Last Week As A vCISO

What IS A vCISO???

It means so many things to many people... let's go over it.

Ayman Elsawah
Jun 2, 2022

I came up with the term on my own in 2015; no one had heard of it at the time and it was a hard sell. Fast forward now to 2022 and vCISOs are EVERYWHERE! Even in the last 6 months, there has been a 50% increase in vCISO titles on LinkedIn.

So what is a vCISO?

Well, they’re actually a CISO! (Just part-time)

They can also be a:

  • Security Architect

  • Security Analyst

  • Security Project Manager / Coordinator

  • Audit Liaison

Hint: 💡 They can be the same person or multiple people. 🤔

See my related post…

Last Week As A vCISO
Do You Really Need A Ciso?
Had an excellent discussion with another CISO on what companies actually need (or have the capacity for), especially when first starting out. For example, you want to go towards SOC2 compliance. You’re the CEO or CTO of a company and buy a tool out there, of which there are plenty, that will help outline for your organization all the necessary steps you …

A lot of people are actually moving away from the term vCISO and using Fractional CISO instead. I’ve also run into clients who are not comfortable with the term CISO at all and prefer to use “Security Advisor”.

Another reason people are moving away from vCISO is that you have inexperienced folks with 1-2 years of experience in security as an engineer or analyst calling themselves vCISOs. In this case, they would be a Staff Aug Engineer, or at best an MSSP (aka MDR).

So maybe this article should be “What Makes A Good vCISO?”

What Makes A Good vCISO?

One of the most important aspects of a good vCISO is

Understanding The Culture

This post describes this best…

Last Week As A vCISO
3 CISO's Walk Into A Startup...
I was watching a video on beekeeping and how three different groups of beekeepers came to 3 different conclusions on the same beehive. The answers were very surprising and touched on emotional intelligence in a way I had never considered in beekeeping…

A vCISO is often coming into one of two scenarios:

  • Completely Greenfield - No Security

  • Taking over someone else’s work - partial security

So they need to be nimble and understand how to get up to speed quickly.

(Shameless Plug: We’ve developed a custom assessment framework to help understand the issues and build a security roadmap quickly. Get in touch 👉🏼: info@cloudsecuritylabs.io)

Technical Breadth

Another important aspect for a vCISO, imho, is having some technical breadth, understanding, and alignment with the client organization.

Technical breadth doesn’t mean that you have to be a developer or be able to do a source code review, but you do need to be able to carry a conversation with Engineering, Legal, and HR. So understanding the lingo of these various departments (at the stage the company is in) is paramount. Knowing the tools and having experience with the workflows of similarly sized companies is also part of this.

In a way, Technical Breadth is part of culture.

Consultative, Educational, Empathic, and Creative

This also goes back to culture, but to be more specific, a vCISO is typically brought in as an expert. So the client is looking for guidance on a difficult topic.

In fact, this has to apply to all security people.

At the end of the day, security people are educators. We are there to help the client with a difficult problem.

We either:

  • Have to explain it for them in the simplest terms (see ELI5)

  • Walk them through how to do it

  • Do it for them but be able to explain why we did it the way we did

The Empathy part means that you understand the difficult situation they are in (trying to gain an enterprise client, or reduce their risk, or ship a product) and are going to be creative in how you solve their problem.

Wait… You Do All That?

Yes, and more. vCISOs, CISOs, and many good security people end up doing a lot for an organization to keep it secure and well oiled.

Here is some additional context into what goes on in our world:

Last Week As A vCISO
Mental Health In The Infosec Field
The news of Simone Biles, possibly the greatest gymnast in the world, pulling out of Olympic competition due to mental health reasons shocked the world. I cannot commend her enough for shedding light on such an important topic. The brain and body are more connected than we think, and more needs to be done in society and the medical field to reconcile it…

I hope this helps paint a clearer picture of what a vCISO is.

Do you have another interpretation of a vCISO? Leave a comment below.

© 2023 Ayman Elsawah