RSI Security recently partnered with Vanta to host the webinar Streamlining Cyber Resilience: How a vCISO & GRC Tool Can Strengthen and Automate Compliance. Mohan Shamachar, our Director of Information Security and Compliance, hosted and was joined by RSI Security’s Ti Sanders (Information Security Assessor) and Peter Phaneuf (Senior Security Assessor), along with Tim Blair, Senior Manager and Governance, Risk, and Compliance (GRC) expert at Vanta.
Understanding the Role of vCISOs in GRC
Shamachar began the webinar by introducing the overall agenda and providing context on the speakers’ organizations. RSI Security was founded in 2013 and is regularly recognized as a leading cybersecurity and compliance advisory provider. Vanta, founded in 2018, was ranked the #1 GRC product of 2025 by G2 and is likewise considered a leader in the security space.
Shamachar noted that leaders from both organizations would present on the following:
- Defining the role of the virtual chief information security officer (vCISO)
- Analyzing two real-world applications of RSI Security’s vCISO services
- Explaining Vanta’s GRC tool and providing a live demonstration thereof
Shamachar also noted that the floor would be open for questions and guidance at the end of the webinar. Attendees and readers are encouraged to reach out with further questions, as well.
How vCISOs Optimize Security Operations
Shamachar began by providing a definition and context for what virtual chief information security officers are and the value that they provide. A vCISO is a service, not an individual—at least for RSI Security. It’s a fractional, on-demand, and/or project-based approach to the CISO function.
A vCISO builds and manages security strategy, risk assessments, compliance efforts, and framework implementation—all tailored to the organization’s needs. They scale support as needed and focus on aligning business and security goals, often working closely with internal IT teams.
The simplest way to understand a vCISO is that it performs everything a traditional CISO does, but from an external position. Because the service is not a single full-time employee, it offers greater flexibility and draws on many individuals’ expertise while reducing labor costs.
In particular, Shamachar noted that traditional CISO salaries start at $215K annually, not including bonuses, benefits, and auxiliary costs. In comparison, organizations can implement vCISO services for as little as $100K per year, significantly cutting costs across the board.
Case Study: Macomb Community College
Moving on, Peter Phaneuf introduced one instance of RSI Security’s vCISO services at work in our engagement with Macomb Community College. Macomb is in Michigan but welcomes 50K+ students from all around the world. The college brought in RSI Security’s vCISO services to unify and optimize its overall security posture, preparing for streamlined compliance.
In particular, Macomb’s IT infrastructure faced challenges related to disparate systems and sensitive data stores with limited oversight and control. Shared manufacturing facilities used for job training, along with medical infrastructure for nursing and dentistry programs, illustrate the broader environment. On the tech side, about 90% of Macomb’s IT relied on SaaS. However, its most critical ERP tools were still tied to in-house systems.
To help Macomb strengthen its security posture, RSI Security conducted a full assessment of its governance and compliance structures. This included interviews with college deans and department heads. Together, they identified which regulatory frameworks were required, planned for adoption, or under future consideration.
The top priorities coming out of this exercise were achieving compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) and implementing the Center for Internet Security (CIS) Controls up to Implementation Group 1 standards. The former is mandatory because of the various cardholder data (CHD) environments on campus, and the latter was a discretionary step that Macomb targeted to streamline all other compliance and baseline security assurance.
Other goals, such as compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the California Privacy Rights Act (CPRA), were established but sequenced later according to risk profile, requirements, and general efficiency. Working with a vCISO allowed leaders within the college to set action plans and achieve their goals despite the challenges of budget allocation and the bustle of the ongoing academic calendar.
Overall, Macomb had solid compliance and security governance in place. Still, Phaneuf noted that a robust GRC tool could streamline processes even further.
Case Study: Midsize Military Contractor
Next, Ti Sanders shared how RSI Security applied similar vCISO strategies to a very different client, a Department of Defense (DoD) contractor. Because the DoD is a top cyber target, every supply chain partner must demonstrate strong security or risk losing contracts. A vCISO helps such contractors maintain compliance, threat resilience, and long-term security best practices.
Sanders provided the following overview of the cybersecurity landscape in this sector:
- Regulations – Organizations need to implement the Cybersecurity Maturity Model Certification (CMMC), along with frameworks like the National Institute of Standards and Technology (NIST) SP 800-171 and Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, among others. Organizations may also need to implement frameworks like HIPAA depending on their focal points.
