10 people probably should be thinking about that, or at least some type of security leadership. But that's not the reality of the way that the world works. We all got to make money, so we're not always going to prioritize something that is not in our faces. So what usually happens is an organization is breached, and after their breach, they have to now address that. Either they have concerns from the customers or concerns from shareholders or regulators, et cetera. So a lot of times that's when they say, "Oh, we probably should hire a CISO," unfortunately. So that's a lot of times where people will reach out and say, "We need to start talking with you," that looks a little bit different as an engagement, trying to make sure that we shore up that existing problem, but then also avoid that exact same issue from happening again, but then a lot of times building out security program around that organization. But other things that can trigger the need for a CISO, like maybe more proactive things, maybe you have a lack of security knowledge in your team and you realize maybe you've had the same three or four technology employees for the last 10 years, 15 years, and maybe they really haven't kept up with what's changed. AI is a big buzzword now. What do we do about that? And so, now there's all these new... Technology changes so quickly that it's hard... Again, as a siloed employee in an organization, you don't see what all the other organizations are doing. So I think if you feel like you're lacking security knowledge or you have skepticism about are we doing enough, that's a good indicator that you might want to bring in an expert. Again, that could be a CISO, that could be more of an architect. A lot of times they're the same thing in this industry. But the other thing I see is board skepticism or unwillingness to get the executive leadership team to move on certain security initiatives. If, let's say, you see a problem as a security worker, as a technology worker, and you can't get the board to upgrade from maybe Windows XP still or Windows 7 and... Windows 10 is about to go out of life near the end of this year. So now we have to upgrade from that, but the board doesn't want to spend any money on that. Well, so how do we get somebody else to help convince them? And so, a third-party expert, expert I put in air quotes, my dad used to always say an expert is somebody from 50 miles away with a briefcase. Another voice that's not the same voices can have a big impact on getting security moving forward. So I think there's a lot of different things. Hopefully it's not the security incident that encourages anybody listening to this to get a vCISO or a CISO of any type. If you feel like you don't have the knowledge or if you feel like your executive leadership team is not being responsive and receptive to your suggestions and thoughts, that could be a great way to bring in an expert to do more of that analysis and talk that business language with the board or the executive team.
Jara Rowe: Yeah. I would go on the side of being a little more proactive versus reactive when it comes to this. But again, like you said, people have different priorities and things like that. So, all right, Michael, you already mentioned that you have several years of experience, so I would like to dive a little deeper into some advice that you would give a company looking for a vCISO. So if a business is considering hiring a vCISO, what should they look for in terms of experience or qualifications?
Michael Magyar: It's tough because, as I mentioned earlier, there are no certifications or professional organizations yet. Again, there are some that are in the infancy, as I mentioned, the Professional Association of CISOs and some other ones. So it's really hard. We don't have this, "Oh, you have a PhD in vCISO." That doesn't really exist. Honestly, I'd say education is useful, but also things change so rapidly that just because somebody has a master's degree or PhD... I mean it's not a bad thing, that's a plus, but that doesn't mean that should be the main driver of whether or not this is the right fit. I like to look at a few different things. Again, it depends on the goals. So an organization that's focused a lot more on software development would want to look for somebody who has a background in that or has experience working with those types of organizations. So similarity of organization type that somebody has worked with can really help. Another thing, just in general, I mean experience is good, but it's hard to know that. I would try to have a conversation with them. If you have a conversation with somebody and they can show that they, A, care about your business, because if they just come in and shove a bunch of security requirements on you, and maybe some of them are important and maybe some of them are less important, but they don't help prioritize that, they might blow that organization's budget because they weren't business-savvy. So I would talk to them and see, do they prioritize the same things that you do? You don't want to be too much in line because then you just cloned yourself. But you want to make sure that they understand the needs of your business and you want to make sure that they have the experience that matches that. Really a conversation about talking a little bit about the business, talking a little bit about the challenges you have and seeing what their thoughts are initially a lot of times can help you to realize if they're going to be a good fit or not.
Jara Rowe: Yeah, that makes sense as well. So what's one piece of advice you would give a small or medium-sized business trying to manage cybersecurity on a limited budget, which we know is fairly common?
Michael Magyar: Prioritization. It really comes back to that. There are a few ways to more specifically answer that. So we could spend a lot of time and money doing risk assessment, but if you're a small or a medium business, you don't need to spend six months and $50,000 on a risk assessment. So how can we get a lay of the land quickly and understand what we need to prioritize is probably a first goal. There are a lot of tools that can help do that. A good CISO can help to do that just by bringing their experience and having conversations with different parts of the organization. But I would also say there's scanning tools and frameworks that we can use, too. So like the NIST Cybersecurity Framework or CIS Critical Security Controls are great ways to say let's just evaluate a lot of pieces of our organization and determine what's priority. Also, Australia has a top eight, and that's a really good place to start too, because that's even a smaller list of things just to start with. Do we have MFA? Honestly, I hope everyone does at this point, but a lot of organizations still don't. So if we don't have that, maybe we start there. Not because passwords are actually bad. A long, unique, randomized password is just as good as MFA, but at the same time maybe it's prone to people being phished on it. But I think identifying what the priorities are is probably your first goal.
