Episode #105 - Cybersecurity Expertise for Rent - vCISOs

This week the guys talk about vCISO challenges from the perspectives of both the vCISOs and their clients. But wait - what does it really mean to be a vCISO? How do you know if a vCISO is right for your organization? Which vCISO is best? You’ll get answers from the guys as they share their vCISO stories and discuss cybersecurity expertise for rent in today's confusing marketplace! 

 

News Clips

Mass attack on WordPress sites targets bug in WooCommerce plugin

Malicious Microsoft Office docs drop LokiBot malware

Citrix warns of actively exploited zero-day in ADC and Gateway

VirusTotal data leak exposed data of some registered customers, including intelligence members

Google Cloud Build Flaw Enables Privilege Escalation, Code Tampering

FIN8 retools backdoor malware to avoid detection

Microsoft blocks attack on cloud email accounts by Chinese APT group

US Gov adds surveillance firms Cytrox and Intellexa to Entity List for trafficking in cyber exploits

Hacker Infected & Foiled by Own Infostealer

Utility Experts Highlight Chinese Threat to US Electric Grid

Transcript

Hello and welcome to the Cyber Rants podcast once again. Feels like it's been a little while. I think it's been a few weeks since we've last recorded. Been too long. Yeah, a lot of things happening. 

Quick announcement on that note, we are planning to go to a tempo of every other week, which is probably closer to what we've been hitting anyway with work and different things getting in the way, travel, all that kind of stuff. 

We figured, well, hey, we've got lots going on. Let's go to every other week and we will do that moving forward. Still cover a lot of great content and maybe that just means we'll let shows run a little bit longer. 

We'll just kind of see how it goes. No rigid set of parameters here for the Cyber Rants podcast. We just want to get good information out for everybody that needs it. So with that said, this is Zach Fuller, joined by Mike Rotondo, Laura Chavez. 

We are going to talk about things in the virtual CISO realm today. More specifically, how to get the most out of your relationship while using a virtual CISO, but also for those people looking to be virtual CISOs, challenges that come up in working with clients, and how to really make the best for everybody in this relationship. 

Because a virtual CISO can be an incredible asset to an organization that needs support, that doesn't have that in-house expertise. But not all are created equal, right? Not all are going to offer the same things. 

And so we'll cover all these things today and dive in as much as we can. So with that, Mike, you want to kick us off with the news? Good day and welcome to the news. It's been a, you know, keep your heart happy. 

There's always plenty of news. Now, this first story may actually throw Laura into fits of rage, streams of obscenity. But here we go. Mass Attack on WordPress Sites Targets WooCommerce Plugin. Threat actors have carried out large-scale attacks against hundreds of thousands of WordPress websites, exploiting a recently patched vulnerability in the popular WooCommerce Payments ecommerce plugin. 

This campaign, carried out by unidentified hackers, began on July 14 and peaked at 1.3 million attacks against 157,000 sites on July 16, according to a Monday post by a threat analyst at WordPress security firm Wordfence. WooCommerce Payments is installed in over 600,000 WordPress sites to enable payment processing. 

The attackers seek to exploit a critical vulnerability patched in March that enables adversaries to gain unauthorized administrative access via the plugin. The vulnerability, tracked as CVE 2002 328121, has a CVSS v3 rating of 9.8. 

This is just another example of just patch your stuff when it comes out, pay attention. Don't use WordPress if you can avoid it. Well, there you go. We've gone, I think maybe a couple of months without saying that word and man, he broke the streak. 

I actually got permission from Laura to use that story. I wanted to make sure that wasn't going to throw him. I had to throw up a little bit in my mouth to allow that. But it's fine. It's a newsworthy story for sure. 

I think he's sweating over there a little bit. WordPress Payments? Like, who thought that was a good idea? He's white knuckling his office chair right now. Yeah, I kind of am, you know what I mean? Unidentified hackers. 

Of course they're unidentified. That's the whole point. Like, what, are you going to just bust in and leave, like, a calling card? My name is Mike. I'm here to hack you today. If you have any questions about what just happened to your WordPress Payments plugin, please give me a call at my cell phone number. 

Is this. And there'll be a survey after the hack to see how I did. Did you enjoy your hack? How would you rate it on a one to five? Would you recommend it to friends? Would you recommend this to friends? 

Hopefully not. WordPress Payments Plugin. Let's just take this whole thing and put it in a box, in a steel box, and put a big old padlock on that and bury it deep down inside and just pretend everything's fine. 

Breaths, deep breaths. Drop it in the trench. You know what I mean? In the water. On that note, we're going to move to Microsoft. So, Malicious Microsoft Office docs drop LokiBot malware. It's been a busy week for Microsoft with a Chinese APT attack and exploited zero-day fixes in Patch Tuesday. 

