
Cybersecurity Leadership: The Role of a Virtual Chief Information Security Officer

April 24

In today's increasingly digital world, cybersecurity has become a top priority for organizations of all sizes. However, many organizations struggle to develop and implement a comprehensive cybersecurity strategy that protects their information assets from potential cyber threats. This is where a Virtual Chief Information Security Officer (vCISO) can help. 


Will Slappey: Hello, and thank you for listening to Technology Simplified: Tech Talk Everyone Can Understand. I am your host, Will Slappey, and today I'm joined by Tucker Green of Vala Secure. Tucker serves as the Director of Virtual Advisory Services at Vala Secure, an incredibly talented group of cybersecurity and compliance experts.

Tucker is an Air Force veteran, including security operations associated with Air Force One. After reentering the civilian world, he contracted for the FBI as a senior cyber threat hunter, helping to protect some of the United States' most prominent companies. We're so excited to have him as a guest today and to bring his wealth of knowledge and experience to our listeners.

So, Tucker, to get us started here, for our listeners who do not know, what does a Virtual Chief Information Security Officer, also known as a vCISO, do?

Tucker Green: Yeah, so some people call it VISO. Some people call it a CSO. But basically, the vCISO is like the head honcho of your company's cybersecurity, making sure that everything's running smoothly and that your data is safe and secure.

We work closely with your IT department to develop strategies and implement best practices to keep your company's sensitive information protected from potential threats.  

Will Slappey: And so, like, you know, a lot of people out there listening are probably familiar with a CIO, right? Um, and so instead of a CIO, this is a CISO.

So, I know there's kind of some overlap, so what's kind of the difference if somebody's like, well, you know, we've already got a CIO. Um, do we need a CISO too? Also, what's kind of the difference between a classic CIO and a CISO?

Tucker Green: So mainly the difference between a CIO and a CISO is the S, right?

So we're more focused on security and the procedures and documents that you would need to develop your security program.

Will Slappey: Gotcha. Right. Yeah. There's a particular focus on the security aspect, and a lot of times the CISOs work hand in hand with the CIOs as well. So when a business chooses to hire a vCISO, do they do that more as, like, a preventative measure, or is it that they just got ransomed or had some other sort of breach?

What's the driver for why a business would say, "Hey, you know, we need a vCISO's services"?

Tucker Green: By hiring a vCISO, businesses can ensure that they have the necessary expertise to develop and implement a cybersecurity strategy that aligns with their business objectives and can also meet the industry standards that they have to meet. So, the proactive approach can help mitigate that risk of a data breach or a cyber-attack, which, you know, can be incredibly costly in terms of both financial and reputational damage. Um, of course, some businesses may choose to hire a vCISO in response to a breach or an incident.

But the trend and the best approach is towards proactive measures to prevent such incidents from happening in the first place.  

Will Slappey: Right, right. Yeah. And I'm glad that you brought up the point about compliance, right? So, I know some off the top of my head, but you probably know more of them than I do. What are some of those industries, or types of business, that would have a vCISO help with their compliance?

Tucker Green: Yes. So healthcare, finance, government, or any industry that needs regulatory compliance, we can help with that.

Will Slappey: Got it. And not only are there compliance requirements already in place for many of those industries, as you noted, but there's a lot more coming. Anybody who watches what Congress is doing knows there's a lot of talk, you know, about more compliance being required as we see cybersecurity incidents increase. Um, so if you have some sort of incident, and maybe just so everybody knows, when we talk about an incident, what does that mean?

Tucker Green: Yep. So incidents, in terms of a vCISO anyway, we don't typically respond to those incidents, but what we do is we work with your IT and security team, if you have one, to investigate the incident and the cause of a breach, so we can develop your remediation plans and provide guidance and support to the organization's leadership team.

We talk to your legal team and make sure that they're doing everything they need to do there.

Will Slappey: So, what are some examples of what we'd be talking about when, you know, like, what is an incident?

