Can You Be a vCISO If You’ve Never Been a CISO?


Why are there so many vCISOs who have never been a CISO? Isn’t it difficult to advise on a role you’ve never done? Do organizations feel comfortable hiring an inexperienced vCISO as their CISO?

Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Steve Tran, CSO, DNC.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, runZero

runZero is the cyber asset management solution that helps you find and identify every managed and unmanaged asset connected to your network and in the cloud. Get the data and context needed to effectively manage and secure your environment. Try runZero for free at runzero.com.

Full transcript

[David Spark] Why are there so many vCISOs who have never been a CISO? Isn’t it difficult to advise on a role you’ve never done? And do organizations feel comfortable hiring an inexperienced vCISO?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode is Geoff Belknap. You know him also as the CISO over at LinkedIn. Geoff, grace people with the sound of your voice.

[Geoff Belknap] David, this is what my voice sounds like. Let’s get into it.

[David Spark] Let’s do that. But first, let me mention our sponsor. Our sponsor for today’s episode is runZero, the asset inventory and network visibility solution. More about exactly that a little bit later in the show. Our topic for today – on LinkedIn, Michael Meis, who is the associate CISO of the University of Kansas Health System, asked the very question I posed in the tease for today’s episode. Why are there so many vCISOs who have never been a CISO? It was an honest question, and it was not meant to be derogatory. And as from the tons of commentary that was the response to his post, the answer is it all depends, and there are a lot of needs companies have of different shapes and sizes. So, this really didn’t play the way I think Michael thought it would because a lot of people said, “Look, it comes in many flavors here. Lots of flavors.” Geoff?

[Geoff Belknap] I think Michael’s question was really exactly why are there so many vCISOs more than just why is their background not what you’d expect a CISO to be. But you know what, I think this all comes down to there is a lot of demand for security maturity and help maturing security programs. There are a lot of companies that are not large, well-funded organizations or companies that need guidance and leadership for those things. And vCISOs often fill that gap. Now, I think what’ll be really interesting to chat about with our guest is what kind of background should you expect from a vCISO. I think more importantly, what kind of work and what kind of input and impact should you expect from a vCISO versus a full time CISO.

[David Spark] Excellent point. And joining us for this very conversation is someone I did a live recording with in Santa Monica just in September of this year. It is one and only, Steve Tran, who is the CSO for the DNC or Democratic National Committee. Steve, thank you so much for joining us.

[Steve Tran] Thanks. Great to be here.

Why is this relevant?

2:45.518

[David Spark] Justin P. of Rapid7 said, “This is kind of like saying, ‘Why are there so many CISOs who have never been a CISO before?’ You got to start somewhere.” And Michael Meis, who replied to that comment, said, “Well, is it though? It’s one thing to get hired/promoted into a new role and then grow into it. That’s everyone. It’s another to be hired into a role to advise one or more organizations simultaneously on how to do a role you’ve never done.” And lastly, Brandon Rizzo of Amazon noted, “It’s a self-designated title in most instances.” So, Geoff, Brandon I think mentions this pretty clearly – most vCISOs are the ones who call themselves a vCISO. I don’t think anyone gives someone a designation as vCISO, do they?

[Geoff Belknap] Yeah, that’s not a designation that you’re granted. I don’t know if there’s a vCISO certification. But I also think there’s an interesting interconnection here. I think Justin is exactly right – you got to start some place. And I think the point that Michael is trying to make but I think he’s kind of missing here is what does a vCISO really do. When you hire a vCISO, most organizations are saying, “We need some improvement in the security area.” But they’re not saying, “We haven’t been able to find a full time CISO, so we’re going to hire a virtual CISO until we can hire them.” It’s rarely an interim role. Usually what it is is we’re a small organization. We have one, or two, or a small handful of technical folk, and we need somebody to just give us a little advice about what to prioritize, where should we start, what vendor decision should we make. Those are the kinds of things that I see vCISOs getting involved in. I rarely see them getting plugged in as a fractional full time CISO replacement. So, I think there is truth on both sides of these things, but it really just comes down to what are you expecting from this person.