FortiGuard Labs observed several malicious Microsoft Office documents that, when executed, dropped the LokiBot malware onto a victim's system. The malicious Microsoft Office documents exploited known remote code execution vulnerabilities in CVE 2021 4044, which is a 7.8, and CVE 2002 230190, which is also a 7.8. 

Patches have been available for both bugs for well over a year, but apparently people don't patch. LokiBot exploits various vulnerabilities and employs Visual Basic macros to launch attacks. It also leverages a Visual Basic injector to evade detection or analysis. 

Leveraging the injector can bypass certain security measures and pose a confident threat to users. Citrix warns of actively exploited zero-day in ADC and Gateway. Citrix is warning customers of a critical vulnerability tracked as CVE 2023 3519, which is a score of 9.8, in NetScaler Application Delivery Controller and their Gateway. 

It's actively being exploited. The vulnerability is a code injection that could result in unauthenticated remote code execution. Citrix warns of the availability of exploits for this vulnerability that have been observed in attacks against mitigated appliances. 

The company added that successful exploitation requires that the appliance is configured as a gateway. The Citrix Cloud Software Group is strongly urging affected customers to install the relevant updated patches. 

Really? That's a good idea. VirusTotal data leak exposed data of some registered customers, including intelligence members. Online malware scanning service VirusTotal leaked data associated with some registered customers. At the end of June, a small file of 313 KB containing a list of 5,600 names was exposed online. 

The file included data associated with employees of the US Secret Service, NSA, Cyber Command, and German intelligence services registered with the Google-owned security platform. Twenty accounts alone lead to US Cyber Command, part of the American military and the control center for offensive and defensive hacking operations. Also represented: the US Department of Justice, FBI, Secret Service, NSA, and official bodies from the Netherlands, Taiwan and Great Britain. 

The leaked data reveals who deals with IT security and malware in the impacted companies and governmental organizations. 

Threat actors could use this information to target these professionals with spear phishing attacks. The exposed records came with names and email addresses. On to Google: Google Cloud Build flaw enables privilege escalation, code tampering. Google Cloud Build enables attackers to tamper with and inject malware into images stored in Artifact Registry, Google's repository for hosting software artifacts such as packages and container images. 

Any applications then making use of these compromised container images risk malware infections, denial of service attacks, data theft and other negative impacts. 

It's been dubbed Bad.Build by the researchers, who recently discovered the flaw after analyzing the API calls requested with a Google Cloud Platform resource. They reported the issue to Google, which investigated the problem and issued a fix for it in June. 

However, the researchers described the fix as insufficient and only partially addressing the vulnerability. According to Orca, which is the researchers, the flaw really is a design issue and has to do with the default permissions associated with the Google Cloud Build service. 

The excessive permissions associated with the service give adversaries a relatively easy way to access audit logs that contain a complete list of permissions associated with all GCP accounts. 

They would simply need to execute three lines of code to build a public gcloud image on the cloud servers and run the commands that Orca provides in a proof of concept to escalate the user's privilege and execute any action that the cloud service account is allowed to perform. 

So get that going for us. I want to call, like, fake news story on that, because the key giveaway to this is that somebody got a Google representative on the phone, which is never. A dead giveaway. Fake story. 

I'm just kidding. It's probably not, but you really got to have a lot of money in your pockets to get Google on the phone. I don't think. I've only managed it once. Google is just a big empty building, really. 

It's just run by those robot dog things that I sent you guys. That's what it's run by. I actually had Google on a phone with a company that I worked at about five or six years ago and actually got a SOC 2 report from them, but we were dangling like a $10 million project in front of them. 

Anyway, there's a couple of big headlines you want to look at. Microsoft blocks attack on cloud email accounts by Chinese APT group. FIN8 retools backdoor malware to avoid detection. Hacker infected and foiled by own infostealer. 

That's kind of a funny one. They kind of hosed themselves. And in really, that's news. Utility experts highlight Chinese threat to US electric grid. Really? Surprise. All right. With that, I don't know if Laura still has a corner or not, but I think that's where we're heading now. 

Yeah. Thanks, Mike. I definitely, definitely have a corner. It's not as dangerous as WordPress or Microsoft, but since we're talking about dangerous things like payment processing, plugins for WordPress, driving without seatbelts, and drinking and driving while you're on your UTV or scooter, let's talk about the dangers of data loss real quick. 

And so I've had some friends and family. This is where all my Laura's Corner stuff comes out of, is what I get pawed at with during the week: data backup. And I've brought this up on a previous episode, but I think it's worth talking about again. 

How do we handle data? I think, you know, Mike and Zach and I all have different methods of that, as everybody does, but I'm going to give you my method and silly or complex or genius, whatever you want to decide it is. 

I hope that you adopt something similar to help protect your data. I think, number one, devices like computers, tablets, phones are all consumables. It takes quite literally just a little spill of water from a three-year-old who's trying to grab for her toy on the table and spills the water in your laptop to just ruin everything that you've ever done in your entire life. 

