RSI Security hosted a webinar on the role vCISOs can play in optimizing cyberdefenses and the benefits of outsourcing security efforts to a vCISO. RSI Security co-hosted the webinar with Macomb Community College and Mott Community College, both located in Michigan.
Nico kicked things off by introducing the webinar panelists:
- Cheryl Shelton, Chief Technology Officer (CTO) at Mott Community College, is a former instructor in Mott’s Information Technology (IT) department.
- Michael (Mike) Zimmerman, Chief Information Officer (CIO) at Macomb Community College, leads the optimization of academic, computing, and business technology efficiency there.
- David (Dave) Samara, Senior Technical Project Manager at RSI Security, has had multiple global IT roles in cybersecurity leadership, system design, DevOps, and project management.
- John Shin, Founder and Managing Director at RSI Security, has extensive experience in cybersecurity leadership, compliance, and project management across multiple industries.
Dave started his portion of the webinar by emphasizing that the “v” in vCISO stands for “virtual.” A vCISO oversees cybersecurity at an organization and may be part-time or full-time, working on-premises or remotely, depending on organizational needs.
vCISO is a Challenging Role
Dave explained that vCISOs are expected to address the exponential rise in cybersecurity threats, but their authority is often underutilized. Many businesses also allocate lower budgets for the vCISO role. However, he emphasized that businesses must shift their mindsets to recognize the value vCISOs provide when addressing cybersecurity risks.
vCISOs help guide cybersecurity best practices that protect sensitive data (e.g., intellectual property (IP)) and critical operations, such as those that support online revenue streams.
One of the most effective ways to protect sensitive assets is to invest in a vCISO solution.
Cybersecurity Incidents are the Biggest Business Risks of 2022
Dave then mentioned the Allianz Global Survey, which ranks cybersecurity incidents as the top business risk in 2022. He added that these incidents can disrupt business operations.
Dave asked John about his perspective on these statistics, from RSI Security’s experience with clients and conversations with peers in the industry. John noted his disappointment in the reality of the statistics, emphasizing that 77% of cybersecurity spending goes to defensive information security and compliance rather than proactive measures that support organizational growth.
With stronger security controls, organizations can focus more time and resources on developing strategic initiatives that drive business growth. Investing in a CISO or vCISO can help organizations develop cyber resilience and help boost their growth.
The Broad Roles of a vCISO
Dave emphasized the role a vCISO plays in helping an organization solve both technical and non-technical cybersecurity issues. Although threat assessments can help identify risks like web application threats, insider threats are driven by human factors.
Dave asked Cheryl to share Mott’s experience working with a vCISO. Cheryl mentioned that Mohan Shamachar, a vCISO from RSI Security, attends monthly board meetings at Mott and works with their team to perform quarterly IT updates.
vCISOs and Cybersecurity Advocacy
Cheryl added that Mohan helps her team speak to the board about critical security needs and the justification for spending on cybersecurity controls. The executive leadership views Mohan as an authority who can speak to emerging security needs based on his industry experience.
Mohan was also critical to successfully championing mandatory security awareness training at Mott. As a result, all employees have been fully trained on cybersecurity best practices.
Cybersecurity Challenges at the C-Suite Level
Dave then segued into the challenges Mike and Cheryl face when getting buy-in from executive leadership about security implementation.
Mike mentioned that cybersecurity implementation is often viewed as an inconvenience. As a result, it is easier to get executive buy-in before implementing changes to cybersecurity safeguards. A vCISO provides an external perspective, which helps identify blind spots and encourages security optimization. When asked about his thoughts on how to approach executive leadership to get buy-in, Mike emphasized the need to leverage every opportunity available, especially if a vCISO is involved in the ask.
Cheryl agreed and emphasized the need for vCISOs to support decisions around cybersecurity optimization as boards are more likely to agree with them.
Mike also added that smart teams and large amounts of resources do not necessarily translate into effective cybersecurity. However, there is a need to address existing blind spots before implementation kicks in.
vCISOs Guide Cybersecurity Focus
Dave then asked John whether organizations tend to optimize cybersecurity controls in response to crises or if they do so proactively. John echoed the need for executive buy-in to drive the implementation of security controls and develop internal cyber resilience.
He agreed that vCISOs soften the ask for buy-in.
Dave added that vCISOs play a major role in guiding organizations’ business security focus and help develop broader cybersecurity risk mitigation strategies. He emphasized the need to understand the balance between the involvement of people, processes, and technologies when managing cybersecurity risks.
Dave then opened the floor to questions.
Questions From the Audience
How do you choose a vCISO with diverse experience, but also with the focused experience that the specific client company needs?
John mentioned that it is critical to match the organization and its respective industry to the experience of the vCISO. Every CISO or vCISO is responsible for helping organizations make agile cybersecurity decisions. A CISO typically advises on the best approaches to optimizing security controls using human-centered transformation.
He added that a CISO or vCISO should function as a bridge between an organization’s culture and the best strategies for effective cybersecurity management.
Dave followed up by asking Cheryl and Mike to comment on how they decided which CISO to hire.
Cheryl mentioned that the need for a CISO started after Mott established its Security Operations Center (SOC). With a SOC in place, there was a need to address security gaps. The decision to hire a CISO depends on each organization’s perception of a CISO’s fit.
Although a potential CISO’s skillset and experience should be a good fit, it can pay off to hire a CISO with a different, complementary skillset or approach (as compared to whomever the CISO or vCISO would replace or who is currently overseeing CISO-like functions).
Dave agreed, emphasizing the value of an external perspective on security optimization.
Dave asked Mike about the factors Macomb considered when choosing a CISO.
Mike explained that Macomb’s process focused on finding a CISO with whom the team could have a great relationship. For Mike, the choice depended on finding someone who could:
- Resonate with the organization
- Earn the respect of the staff
- Listen and understand the security issues
- Advise on IT security best practices
Dave agreed with the idea of approaching change with unconventional solutions that may feel temporarily uncomfortable but help support cybersecurity in the long term.
Why is there so much emphasis on the multiple software tools available, and how does a CISO help navigate this?
Mike answered by re-emphasizing that organizations should not focus on investing in random software tools but instead identify the sources of security gaps. Cheryl agreed, explaining that sophisticated cybersecurity tools are ineffective if your staff is untrained.
Mike added that cybersecurity optimization should be led by an external party like a CISO who can identify internal blind spots in your security controls. Dave agreed with Mike and Cheryl, emphasizing the need for a CISO to support the decision-making process for all aspects of security optimization.
John also emphasized that security tools are only effective if used logically.
What are the three to four key elements that comprise a successful vCISO relationship with their client company?
Mike responded by emphasizing the importance of a CISO to:
- Gain respect from the client
- Understand the company’s vulnerabilities
Cheryl mentioned the need for a CISO to:
- Present to an organization’s executive leadership or board
- Prioritize the most pressing needs of the organization
Dave asked John to follow up on the above qualities.
John mentioned a CIO he spoke with said a CISO should be mobile, agile, and hostile. He added that there is a need to establish a vulnerability-based trust relationship to drive solutions to security problems.
Dave agreed that organizations should build trust-based relationships with CISOs. He concluded by thanking the panelists and other participants.
Nico also thanked all the participants and closed the webinar.
Optimize Your Security Infrastructure with a vCISO
Investing in a vCISO will provide you with the external perspective required to build robust and resilient cyberdefenses that will keep your organization safe from security threats. To learn more about the role a vCISO plays in optimizing your unique cybersecurity infrastructure, contact RSI Security today!