[David Spark] That’s a good point. That, I think, is the better comment than, “It depends.” Steve, your take on this in that just sort of opening of the why do so many vCISOs have that title if they’ve never actually technically been a CISO?

[Steve Tran] One of my favorite quotes I’ve heard before is, “You’re a first time something at some point.” Every CEO is a first time CEO. Every CFO, CISO is a first time CISO at some point in their career. So, I look at it the same way. If they haven’t done it before, this is their first foray into it just like how many of us… I was a first time CISO at some point in my career. So, to me, I agree with what Geoff is saying is it really depends on the need. You’re not going to be a fit everywhere, so it really depends on the situation.

[David Spark] Yeah, and we’re going to get more into that in the later segments here because you see that this is an interesting onion that peels in very, very different ways depending on the organization you’re filling, the size, and also the argument that the vCISO sees more than a regular CISO. It’s very possible these vCISO roles can be far more beneficial for a company than someone who’s been a CISO at maybe one company for ten years and would not have the perspective of whatever the said company needs that vCISO. Geoff?

[Geoff Belknap] Yeah. Boy, I say this a lot to folks, especially for as fast as the information security space grows, and changes, and morphs. It is very helpful and I feel very lucky that in my career I’ve been able to have security roles, security leadership roles at multiple different companies. Because those organizations have been vastly different. The choices I need to make have been vastly different. And I think I have had the benefit of being able to see several organizations work through this. I think for a lot of reasons it would be appealing to me if I was considering a candidate for CISO if they had done some vCISO’ing if I can make that a verb and had seen situations and challenges at multiple different organizations. I think that’s valuable. What do you think, Steve?

[Steve Tran] Yeah, I totally agree. It’s that key word – value. How is this person going to be that value add to the organization? And it’s really driven by the customers or the organization that’s seeking out this help. It requires both sides to be in clear alignment of what that expectation is and what needs to be delivered.

What are they looking for?

7:23.796

[David Spark] Joshua Copeland of AT&T said, “A vCISO is just a different flavor of CISO. Does the person have the requisite background, technical, GRC, business, etc., to do the job? If yes, why does it matter what the title they had before is?” And Linda Rust of SecuriThink said, “CISOs in truly large, complex settings have external strategy advisors. That has been my role, yet I’ve been on panels where a CISO for an organization that is five percent the size of my primary client and less than one percent the size of my largest client seemed to attempt to marginalize my ability to contribute because I didn’t hold the actual CISO title.” So, this speaks to what you were both saying in the last segment of what are they doing, what are the expectations. And like Linda says here, if I’m doing the things that you need, I’m probably the person you want as a vCISO. Yes, Steve?

[Steve Tran] Exactly, yes. And what stuck out to me was people saying that they feel marginalized because they don’t have the actual title. For me, I think one of the biggest things that gets under my skin is the gatekeeping mentality, the, “I’m here to judge whether or not you’re good enough to be part of this secret club or to have this title.” And it makes people… Because I’ve been on the other side where I was struggling to build up my career, and I know what it feels like when you know you’re capable of being able to do the work, but you have groups of people who have this arbitrary take on what it really means to have that title and how to get there.

[David Spark] You know what? I think people have that feeling in all businesses and in all industries. I personally have felt variations of that, not specifically CISO in my career. Geoff?

[Geoff Belknap] Yeah, I have very strong feelings here. Let me see if I can get them all out. I think number one, Linda, I’m only speaking to you right now… Everybody turn off your speakers. Hey, just because somebody has the CISO title doesn’t mean they’re not a jerk.

