Operating a small or medium sized business is hard enough without the burden of dealing with cyber security.  As it turns out, the majority of small and medium sized business (SMB) leaders don’t believe that they have much to fear from cyber threats.  A survey by Switchfast Technologies reported that 51% of SMB leaders are not concerned that their organization is a target for criminal hackers.  However, the reality is much different.  Symantec has reported that 43% of all phishing attacks target small and medium sized organizations.  The Ponemon Institute in their 2018 State of Cybersecurity in Small and Medium Size Businesses study reported that 67% of SMBs experienced a cyber attack in 2018.  That same study stated that nearly half of the survey respondents do not have the knowledge required to mitigate cyber risks.

In this environment, Greg Schaffer decided that he needed to do something.  In 2017, he founded vCISO Services, LLC, a small company dedicated to providing SMBs with information security expertise otherwise accessible only to large enterprises, and he serves as its Principal.  Schaffer has been involved in IT for thirty years and Information Security most of that time. A watershed moment for him was in 1999 when he was tasked with dealing with the performance and security issues brought on by the use of Napster by students at Middle Tennessee State University, where he was the Campus Network Manager.  He worked his way up to being the Assistant Vice President for Network and Information Technology Security at the University, and has also been the Chief Information Security Officer (CISO) for the Metropolitan Government of Nashville and Davidson County and for FirstBank, also headquartered in Nashville.

I Felt a Calling
“I felt a calling that I could do more with my talents” is how Schaffer explained why he started vCISO Services.  “I never planned to do this. The more I thought about it, it occurred to me that small and mid-sized businesses don’t have access to the knowledge that experienced CISOs can bring to the table.”  He also noted that SMBs can’t pay the salaries that experienced CISOs command in today’s market.  The concept is that a virtual CISO can provide the expertise they require without the expense of having a full-time CISO on staff.  Businesses can benefit from the advice provided by an experienced CISO at an affordable cost.  All of the dozen or so virtual CISO consultants that Schaffer can call on have worked as full-time CISOs.  He demands only one other element from his partners – Passion.  “Ultimately, their main goal has to be service first and foremost.”   

Schaffer is focused on small businesses because he sees this segment as being “our biggest vulnerability worldwide.”  Large enterprises have the resources to combat threats, but SMB owners and operators need to know if they are secure within their risk tolerance and, if not, what actions they can take to remediate problem areas.  This is a tall order because, as reported by UPS Capital, up to 90% of small businesses do not have the processes or technology required to protect customer and company data.

Risk Management
The key to a successful virtual CISO engagement is that the experienced CISOs must believe in guiding the client to improve their overall security posture.  They truly want to help the client become as secure as they possibly can be.  Schaffer explained that a CISO is not an IT Security Manager but a business risk leader who is concerned with risk management and not exclusively focused on tactical efforts such as vulnerability management or penetration testing results.  The virtual CISO acts as a business advisor who helps companies understand their risks and explains to them, in business terms, what can be done to reduce those risks.  Each engagement is different, with the virtual CISO providing a certain level of service per month, based on the needs of the company.

Schaffer said that his greatest challenge when it comes to conveying risk management information to business leaders is that the tools used to evaluate and communicate true risk exposure are not up to the job.  “We produce heat maps, these red, yellow, and green charts to illustrate high, medium, and low risk, but they’re based on very little quantifiable information.”  Those heat maps are based on experience and knowledge, but there need to be more data-based risk assessments, and Schaffer and his vCISO cohorts are trying to advance this notion.

Handling risk assessments is just one of the areas he helps firms with.  In addition to general virtual CISO services, offerings performed by the off-site CISOs include:

  • Building and managing robust information security program policies and processes,
  • Conducting qualitative risk assessments that identify and prioritize information security risks and provide a cost range of risk exposure,
  • Supporting SOC2 and other audits,
  • Conducting GDPR readiness assessments,
  • Performing maturity analysis based on ISO 27001, NIST 800-53, and other frameworks,
  • Leading security steering committee meetings and reporting to the Board of Directors,
  • Facilitating Business Continuity table-top exercises, and
  • Managing an organization’s information security awareness program, including conducting and managing online training.

The toughest part of being a virtual CISO, Schaffer explained, is “it is difficult to gain the institutional knowledge to fully understand the inner workings of the business.”  He added that “when you’re working as a virtual CISO, you have to develop a methodology to really understand the business as best as possible in a short period of time.”  vCISO Services attempts to mitigate this by encouraging active communications between the virtual CISO and the clients, which can include management but also some IT staff and other subject matter experts, depending on how the client wants to administer the relationship.  Additionally, best efforts are made to match consultants’ backgrounds with the needs of the customer organization.  Another advantage of using a virtual CISO is that the business benefits from interacting with experts from a variety of backgrounds, while having access to multiple virtual CISOs.

The genesis of many of the virtual CISO engagements is related to compliance needs.  Schaffer states that many SMB executives realize that they need to become compliant with a particular standard or regulation, such as PCI/DSS or HIPAA or the information security standards set by the Federal Financial Institutions Examination Council (FFIEC).  The small companies do not have staff who can work with auditors to translate between what they are doing and what they need to do.  That is where the virtual CISO can add value, by both reaching compliance and advancing the information security program.

Schaffer believes that “privacy is going to become much more imperative, especially here in the United States.”  The General Data Protection Regulation (GDPR) aims to protect European Union citizens regarding their personal data.  The movement towards more restrictive data protection regulations is growing in the United States with a number of states, including California, expanding their privacy protection laws.

Peace of Mind
Schaffer reiterates that people engage virtual CISOs because they realize that their information program is not where it needs to be.  Executives at SMBs, like executives of organizations of all sizes, want to get better at protecting data and avoiding a disastrous data breach.  They want the “peace of mind” that can come from understanding that you have a handle on the issue.

By working with their clients, Schaffer and all the virtual CISOs conduct “gap assessments, do audits, and help them understand it all and then coming out of that is a realization that we need to integrate this more with how we do business, both internally and externally with customers, partners, and vendors.”