Jara Rowe: That makes sense. MFA, I feel like it's mentioned in every single episode. So if my listeners don't have it enabled by now, I feel like they're missing out.
Michael Magyar: Not only on your corporate systems, but also on your products. If you build a product like a SaaS application or something where the organization is hosting that, do you have MFA turned on for your customers? Do they have the ability to do that? Is it required? It should be required nowadays.
Jara Rowe: You have covered a lot of information for us around the vCISO and CISOs in general. But before we wrap the episode, is there anything else you think our listeners should know about a vCISO or a CISO in general?
Michael Magyar: Yeah, I'm going to answer this from a different perspective. I'm going to answer this from those who are in the security industry and are considering being a vCISO or just a CISO in general. I think the first thing I'd say is this is a hard, hard, hard job. I mean every job is hard and has its own challenges, but a lot of times you're looked at as being the leader for everything, like the sole source of knowledge for everything, and it could be exhausting at times when you have to be an expert in Azure and AWS and GCP and Windows Active Directory and Google Chrome, everything. It could be a lot. Security compliance frameworks and dealing with customers and all these different things. I think it's really hard and challenging, but I also think it's really rewarding. It's something that is more accessible to people than they might think. Obviously having a strong background in security is a good idea, a good place to start, because if you don't understand the subject matter, it's hard to really provide management or leadership of that. But I think it's really rewarding because you can see impact. You can see the problems and the challenges that an organization has and help them to solve that. If you focus on the business aspects of an organization, things that matter to that business, what helps them to generate revenue and retain customers and gain new ones, that can really be a big help to you in your career because then you're able to help talk the language of the business people. When you do that, the things that you see that need to happen, that really would be impactful, you can better make those occur. You can better effectuate them and push them forward because you're talking the right language. So I think it's challenging, but I think it's also really rewarding. I would just say make sure that you don't forget about the fact that a business is there to make money. And so, we try to find the balance between good security for people, customer, society, everyone else, and also the business has to survive. So how do we meet those two together? But I think it's a really rewarding career, and I enjoy doing it.
Jara Rowe: That's fantastic. I love that answer. All right, Michael. Well, I really appreciate your time and knowledge. Thanks for being on another episode of The Tea on Cybersecurity.
Michael Magyar: Yeah, thank you so much for having me.
Jara Rowe: Now that we've spilled the tea on vCISO, it's time to go over the receipts. I learned a lot from my conversation with Michael around this topic. So let's dive into these key takeaways. First up, receipt one, what is a vCISO? Michael explained it as being a virtual CISO, which a CISO stands for chief information security officer. The V simply stands for virtual. There are some organizations that also refer to this as a fractional CISO, and people in these roles are more so on the executive board and they're in leadership roles. Receipt two, so what does someone in this position even do? So they can take on several different things depending on what the company needs and what their business goals are. So they can be a technical leader. They can help with risk management. They can help with application development security, as well as compliance. So someone in this vCISO or CISO role should be able to adapt to that particular company's wants or needs, depending on what they are trying to accomplish, which leads me to receipt number three. Michael stated several times that it's important for a vCISO to know what that company that they're working with's business goals are. From there, you are able to help them navigate what makes the most sense and evaluate their security maturity levels to help make those decisions, and just to really help push the business along to make sure they have that revenue coming in. My final receipt for this episode, I asked Michael what should someone look for when searching for a vCISO? He pointed out that it would be beneficial for a company to find a vCISO that has knowledge in the industry that they have worked in. I hope you took as much information away from this episode that I did, and I will see you on the next episode of The Tea on Cybersecurity. Thank you. That's The Tea on Cybersecurity. If you like what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
DESCRIPTION
Is your business one cyberattack away from chaos? Most companies don’t think about cybersecurity until they’re in crisis mode—but by then, the damage is done.
In this episode, Jara Rowe talks with Michael Magyar, an experienced virtual Chief Information Security Officer (vCISO). They cover what a vCISO does, why more companies are choosing virtual over full-time, and how to know when it’s time to bring one in. Michael shares examples of helping businesses avoid costly mistakes, explains how vCISOs assess risk, and offers advice for small teams trying to do more with less.
Key takeaways:
- Common cybersecurity challenges vCISOs help solve
- What a typical engagement with a vCISO looks like
- Advice for SMBs with limited budgets trying to prioritize cybersecurity
Episode highlights:
(00:00) Today’s topic: Breaking down the role of a vCISO
(05:32) vCISO vs. traditional in-house CISO
(07:11) Why small businesses benefit from a vCISO
(09:53) Real examples of vCISOs making a difference
(13:52) What it’s like working with a vCISO
(16:00) Key indicators your business needs a vCISO
(20:54) How to prioritize cybersecurity on a budget
Connect with the host:
Jara Rowe’s LinkedIn - @jararowe
Connect with the guest:
Michael Magyar’s LinkedIn - @michael-magyar-cyqual
Connect with Trava:
Website - www.travasecurity.com
Blog - www.travasecurity.com/learn-with-trava/blog
LinkedIn - @travasecurity
YouTube - @travasecurity