[David Spark] [Laughs]

[Geoff Belknap] That can happen in a lot of places. So, if somebody is marginalizing you, I would disengage. The other part, more seriously… And don’t quote me on this because I didn’t invent this. But it really comes back to that famous saying, which is talent and skill is equally distributed. Opportunity is not. We don’t need to be blocking people that could be future leaders because they haven’t had a special title, or they got those skills in a way that wasn’t the way you got the skills. Look, there is a critical need for security leaders in the space today. If you’re starting your leadership journey by being a consulting, or a traveling, or a visiting CISO, or a virtual CISO, or a fractional CISO, whatever it is… If you are helping organizations succeed, giving them advice in limited ways, that’s fantastic.

If that’s how you built up your experience in risk management, and in detection response, and all these other areas that are really valuable, awesome. Maybe you’re ready to be a real CISO. Or…and I have some friends that do this…maybe vCISO is your favorite thing. You’re helping smaller orgs that otherwise wouldn’t have access to high powered, intelligent thought about what they might prioritize or vendors they might choose. That’s excellent. So, I think in general info sec needs to be a little bit better about shutting down the gatekeeper and be a little more welcoming to people that have garnered their experience from different places. Look, CISOs didn’t exist, not really, not broadly, maybe 10, 15 years ago. So, let’s stop pretending like we know where all CISOs should come from, and let’s start looking at where value could be brought to our organization.

[David Spark] Where all CISOs come from. Steve, do you know two CISOs who have taken the same exact path?

[Steve Tran] No. No. Absolutely not.

[Geoff Belknap] I feel like the common path is you just start some place, and it turns out you’re okay at this, and you keep going.

[David Spark] Exactly. And one person’s path is not the same as the other. And also we’ve had a number of CISOs who do not have technical backgrounds who have been very successful CISOs on our programs before. So, the most classic of having a technical background, not necessary for some that is.

Sponsor – runZero

11:54.501

[David Spark] Before we go on any further, I do want to mention our sponsor, runZero, the cyber asset management solution. It is the fastest and easiest way to build a full asset inventory, get proactive about your security program, and accelerate your incident response. All sounds like good things, right? So, get the data and context about your devices, services, and configurations needed to effectively manage and secure your environment. You can take advantage of their integrations with your existing IT and security stack together with their proprietary scanner to cover all of your assets – local IT, OT, IoT, cloud, external, work from home, and even your unmanaged assets. runZero is so easy to use that you can get started in just minutes on your own. So, just go to runZero.com for a free trial. No credit card required. I like that. That’s runZero.com. Or you can also get a firsthand look at runZero in action. Just search for them on YouTube to check out their video demonstrations. I love that – that they’re making their video demos available. You don’t have to register for a demo, or book a demo, or anything like that. Just check them out on YouTube, runZero, or go to runZero.com and get yourself a free trial. That’s awesome. Sans credit card, even better. Love it. Thank you, runZero.

Why does this still happen?

13:22.116

[David Spark] Collin Graham of ClearDATA said, “The question of why is that there is a demand for CISO experience at a lower price point, and there is a low supply. So, others are stepping into that role in a limited capacity with less experience.” And Daniel Kennedy of the 541 Group said, “It’s similar to the difference between having a third party accountant versus hiring a CFO.” Steve, I think both Collin and Daniel make really cogent points of one is there’s a demand for this security leadership talent. And B, a lot of people need this help but don’t need a full time CFO or CISO like the need for a third party accountant or a CISO. For example, I have a third party accountant. I don’t have someone full time, but I definitely need that person, third party. Steve, what do you think?

[Steve Tran] There’s no size fits all. Everyone has different needs. This could also relate to what we talked about before. It’s we’re constantly trying to find ways to broaden that talent pool because that drastically affects the options that customers have, organizations have when they’re looking for someone to come in to help them with X, Y, Z. Not just at the CISO level but at all levels within information security.

