What is a vCISO and Why Do I Need One? – Day 30 of Cybersecurity Awareness Month
Shelly Miller 00:06
I went to the doctor last week. I’ve hired electricians and plumbers to fix things in my house earlier this year. These professions are all based upon consumers hiring these folks on a part-time basis. The cybersecurity industry is doing the same thing these days with something called a virtual or fractional Chief Information Officer, or vCISO. With us today to discuss these vCISO services is Craig Taylor, CEO and Co-Founder of CyberHoot, a learning management and vCISO service provider to small businesses and MSPs all over the world. Craig, please tell us why companies should use a vCISO to help them build their cybersecurity programs.
Craig Taylor 00:43
Surely, that’s a great question. Businesses are increasingly turning to vCISOs to build their cybersecurity programs. And those programs include things like risk management, risk assessments, risk registries, and that all leads to a cybersecurity roadmap where you remediate the most egregious things or risks that you face. A good vCISO can help you establish governance policies and awareness training programs, conduct phishing testing of your staff, and handle security incidents or answer cybersecurity questionnaires from clients and insurance providers. They also act as consultants on your IT projects to ensure cybersecurity is baked in from the beginning. So there’s just so much that goes on within a modern business that requires advice from a cybersecurity professional. And the only way to find those people, because there are 3 million unopened or unanswered jobs in cybersecurity in the United States today, is to hire a part-time professional known as a vCISO.
Shelly Miller 01:44
Wow. Okay. So there’s more that goes into cybersecurity programs than most people imagined. Can you tell us what process you follow for CyberHoot’s vCISO program and building out a cybersecurity program for your typical company?
Craig Taylor 01:57
Sure, I’d be happy to. For most companies in the small to medium-sized business space, and that includes managed service providers, cybersecurity maturity is quite low to non-existent in many cases. Unfortunately, that’s not a criticism of these companies, though, because, you know, you can graduate from an Ivy League school in the United States and have no cybersecurity training whatsoever.
So we have to sort of start from scratch with so many companies. Put simply, business owners don’t know what they don’t know, which means I have to do a lot of education when I get in there to start. So during the onboarding phase, first thing we do is we conduct a risk assessment. And in parallel, we start awareness training to educate people on why we’re doing the things we’re doing and why it matters so much.
So we teach them phishing, we teach them password hygiene, and things of that nature, right off the bat. But that risk assessment is really important because it codifies the administrative, physical and technical risks that a company faces. And we prioritize those in the risk assessment, and then decide what to do about those risks.
So we rank order them by probability, impact and materiality to the business, and we get a list that goes from the highest risk to the lowest risk. And then we decide jointly with the business owner whether we’re going to accept the risk, remediate it, or transfer it; transferring it is done through cyber insurance. So out of all of that, in that initial risk assessment, we build a 12 to 18 month roadmap that addresses various projects to remediate risks in the business.
Shelly Miller 03:28
So Craig, what process do you follow with your vCISO clients?
Craig Taylor 03:32
Good question, Shelly. So we follow a pretty orchestrated engagement process for all of our vCISO clients; they typically have the same immaturity, so we do have to do all of these steps in this order. The first thing we do is we perform a risk assessment. And remember, when we talked about the risk assessment, it builds a risk management framework for quantifying and managing your cyber risks in your business.
And it leads to that roadmap for remediation of things. But we also know that on that roadmap, we’re going to find things like adopting the newest NIST password standards to migrate off of nine-character complex passwords that you change every 90 days, which is time-consuming and a waste of time, to 14-plus-character passwords.
That means 14 or longer, that are non-complex and non-expiring. We adopt a password manager because very few have done that, and that is the only way to secure good password hygiene across all of your employees. So we definitely have a project there. We make sure we examine the multi-factor authentication into things like email systems, VPN, banking, and SaaS (software as a service) solutions online. So financial applications and Salesforce, things of that nature.
We start awareness training right in the beginning in parallel to all of these other steps, because we find that employees that know more are more willing to accept the password manager and the change of password complexities, things of that nature. And then finally, we also draft up a set of cybersecurity policies that govern the employees’ behaviors when they have to make independent decisions on their own outside of the controls of technology. So that’s a very important step as well.
Shelly Miller 05:20
Great advice, Craig and very timely with Cybersecurity Awareness Month. How can companies interested in vCISO services contact you?
Craig Taylor 05:28
Well, thanks for the shout-out, Shelly. They can email me at Craig@cyberhoot.com, or if they want to learn more about our vCISO service offering, visit cyberhoot.com/vCISO. There we have a service description, and you can find out a lot of information and engage with us that way.