- DoD requirements – Within these overarching frameworks are specific controls the DoD requires that can be challenging to implement and maintain. Sanders noted that many entities struggle with log management, encryption, and physical protection.
- Common threats – Complex threat vectors and actors target the DoD supply chain, making it one of the largest sources of risk to the DoD. These include nation-state attacks aimed at exfiltration, advanced persistent threats (APTs), and other activity that could compromise controlled unclassified information (CUI), the primary focus of CMMC.
Our client, a midsized aerospace parts manufacturer, needed to achieve CMMC Level 2 to retain an existing contract. This meant implementing the NIST SP 800-171 controls and aligning them with the newer CMMC requirements, along with optimizing processes for visibility and reporting. The client had little to no formal cyberdefense in place, having managed its security systems manually. It also had no third-party risk management (TPRM) program, so its vendor relationships had to be brought under control as well.
On a more granular level, our initial gap assessment identified needs for access control, asset visibility, and continuous monitoring. We addressed these gaps with a four-pronged approach:
- Governance and policy alignment – We implemented and mapped existing controls across CMMC and DFARS requirements, with a formalized risk management process.
- Technology updates – We implemented multi-factor authentication (MFA) and zero trust architecture (ZTA) for access control; we also deployed a security information and event management (SIEM) system to monitor for, detect, and swiftly address threats.
- Supply chain security enhancements – We worked together to develop vendor requirements for CMMC compliance, including conducting TPRM risk assessments.
- Training and awareness – We implemented robust and flexible DoD and CMMC training modules, including general CUI protection and role-specific exercises.
Through this process, budgetary and other challenges emerged. Externally, third parties could be hard to account for. Internally, there was some cultural resistance from leadership and the rank and file, accompanied by legacy systems that had to be retained for logistical reasons.
Nevertheless, RSI Security’s vCISO team helped this DoD contractor overcome these challenges and achieve CMMC Level 2 compliance with efficient planning and execution.
How an Effective GRC Tool Works in Practice
Both case studies illustrated the value that vCISO services bring to organizations, regardless of their industry or IT environment. However, they also showed how critical comprehensive tools and systems can be to ensure efficiency across security governance programs. This is where Vanta comes in, and Tim Blair explained exactly how it works before showcasing it in action.
To begin with, he provided an overview of the Vanta continuous monitoring workflow:
- Organizations connect target apps and systems (e.g., AWS, Okta, Microsoft Office)
- IT personnel, such as vCISO teams, substantiate the evidence, policies, and reviews
- IT personnel use the software to identify compliance requirements and challenges
- IT leaders leverage the software to complete requisite audits and demonstrate trust
- The software continuously monitors systems to maintain security and compliance
Blair stated that Vanta automates up to 90% of the work required to prepare for audits, meaning organizations can complete the compliance process with roughly 10% of the usual time, money, and resources. Certification audits take about 50% less time on average using Vanta, which streamlines security governance for all parties involved.
Blair also explained that Vanta is highly flexible, with over 350 integrations and options for customization. Organizations can choose whichever configuration they need, whether baseline, recommended, or custom, while Vanta handles logistical tasks like employee notifications. During the demo, he highlighted Vanta’s coverage of major regulatory frameworks, including visibility into those not yet required. Organizations can begin planning early for future implementation by seeing which controls already in place map to other frameworks’ requirements, with percent-complete dashboards making progress easy to read at a glance.
Ultimately, Vanta allows vCISOs and other security leaders to identify and address gaps before the formal audit. This leaves room to mitigate issues and avoid miscommunication when it matters most, saving time and keeping operations running smoothly.
Optimizing GRC with RSI Security and Vanta
Working with a vCISO is the best way to optimize GRC and overall security operations at an organization. And vCISO teams are at their best when they have access to powerful, flexible tools like Vanta’s platform. Rounding out the webinar, attendees were encouraged to explore RSI Security’s vCISO whitepaper and purchase a cyber risk report. From Vanta’s side, the one-page overview is an accessible entry point to seamless, efficient security governance.
RSI Security has helped countless organizations strengthen their security posture through our vCISO, compliance, and broader suite of cyberdefense offerings. We believe that discipline upfront unlocks freedom long-term, and we’ll help you achieve that with sound guidance.
To learn more about our vCISO, GRC, and cyberdefense services, get in touch today!