[David Spark] And, Geoff, let me throw this to you. What is it…? Again, this would all change on your situation. But let’s say you’re at a smaller organization that doesn’t, A, have the budget for a CISO but has the need for somebody to say, “This is how you got to get your security program together.” I’m assuming a vCISO is the solution here. And if so, what would you be looking for? I know there’s a lot of ifs here in terms of what the scenario is. But sort of start us down that road.

[Geoff Belknap] Yeah, look, the most common two places that I see people coming to me and asking me if I know somebody who’s doing this is either a small company… I think the most recent one I had was a friend who owned a few dental offices. That’s a company that’s making significant income, has risk, and is carrying PHI and PII. They need help with security, but they’re not going to hire a CISO. The other one is small to medium startups. So, startups that are going like pre-C to A [Phonetic 00:15:52] round. It’s not yet time for them to hire another executive to run just the security program when it’s 25 people, something like that. So, I think in those cases what both of those organizations are looking for is somebody to sort of assess and help them think about the risks that are facing their business, how to mitigate those.

And in both cases, they’re looking for the same advice, which is I don’t have millions of dollars or even a million dollars to spend on this, where should I start, what should I prioritize. Do I start by building a SIEM and buying Azure Sentinel, or Splunk, or something? And the answer is no. A good vCISO is going to tell you, “No, here’s the kind of thing you should think about. Here’s the kind of software…” Maybe you’re using the built in software on Windows, or maybe you’re running everything on iPads, and Chromebooks, or something like that. That’s the conversation in both of those cases that those organizations need to have. And whether you’re coming at it from my background… Maybe I’m a vCISO someday, and I’ve got tons of enterprise experience.

Maybe that’s helpful for them. They don’t care whether you were doing that or whether you were…you used to do something else, and you were a big fan of security, and you have good concepts and opinions about these things. They just need that help getting started or continuing. Then they need help thinking about audits or whatever else they might be doing. But what they don’t need is full time security support, and a vCISO is a great way to get access to that.

[Steve Tran] To add to that, too, even I seek out other vCISOs or other CISOs.

[Geoff Belknap] No!

[Steve Tran] Right?

[Geoff Belknap] Say it ain’t so.

[Laughter]

[Steve Tran] An organization can already have a CISO, but that CISO could be faced with really complex, potentially unsolvable problems. But they still have to work through those challenges. And in those cases, from my personal experiences, that’s where I go and seek out diverse perspectives – other people who have maybe been through some experiences that I’ve never personally been through. Because to me, that’s valuable. It’s all about what is that value add, the contribution. We’ve already given some great examples of how diverse that is in itself. So, it could work both ways where, “Okay, we don’t have someone, so someone can help augment that.” Or they already have someone, but they need additional help.

[Geoff Belknap] Yeah, hey, let me add onto this real quick by letting the listener in on a secret that’s probably not a secret because I think we’ve talked about this before. Steve and I are both members of a big Slack group with a bunch of other CISOs. You know how we use that all the time is to talk to other CISOs about a problem we’re having, or something we’re dealing with that we don’t…we’re not sure about. And we’re getting information from our peers because we don’t know the answer to everything. It is okay to ask for help, and it is okay to hire people that don’t have your specific experience set to get that help. In fact, most times it’s better.

[David Spark] I was hoping you’d have the answer to everything, Geoff.

[Geoff Belknap] I think as long as life can be edited as well as this show is I have the answer to everything.

[David Spark] Oh my God, yes. If life could be edited like this show. Editor, keep that in.

[Geoff Belknap] That’s right. I’m going to need you to follow us around.

[David Spark] [Laughs]

How do we determine what’s most important?