So in order to get around that, I've adopted the method of backing up my data to USB drives. Now, there are online methods that you can use. There's a lot of online services that you can use to help you do this, but you can't just walk into the data center at Google or at Microsoft and pull your data off a drive. 

Like you have to make sure that there's internet connectivity and these services are up and operational. And if there's a mass solar ejection, they may not be. So, when you want to look at all those little pictures of your kids growing up and the videos you took and possibly the accident you had while drinking on your UTV, I recommend USB drives. 

So I'm going to show you kind of an option that I have. But I want to take a note that my drives are only 256 GB. And I was on Amazon this morning, right before this recording. 

Today is July 21, and I was able to find a 1 TB, yes, terabyte with a T, USB drive on Amazon for less than $11. It was $10.69. Now, would I buy that one? Well, heck no. I'd spend the $40 and get a SanDisk. 

But my point is taken, right? This is getting very cheap; it's very affordable. I urge you to try to fill up a 1 TB drive with the pictures of your kids. You might be able to do it. I thought we took a lot of pictures, but it's not that much. 

Okay, so this is what I do. I have these USB drives and I have a schedule. The schedule is managed through personal devices that have them put in the Apple calendar. Real simple, I know. However, I need reminders. 

So what am I doing? I'm backing up my data from my computer to these USB drives. And I don't just have one, I have four of them, all located in different places. In case something happens to one, I have at least a recent backup of the other. 

So two are real time, two are about a week behind, two weeks behind, usually on the data. So I don't suffer a lot of loss if something happens to two thumb drives at one time, which hopefully won't happen, which is why I have four. 

But I want to show you real quickly, and those of you who are just listening see this. But I have a little jar enclosure, and I think it's for jewels, or maybe it's for like a ladybug if you go out in the garden and you catch one. 

But it's just a very small little plastic acrylic jar, about a half an inch tall, and it's got a little rubber seal in it. And my thumb drive fits right in there. And I have a couple of these that are weather sealed proof, and that way, in case they get rained on or moisture, the drive inside is safe. 

So, just as a word of mouth process that has worked for me for a very long time, I thought I'd share this with you today. For you to share with your friends and family about making sure that your data is not on your laptop or your phone or your tablet. 

Because those devices are, quite simply, one wet hand or one misplaced foot or one misplaced jar of water away from being completely destroyed and your data not being obtainable ever again without probably egregious lots of money to get that taken off the drive, if it's even possible. 

So do yourself a favor. Get on Amazon, buy some thumb drives of various sizes. If you want to do the terabyte, go for it. I urge you to try to fill that up. But buy you some thumb drives, get at least two or three, and make yourself a backup schedule where you're taking this data off of your computers onto these drives at a very frequent interval so that if something happens to your device, you're not without your critical data. 

All right, and I think with that, that's enough from my corner. Zach, I believe we're talking about vCISOs and the challenges that vCISOs have in the vCISO world today. That's exactly right. We are going to dive into that here shortly. 

But first we are going to take a quick commercial break and we'll be right back. And we're back with the Cyber Rants podcast, talking about virtual chief information security officers, also called fractional chief information security officers, although there's some debate and some nuances perhaps in what those really are, but I find them to be interchangeable words for the most part, and also CISO as a service, right? So when we say these things, we're going to use them interchangeably. In essence, what we're talking about are cybersecurity consultants. 

So to preface the conversation, generally speaking, virtual CISOs, fractional CISOs, CISO as a service are those people that are fulfilling some sort of an information security leadership role for companies that don't have that in house. Maybe they have an IT department or a development group, what have you. 

They don't have somebody that's leading the show on the cybersecurity side. That said, they should always have somebody internally. That is the primary, right? Somebody that's actually hired, employed by the company full time, but they're relying on outside expertise. 

So with that, that's what we're talking about. So don't get too caught up on the different verbiage of how these things are described. That's generally what we're talking about. Now, I'm going to share something first before we dive in that generally we differentiate because a lot of times, virtual CISOs, there's a lot of variance in the marketplace. 

When people are shopping for a virtual Chief Information Security officer, they tend to see different skill sets and areas of expertise and what they bring to the table and so on. Generally speaking. 

Now, this is a big generalization, but a lot of these virtual CISOs are people that have worked their way up in the corporate world in their cybersecurity career to some sort of leadership management role and then have since stepped out. 

Maybe they're on the tail end of their career and they're taking consulting gigs, right? And they're doing this on a consulting basis. They might serve one company at a time, they might serve ten companies at a time. 

So that's generally what we see, the progression. Would you guys agree with that or do you see anything else out there that varies, that differs from that? I'd say that's right, yeah. Okay. And then, of course, in the marketplace, it's also important to watch out for. 