Tucker Green: So let's say a phishing attempt, for example. Some bad actor sends your whole organization this phishing email, which is basically them just trying to get information out of your company. Um, you click a bad link in an email, it takes you to a bad website, and you type in your Microsoft login information, and then that threat actor has that and can use it to log in to, you know, your company's SharePoint or whatever they're trying to gain access to.

Will Slappey: So, an incident basically is any sort of breach, I guess, however that breach occurs. So, if there is an incident, or we could say a breach, what role does the vCISO play in helping with that incident response?

Tucker Green: Yeah, so going back a little bit to what I said earlier, we develop the plans for the incident response. We develop your remediation plan and provide guidance on how to get through this incident, because a lot of companies have never been through an incident before, so they really need someone to hold their hand through the whole process, and that's where we come in.

Will Slappey: So it sounds like, from what you said earlier, there are kind of two different options, right? If you have a vCISO as a proactive measure, you have the plans already in place, you have the policies in place, hopefully ones that prevent an incident from occurring. But even if an incident does occur, then you have a plan sitting on the shelf that you're ready to grab and execute on.

Whereas it sounds like maybe the other half of people are bringing in a vCISO, um, after they've had a breach, and now they're kind of behind the eight ball trying to figure out how they're going to respond to this, and they're really not prepared. Would that be a fair assessment?

Tucker Green: Uh, yeah, exactly. And, you know, they may bring us in, like, post-response, right. So, they have the breach, they see "we didn't have any plans in place," and now they need somebody to get that in place so that the next breach isn't as bad, because it's not an if it's going to happen, it's a when.

Will Slappey: So, in terms of long-term planning, a lot of people listening out there may be in various executive roles and working on their long-term planning. How does a vCISO assist with and work with the executive team in terms of long-term planning?

Tucker Green: A vCISO helps with long-term planning by developing a cybersecurity strategy that aligns with your organization's objectives. This includes identifying current vulnerabilities, implementing new technologies as a preventative measure, updating old policies, conducting regular assessments, providing training to your employees, and helping your company stay up to date with emerging threats. We ensure a sustainable and effective cybersecurity program that can adapt to pretty much any cyber threat landscape.

Will Slappey: So, on long-term planning, I mean, obviously, speaking of all the technological changes that you talked about there, one that comes to mind for me is that a lot of people are talking about remote work. Is that something that a vCISO would assist with in terms of that planning? And at what stage in that process? You know, if a business owner is out there thinking, okay, hey, you know, I'm thinking about having more people work remotely, you know, how does the vCISO assist in that conversation?

Tucker Green: Yep. More and more companies are going remote as opposed to coming into the office. We can help ensure that all the vendors that you're using for this new technology are legitimate and are doing their due diligence to keep your conversations and your data safe. And, you know, we make sure that the VPN that you're using to access customer data or to access company data is also secure.

Will Slappey: So, before you just jump into fully remote, or partially remote, or whatever that is, you need to make sure that the technology, from a security perspective, is ready to support that.

So, one of the things we haven't hit on a whole lot, but it is kind of in the name, right? So, a company could have a CISO, which would be a Chief Information Security Officer. Or they could have a vCISO, which is simply a Virtual Chief Information Security Officer. And the difference is that the vCISO is fractional, right?

Instead of hiring a full-time CISO, which could be really expensive, you're able to hire somebody on a fractional basis who can provide those services. If you're a large multinational company, you probably have somebody in-house, but the vast majority of companies out there are not big enough to have somebody like that on staff. So, I guess the question comes into play: if there's an executive out there thinking, I need somebody in that CISO role, when does it make sense to hire that CISO, and when does it make sense to have that outsourced via some sort of vCISO type of plan?

Tucker Green: Yeah, so there are three main reasons why one of our clients would choose to outsource their cybersecurity to a vCISO rather than hiring an in-house team. Firstly, outsourcing to a vCISO is more cost effective, like you said earlier, way more cost effective than hiring a full-time in-house security team, especially for smaller organizations.

It allows them to access the necessary expertise without incurring the cost of hiring, training, and maintaining that dedicated security team.