18:57.584

[David Spark] Taylor Hersom said, “I was a CISO for one organization and saw one IT environment. I’ve now become a vCISO and have seen close to 100 environments. The amount of use cases, vulnerabilities, tools, obstacles, etc. that I’ve seen as a vCISO has been an amazing ground that I could never have gotten as a CISO.” So, arguing for the value of becoming a vCISO, a greater education path as Taylor says. And Shane Roberts of CoreLogic said, “There is no single answer because there is no single scenario,” as we’ve kind of mentioned all throughout this episode. He goes on to say, “The role and responsibility of a CISO/vCISO is defined by the business and the traditional CISO/vCISO role is evolving. There are a ton of very sincere and sharp IT/IS professionals that are not typical CISO/vCISO candidates trying to do the right thing and fill in the gaps. And in many cases, they are doing a great job.” So, essentially cheers for everyone trying to fill the gaps, whether you’re a CISO or a vCISO. I’ll let you, Geoff, start with this of a vCISO role kind of sounds cool if you want to get a lot of experience, seeing a lot of different environments. That does sound pretty cool.

[Geoff Belknap] Absolutely. And I think you learn the most from seeing problems and how they intersect with the business in multiple different places. I think this is… Shane and Taylor have the exact right concept. I was just thinking about this in our last segment – the stigma that people try to attach to vCISO. I think we all know Wendy Nather. She’s a consulting CISO.

[David Spark] From Duo Security.

[Geoff Belknap] Duo and now Cisco.

[David Spark] Well, that’s all part of Cisco.

[Geoff Belknap] My point is nobody would accuse Wendy of not having the insights, and skills, and experience capable of doing the CISO role. So, I think…

[David Spark] Yes. She’s never held the title, but her wisdom is kind of endless.

[Geoff Belknap] Her wisdom is truly endless, and her willingness to engage on all sorts of problems is amazing. We should all try to be more like Wendy. Wendy, you’re welcome. You can Venmo me the 20 bucks.

[David Spark] That only cost 20 bucks?

[Laughter]

[Geoff Belknap] I don’t know, 20 bitcoin. I’m out of touch.

[David Spark] 20 bitcoin is a lot more.

[Geoff Belknap] That would be better. Yeah, Wendy, if it could be 20 bitcoin that would be great. My point I’m trying to make that turned into a Wendy stan is as long as somebody is trying to help, everybody needs a little bit of help. And if you’re an organization that needs a little bit of help, try a vCISO. Maybe that’s the way you need to go. I think even more so, certainly I’ve talked to lots of orgs that are trying to hire a full time CISO. And more and more, I’ve been like, “Maybe you should try a virtual CISO or hire somebody who’s a fractional CISO.” And you as an organization can also learn about what does that CISO provide, what are you learning from them, where are you deriving your value. And maybe you need to shift how you think about hiring a CISO based on your experiences there instead of starting with a full time deeply experienced CISO. I think a lot of places and a lot of businesses could derive value from learning in a little more here.

[David Spark] I’m thinking… I’m going to have you close this out, Steve, in that especially for the organizations who are probably going to hire their first CISO or bring in their first security leader that for both cost and just basic understanding of what they’ve got, starting with a vCISO, which is really an advisor to some levels here, is probably a great starting point. Yes?

[Steve Tran] I agree. I’ve seen so many different CISO job descriptions out there. Some of them, it’s quite evident that the organization doesn’t quite know what they’re looking for, so why start there? If you have an opportunity to engage with a vCISO to help you define what that full time role should look like for your organization. So, that way when they go through that hiring pipeline that they know exactly what they’re looking for. It’s a great thing for the candidates, too, because they’re not going to get frustrated going through the pipeline, realizing that the organization doesn’t even know what they’re looking for and what they need.

[David Spark] That’s a really good point you make there. It is okay to say to a vCISO, “We don’t know what the heck we want.” It’s not okay to say to a CISO you’re going to hire full time, “We don’t know what we want.” Is that a good way of putting it? Yes?

[Steve Tran] Exactly. Well said.

[Geoff Belknap] Yeah, I think I would go slightly different. I think you are running a huge risk if you hire a CISO and you can’t articulate what you want them to do, what you want them to focus on.

