The Cyber Defense eMagazine January Edition for 2024

More documents

Recommendations

Info

Virtual CISO, on the other hand, is a bit more ephemeral and implies someone who can work full-time, but remotely. The implication being that this virtual person is the only security expert working for that company which in turn means the company is relatively small or has an immature security program. I like this distinction that she made but I am not convinced that the industry has adopted it. In my more recent conversations with vCISOs, some of them expressed an opinion that they originally called themselves vCISO only to now switch to fractional CISO. I picked up that the term vCISO has been degraded. I see on social media posts that “anyone can call themselves a vCISO” without requiring the corresponding experience or credentials, which further gives evidence that the community is becoming skeptical of the term. And that list bit is an interesting point because even though there are several certifications and credentials in the cybersecurity space, most of them are younger than the cybersecurity professionals. Therefore, not everyone is credentialed. Regardless of that debate, I see the movement to “fractional CISO” more and more, so if you are launching your own firm, choose which term you want to use on your website with full knowledge that the line, while still fuzzy, is getting drawn. Mapping Your Path: Finding Your Niche The vCISO market is diverse, offering a range of client needs and engagement models. Identify your sweet spot. Will you specialize in specific industries? Focus on project-based work? Or do you charge hourly? Or maybe you prefer to cater to long-term engagements for larger enterprises? Choose your path wisely, honing your expertise and value proposition to become the go-to vCISO for your chosen niche. As I explained in the previous section, vCISO has varying meaning. Some vCISOs I have spoken to only focus on pre-audit readiness. These are limited engagements, varying from 6 months to a year, where the vCISO builds the security program for the client, maintains it during the audit period and coordinates with the auditor during the audit. This type of vCISO then terminates their contract at the audit conclusion. Another practice focus for vCISOs is the fractional cybersecurity professional who charges a flat fee, monthly, to their clients for building and maintaining a security program. With this work, the vCISO conducts a gap analysis, builds an action plan for the client that is customized and mapped to a specific framework and then works with the client on implementation, all the while helping with responses to security questionnaires and insurance assessments on the client’s behalf. Sometimes the vCISO charges an hourly fee instead of a flat fee and I usually see this type of billing when the vCISO is early in the life of the firm and trying to establish that initial client base (because hourly earns them less money). These services are usually referred to as “Advisory Services” and MSPs and MSSPs are also offering them. Finally, the third most common vCISO offering is what I refer to as a secondment. The vCISO works fulltime, but for a temporary period of time, within the client’s business. In this work, either the client lost their in-house CISO and needs someone to cover for a period, or they have never hired a CISO and need coverage while they conduct their search. With the dearth of high level, c-suite talent (and the fears over liability since Joe Sullivan of Uber was prosecuted), a CISO search can take up to a year, so these vCISOs cover the gap. Usually, these vCISOs also have a whole separate engine built for discovering and training new talent so that when they receive the client call, they have a pool of aspiring CISOs to Cyber Defense eMagazine – January 2024 Edition 120 Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.
call upon. I find this fascinating because the vCISO is part cybersecurity advisor, part strategist, part practitioner and part recruiter. I am sure more niches will evolve, but, based on my interviews, these are the most common. One consistency I have noted is the initial due diligence required with each client, usually called a gap analysis or gap assessment. My takeaway is that if you are offering vCISO services, you have to be offering gap analyses. Go It Alone or Build a Scaling Business It is exciting to start your own business working for yourself. While consulting businesses are often considered “lifestyle” businesses, they still can grow and scale like a startup. I personally like to analogize cybersecurity consulting firms to law firms and I think the model works well. The most highly experienced partner starts the firm and starts to grow enough client work such that they need help due to bandwidth constraints. At first, they have a few vCISO friends who can pitch in and consult when needed. Eventually, they need to hire someone to take over the client work so they can focus more on marketing and sales. Eventually, the founding partner is managing several other vCISOs and also associates who are earlier in their career. In this model, a vCISO partners with the associate. The associate has a cheaper hourly rate than the vCISO and works on more of the heavy lifting, like conducting the due diligence for gap assessments, reviewing vendor evidence of security and responding to security questionnaires on the client’s behalf. The vCISO partners focus more of their time on high-level tasks, training the associates and keeping abreast of changes to any standards or regulations (like NIST CSF 2.0 or CMMC). Meanwhile, the founding partner now spends almost all of his/ her or their time managing the business, hiring and firing and marketing and sales. It is worth taking the time to understand what you want. Do you want to run a business or do you like doing the work for the clients? Your decision will determine whether you stay a one-person firm or grow into something much larger. Back to the law firm analogy, I see