Will Slappey: I'm glad that you noted "team" there, too, right? Because, you know, it's not just about hiring a CISO, right? Because even if you hire a CISO, they're going to need other people supporting them as well.

You're really getting a fractional vCISO team, not just a fractional CISO.

Tucker Green: Exactly. Yeah. And with that comes a broader range of expertise and experience. A vCISO and our team typically have experience working with a variety of organizations, which means we have a deep understanding of the latest threats and vulnerabilities in multiple industries, and not just, uh, maybe the one that you're working in, but maybe your clients' industries or industries that you partner with.

Will Slappey: Yeah. It kind of reminds me a lot of legal services, to a certain extent, in that at some point you might get big enough to have in-house counsel. Um, but even when you have in-house counsel, you usually continue to have outside legal experts that you work with, right. It sounds very similar to what people might do in the security world, because there is so much to see, and it's almost impossible for any one person to know it all.

And so, having a team of people that can be looking at something sounds like a much better way for it to go than trying to do it all as an individual.

So, you know, some of the businesses out there might not have as big an understanding of the need that they have. So, they might say something like, you know, we're not regulated. You know, do we really need this? You know, we make clothes hangers or something like that. Why would we need this? Hey, we're just a small company, you know, we've only got 30 employees. Why would anybody want to target us, you know? What would you say to a business that were to say something along those lines to you?

Tucker Green: Yeah. In today's day and age, everything's online, and all businesses are at risk of cyber-attacks, regardless of your size, regardless of your regulatory status. Small businesses are often targeted, as they may have fewer resources and less sophisticated security measures in place. Cyberattacks can lead to more significant financial loss and reputational damage than people realize. Real-life examples of small businesses being targeted exist. As more businesses move online, the risk of cyber-attacks will just continue to grow. And all businesses should take their cybersecurity seriously and consider a vCISO service to protect their data and assets. Just like they would have a physical security team to keep somebody from breaking into their building, they also need cybersecurity to keep people from breaking into their databases.

Will Slappey: Right. Yeah, I think you brought up a really good point there, which is that, hey, yeah, maybe what you have is not worth as much as a big, you know, Fortune 500 company in terms of the payout that they could get, but you might be an easier target. Um, you don't have as much security in place, you know, so I think it's like any crime out there. There are people who are trying to steal a hundred million dollars, and there are people who are trying to steal a thousand dollars. And different criminals attack, you know, different areas and different size targets based upon their level of sophistication. So, it would be foolish to think that you wouldn't get attacked. I did hear something the other day that I thought was a really good point.

The customer says, I don't have anything that anybody would want to steal. There's nothing that I have of value. You know, if you were to get my data, you wouldn't be able to do anything. And the person telling the story said what they asked the customer was, well, does that data have value to you?

And would you be willing to pay to get that data back if somebody stole it? And the answer, of course, was yes. And so, you know, sometimes they're like, I mean, hey, you want my data? You can have it. But when they come in with something like ransomware and encrypt it so you can't get access to your data, would you be willing to pay to get it back?

And so I thought that was kind of a good answer, you know, to that.

Any final thoughts, Tucker, for our listeners out there who, you know, are thinking about a vCISO and trying to understand it? Any final thoughts that you would share with them about your industry and what's going on?

Tucker Green: Cyber threats are growing every day. There's more and more coming as we go more and more online. So, if you don't have a good security posture, or maybe you don't even know if your company has a security posture, period, you know, maybe talking to a vCISO or someone similar would probably be a good idea.

Will Slappey: Yeah, yeah, for sure. For sure. Um, alright, well, hey, that concludes our time here today on Technology Simplified. Thank you, everyone out there, for listening. And thanks to you, Tucker Green, for coming on board here with us and telling us about all that you do there at Vala Secure, and for sharing your expertise as a Virtual Chief Information Security Officer.

Make sure to follow Technology Simplified to help keep your business technology running efficiently, securely, and productively. Have a great week everyone.