[David Spark] Yes, that’s a monstrous risk.

[Geoff Belknap] Yeah. If you want to dabble and you want to learn about that, yeah, vCISO is a fantastic way to go. And a vCISO has seen so many different places they can help shape your thinking about that. I think a lot more partnership there is really positive.

[David Spark] And that’s a good point, and that goes to what Taylor said of, “When I was a CISO, I saw one environment. As a vCISO, I saw a hundred.” So, that vCISO who has seen a hundred is going to be able to help a hell of a lot more, especially when you don’t know what the hell you want, than even a very, very experienced CISO who’s just been in a couple of environments.

[Geoff Belknap] This show brought to you by Virtual CISO Union for America – America’s virtual CISOs working for you.

[David Spark] I’m taking as a summary for this show we’re very bullish on the vCISO. So, if you out there are a vCISO, feel free to distribute this episode around to get more clients. [Laughs] There you go.

[Geoff Belknap] There you go. There you have it.

Closing

24:40.876

[David Spark] All right, that brings us to the end of our show. I ask our guest and cohost here which quote was their favorite and why. Steve, I will begin with you. Which quote was your favorite and why?

[Steve Tran] Got to start somewhere.

[David Spark] You got to start somewhere. That was Justin P. at the very beginning, and you actually echoed this later. Like everyone is a first of something at some time. So, good point. I appreciate that. All right, Geoff, your favorite quote and why?

[Geoff Belknap] I think I’m going to go with Daniel Kennedy’s very nuanced quote here. “It’s similar to the difference between having a third party accountant versus hiring a CFO. vCISO versus CISO, they’re two different jobs. They’re two different sets of expectations for the same kind of outcome. You’re not hiring a virtual CFO. You’re hiring to run an accounting team. You’re not hiring a full time CISO, you’re hiring somebody to help you usually with a focused set of problems.”

[David Spark] Excellent point. Well, that brings us to the very end of this episode. Huge thanks to our sponsor, runZero. That’s runZero.com. runZero, the asset inventory and network visibility solution. If you don’t have that, well, what can you really do with your cyber security program. I also want to thank our guest, Steve Tran, who’s the CSO, handles both physical and digital security over at the Democratic National Committee. Steve, I’ll let you have the very last word, so hang tight. The question I ask all my guests, are you hiring. So, make sure you have an answer for that. But first, Geoff, who is always hiring… And if you don’t for some demented reason want to work for Geoff, there are a lot of job availabilities you can get over at LinkedIn. Geoff, any last thoughts on today’s topic?

[Geoff Belknap] Just like I said before, I think we should think about vCISO and CISO even though they share a lot of letters in common as two very different roles.

[David Spark] Yes.

[Geoff Belknap] And we should be willing and interested in engaging people in the vCISO role that have not been CISOs before. That’s not what people necessarily are looking for when they’re hiring a vCISO.

[David Spark] Very good point. Steve, are you hiring? And any last thoughts on this topic.

[Steve Tran] We are hiring. And if you go to democrats.org you can see the open roles that we have available.

[David Spark] And if they were to contact you, Steve, and mention they’ve been on this show, how would that help them?

[Steve Tran] They would get cool points.

[David Spark] They would get cool points, that’s for sure. You would not hang up on them. You might actually respond. Possibly. Who knows? Can’t guarantee anything. Don’t want to paint you in a corner. Any other last thoughts on today’s conversation?

[Steve Tran] It’s been a great conversation and one that’s important to me because I feel like as a community we need to try to do better to make this more accessible, to broaden the talent pool because our nation’s cyber security requirements depend on it.

[David Spark] We need everybody who wants to be a security leader to be a security leader, yes?

[Geoff Belknap] Amen. Absolutely.

[David Spark] I’m all for that. Well, thank you very much, Steve. Thank you very much, Geoff. And thank you to our audience as well. We greatly appreciate your contributions and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.