vCISO firms eventually having specialties like law firms do now. One firm may have an entire practice area that focuses on audit readiness while another practice area that focuses on secondments within companies. Basically, those choices you made to start your firm, which niche to offer, becomes one division of your much larger firm. 2023 was the year of the explosion of the vCISO market and I do not anticipate that it slows down in 2024. If anything, we will start to see larger and larger firms emerge as top-tier with reputations for being best in class. If you have been thinking of starting your own firm, I say the time is now before the price of entry gets too high. As you dive deeper into running your own firm, you'll discover even more insights and nuances. Stay curious, adapt to the changing landscape, and never stop learning. With dedication and the right strategies, you can build a vCISO firm that brings you challenges that are worth experiencing and enjoyment in your work that you never thought possible. Cyber Defense eMagazine – January 2024 Edition 121 Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.
Page 1 and 2:
3 New Risks That CISOs Will Face in
Page 3 and 4:
Top 6 Security Challenges of SMEs -
Page 5 and 6:
Reducing Burnout and Increasing SOC
Page 7 and 8:
@CYBERDEFENSEMAG CYBER DEFENSE eMAG
Page 9 and 10:
Cyber Defense eMagazine - January 2
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
1. AI development and use will dema
Page 23 and 24:
How Small and Mid-Sized Businesses
Page 25 and 26:
Achieving SOC 2 Type 2 attestation
Page 27 and 28:
lights can be turned on at the flip
Page 29 and 30:
About the Author Victor Atkins is a
Page 31 and 32:
The Distinct OT Cybersecurity Envir
Page 33 and 34:
About the Author Dave Purdy is the
Page 35 and 36:
Two critical enablers for autonomou
Page 37 and 38:
In conclusion, while the parallels
Page 39 and 40:
Advanced AI-Powered Attack Methods
Page 41 and 42:
Why Cybersecurity Maturity Model Ce
Page 43 and 44:
What CMMC Accomplishes It’s essen
Page 45 and 46:
AI: The Human Touch in Cybersecurit
Page 47 and 48:
with human intuition creates a powe
Page 49 and 50:
How does shifting from a reactive a
Page 51 and 52:
About the Author Paul Brucianni, Cy
Page 53 and 54:
AI and cybersecurity Cybercriminals
Page 55 and 56:
Conclusion In conclusion, combining
Page 57 and 58:
2. Selective Attention: Concentrati
Page 59 and 60:
NIS 2: From Obligation to Opportuni
Page 61 and 62:
Once the risks and challenges are i
Page 63 and 64:
Top 6 Security Challenges of SMEs B
Page 65 and 66:
Proactive Remediation is the Way Fo
Page 67 and 68:
Is 2024 the Year of Cloud Repatriat
Page 69 and 70: Resource optimization: Workloads th
Page 71 and 72: What to expect in the metaverse The
Page 73 and 74: SolarWinds Lawsuit Reinforces the N
Page 75 and 76: Inviting Others to the Table By inc
Page 77 and 78: e used for an information protectio
Page 79 and 80: work and not only the good guys can
Page 81 and 82: terrorism. The criminal groups most
Page 83 and 84: statement, and the other actions it
Page 85 and 86: MGM & Caesars Cyberattacks: Lessons
Page 87 and 88: Companies must also adopt a zero-tr
Page 89 and 90: Another reason why threats keep gro
Page 91 and 92: Cyber Insurance: A Smart Investment
Page 93 and 94: data protection. However, the two a
Page 95 and 96: Cyber Resilience - Beyond Cyber Sec
Page 97 and 98: • Leveraging External Expertise:
Page 99 and 100: Cybersecurity Preparedness 2024 By
Page 101 and 102: approach and a focus on providing e
Page 103 and 104: enabled hacker groups to increase t
Page 105 and 106: Enhancing PCI DSS Compliance: The U
Page 107 and 108: Understanding how adversaries opera
Page 109 and 110: cryptocurrency favorably, and there
Page 111 and 112: About the Author James Hunt holds o
Page 113 and 114: streamlined architecture with fewer
Page 115 and 116: From the SIEM to the Lake: Bridging
Page 117 and 118: About the Author Omer Singer is the
Page 119: The Hardest Part: Marketing and Sal
Page 123 and 124: Getting AI Right for Security: 5 Pr
Page 125 and 126: Against this backdrop, it’s criti
Page 127 and 128: opposition, and even complete inter
Page 129 and 130: As we have seen in Russia, VPNs off
Page 131 and 132: Understanding Hyperautomation Hyper
Page 133 and 134: Learning (ML), Robotic Process Auto
Page 135 and 136: Identity Providers Are Still the Bu
Page 137 and 138: About the Author Jason Martin and I
Page 139 and 140: in terms of reputational, operation
Page 141 and 142: New Year, New Consumer Demands in C
Page 143 and 144: 2. Transparent communication: Highl
Page 145 and 146: Key Trends in Cybersecurity Evolvin
Page 147 and 148: Better and Faster Sandboxes Traditi
Page 149 and 150: Over an 18-month period, Conti accu
Page 151 and 152: • During wartime, reduce the atta
Page 153 and 154: SOC roles aren’t for the faint of
Page 155 and 156: Safeguarding Children in the Era of
Page 157 and 158: strategy. Parents should seize the
Page 159 and 160: Securing Space Infrastructure for U
Page 161 and 162: For new satellite constellations, p
Page 163 and 164: Understand Cyber Insurance: Rising
Page 165 and 166: costs for such an incident. This is
Page 167 and 168: What You Need to Know About the Cyb
Page 169 and 170: deployment and time to value. Typic
Page 171 and 172:
Why Companies Are Still Investing i
Page 173 and 174:
technologies (PPT) could be an AI a
Page 175 and 176:
• Abundance of sensitive informat
Page 177 and 178:
5. Upgrade to Newer, More Secure Sy
Page 179 and 180:
they came under armed attack. Howev
Page 181 and 182:
incursions have probably never been
Page 183 and 184:
Keywords - Wireless peripheral devi
Page 185 and 186:
nearby. The best way to prevent suc
Page 187 and 188:
devices are found vulnerable, they
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
CyberDefense.TV now has 200 hotseat
Page 197 and 198:
Books by our Publisher: https://www
Page 199 and 200:
Page 201:
show all

The Cyber Defense eMagazine January Edition for 2024

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?