Being a Virtual CISO (vCISO)

Almost 7 years ago I started my journey as a Virtual CISO, or vCISO. At that time, this term hadn’t even been invented.

I had to develop a framework for creating custom security programs (and security teams) for very diverse types of businesses. Startups are not a “one-size-fits-all” kind of deal. Some are struggling for cash, some get lavish investments, some founders have an appetite for risk, some don’t…

One of the first tasks in front of me was to develop a list of “what works” tools. On a limited budget, you don’t have the luxury of trial and error, so my experience from the trenches served me really well.

Another thing I had to get good at was to understand the companies’ goals – did they want to become compliant with some regulation, did they care about security, what kind of risk posture were they looking for?

After that, I could write the right policies to help them achieve these goals. A startup has to be nimble to succeed, so you can’t add a lot of policy and process overhead, or you’ll lose your founder’s support very quickly.

Lastly, I had to have very clear communication with the executive team on the risks – explaining what could happen to the business if something gets or doesn’t get done. Sometimes the naked truth hurts – some people could see a security scorecard as “finger pointing” (especially devops teams), but it is not. Its purpose is to show weaknesses that can be exploited. Breaches happen, and when they do the CISO must explain why – because people will “forget” that they didn’t allocate time for patching, security alert investigation and so on…

Take all this and multiply it by a few clients, and soon you’ll need to manage your time extremely carefully so you don’t drop any balls. A virtual CISO must be always on, no matter what – so the laptop and Internet connection become part of your vacation, and work never really stops.

Would I go back to my days of being tied to a desk and a daily commute? Never. If there are any good things that came out of the pandemic, it is the freedom of working remotely – or on-site, if one chooses, but nevertheless a freedom that wasn’t there before. Let’s hope this trend continues and that soon startup founders will realize that a great vCISO, even if part-time, is much better than an average full-time one.