Please tell us a bit about yourself, your background, and how you got into the cybersecurity industry.
In 2007, I was at a crossroads. I had two good job opportunities – to be a Product Manager for a speech-to-text product, or a Product Manager of SecurID at RSA Security. Obviously, I chose security! I haven’t regretted this decision once. I had always liked security. I knew that a security role would open up many more opportunities for the future. And boy was I right!
What is the origin story of Fractional CISO? How did it all start and what are your core values?
In the mid 2010s, I saw that the cybersecurity leadership I was providing was needed by many midsize organizations. I had been working in the enterprise space, where it is easy for them to hire a full-time cybersecurity leader. It is much harder for midsize organizations to do the same, so my idea was to use the “Fractional” model to provide this service to many companies.
When I quit my job to start Fractional CISO in 2017, I didn’t have any business lined up. The first month was more than a little nerve-wracking! But leads turned into clients and I was up-and-running. We made our first hire in 2018 and have enjoyed sustainable growth since then.
We’re now 15 employees and counting. We strongly believe that all organizations have a responsibility to society to secure their operations. To run a modern business is to collect data on your customers, your partners, and your employees. Every organization is responsible for safekeeping that data. We believe that by helping to secure our clients we are creating a safer world.
How do you think the role of a CISO has evolved in the last five, ten years and how do you see it evolving in the future?
I will answer for mid-market companies. 10 years ago most mid-market companies didn’t have any sort of cybersecurity leadership. Mid-market organizations have lots of stuff to protect and therefore the role of the CISO or another cybersecurity leader is valuable to them. Sometimes, they may hire a CISO or promote one from within. Frequently, the cybersecurity leader will move on to larger enterprises where the compensation is better. This is a real problem for mid-market companies.
Think about all the organizations of this size you do business with. They have millions of dollars worth of services, data and business to protect and can’t affordably retain a CISO. Either they take a non-security person and put security in their job, or they hire a CISO at a high cost.
Commonly, security is passed to another leader like the CTO. This works okay: they are technical leaders who are capable of performing the work. However, they lose time they could be spending on other tasks that are more central to their role as CTO.
Another growing option is the Virtual CISO (vCISO) model. It allows companies to have a dedicated security expert focused on their needs, even though it’s only on a part-time basis. We are in the early, beginning stages of CISO job growth still. Most mid-market companies don’t have a CISO, virtual or otherwise. I expect that to change over the next several years.
What are the top 3 cyber risks that your customers face nowadays and what are some best practices that you share with them?
Many companies undergo serious risk from these three threats: phishing and spoofing emails, insider threats, and ransomware.
These threats are all related, and are the most common attacks. The default situation for most businesses is that they are not well-protected from these attacks. Phishing and spoofing emails get through unprotected email systems and are put in front of an untrained population. The consequences are well-understood. Employees can easily and accidentally click on a link and get malware installed on their computer, or accidentally send money to the bad guys.
The attacker’s methods are getting more sophisticated all the time, making it easier to trick folks. Financial and reputational damage commonly result from these sorts of attacks – especially if someone compromises an email account and contacts customers and vendors.
For new clients of ours, fixing the email situation is a top priority. We help them harden their Microsoft 365 or Google Workspace – neither system’s default configuration is the most secure (especially Microsoft). Microsoft 365 customers also need some sort of additional email gateway. Next is training – all employees at all companies need to be trained to detect and report phishing and spoofing emails. Well-trained employees are much less likely to be fooled.
Insider threats are very difficult to combat. You have a trusted employee who is doing bad things. It’s hard to monitor trusted employees; you can’t restrict their access because it’s their job to run those key systems and programs. The consequences can be pretty dire. Whether you view him as a hero or a villain, Edward Snowden was a dire insider threat which cost the United States billions of dollars in lost intellectual property, adversaries changing their behavior and serious reputational damage.
Least privilege permissioning is an important practice to implement to limit the maximum damage any privileged insider could do. Also, treat your employees well, so they are less likely to be bribed or become irritated and take revenge. Tesla had a factory worker turn down a $1 million bribe by a Russian national!
Ransomware is dangerous because its attacks are so costly. They heavily impact business operations, and are difficult to recover from. It is important to take this threat very seriously. Thankfully, our clients have not seen much ransomware – though we are very proactive in ensuring that’s the case.
Good backup practices, technical email mitigations, and strong EDR/antivirus all go a long way in preventing ransomware attacks from striking. A Security Operations Center (SOC) capable of rapid response will also limit the damage any potential ransomware attack could have. And again, good employee training goes a long way in prevention.
What inspires you within your work?
Mid-market companies are incredibly exposed and we see an opportunity to help protect thousands of companies and millions of people with stronger security programs. The positive impact that we see on a per-client basis is incredible. We are materially helping clients reduce their risk profile, and it is so obvious to both them and us. It is very rewarding work!