There are a lot of companies that have been IT companies for a long time that all of a sudden jump into the cybersecurity game, somebody gets a CISSP cert, and all of a sudden now they're a virtual CISO. 

Right. So we probably want to go with the earlier description, somebody that's actually done this in the security world for a long time, rather than somebody who just all of a sudden jumped in, got a cert. 

Yesterday they were a system admin, and today they're a CISO. Right. There's far too many of those, though. Yeah, definitely. I bring it up because it certainly does happen. So with that, you can hear them flipping pages when you ask them a question. That actually really happens. 

That really happens, listeners. Or asking ChatGPT, right. Typing away. Yeah. Anywhere in the background. So, fortunately for those listeners, we have two highly experienced individuals here on the call that are both in the world of cybersecurity, have been for a long time, didn't just get their certs yesterday, and can speak to this. 

So, first of all, what do you guys think in terms of let's put ourselves in the shoes of somebody that is with an organization that's looking for cybersecurity help. They're out there looking for help. 

What should they be looking for when they're talking to potential virtual CISOs? Well, the first thing I want to say is, based on your description, you basically just called Laura and I old. Yeah. So well, yeah, it wouldn't be the. 

First time on the show. I think the listeners are well aware. Well aware. Old but not obsolete, right? Yeah, definitely not obsolete yet. Goodness wise. Wise and experienced. Thanks. As my dad used to say, old age and treachery will outweigh youth and enthusiasm anytime. 

There you go. Well, to answer your question, go. I think, first off, you need to truly understand what it is that you're trying to accomplish inside your organization. Right. From a cybersecurity perspective, are you trying to do real risk program management or are you just trying to satisfy the leadership's willingness to want to get an ISO or a SOC 2? 

Because they're trying to get the next big gig in the door, sales deal in the I think, you know, understanding your goal is probably the most important thing. And then when you're out looking for and you're shopping for the vCISO or the fractional CISO or the plethora of other names they're calling it these days to try to sell to you, you want to have some interviews with the individuals. 

And then I think the good thing is to try to get some references of companies that have been supported by said option. You're trying to pick and try to understand what the customers of said option are feeling about the services they've been getting from said option company. 

And I think if you know those two things, you're going to be set up in a place of success. Understand what your goal is internally and then shop around in a manner that allows you to look at references for the services. 

Hopefully we've even been asked for resumes, which is, that's yeah, ask for the vCISO that's going to represent you from company X. How long have they been doing this? Like Zach said, did they just get a CISSP? 

And like two years ago they were an analyst doing Windows logging or something and now they're a vCISO. So I think it's important to gauge the technical capabilities of the resources that you're getting, and a resume is a good way to do that. 

And I think even EC Council has a master's in being a CISO. You can take their class for two years and all of a sudden you are considered and credentialed to be a CISO. But that's does that how does that translate over to the real world of companies that are moving at a million miles an hour? 

It doesn't. I mean, I looked at it because I've got the CEH from EC Council, so I looked at their university and it was like, what are you going to teach me? This is nothing I haven't learned in real life. 

Well, that's true, but I think a lot of students of the craft today don't really have the option of getting trial by fire or trial by water hose like we did, just having to go through this. And so I think there's a lot of options now for people that are interested in cybersecurity work. 

That doesn't mean that the curriculum is going to prepare you for being a vCISO out there for multitudes of different companies that are all moving at different paces, that are in different parts of maturity in their business evolution. 

And so I don't know anything about the program, but I do like that there's an option, how good it is. I don't know. My feeling on this is if you are too reliant on credentials by a third party for finding that individual, I mean, there's an issue with credentials in the society. 

How many masters do we have in worthless degrees out there? But hey, I have my Master's, so you have to listen to me kind of stuff. So my point being is that there's a lot of education out there that isn't real education. 

You really need to have a basis in security. You can't go from CFO one day to CISO, the know kind of thing. No, you can't. And that sounds interesting coming from you, Mike, because I think you have more letters behind your name than anybody I know. 

Well, there was a time when those meant know, and I don't think they do anymore. I think called yourself old, Mike. You just did. Yeah. You're the only person or am I. Calling out the security professional in Fortran? 

Am I calling out the overpopulation of security certs? Yeah, maybe. Well, I guess we're kind of getting off the topic. But what's happening is the world of cybersecurity is just getting fuzzy, right? 

There are new certifications, there's new I'll call them pathways to this profession that they're advertising out there. And I consistently get professionals coming to me and friends coming to me, asking me how do I do this? 

Which certificate is best for me? How do I move into the role of a security officer or how do I get into cybersecurity in general? So the certificates don't hold the weight as they once did. I'll say that I think that demonstrated work competency holds far more weight than any paper test certification that you can get. 

Right. And this will date me real old, but back in 1999 when I got my MCSE, that was like gold. And now MCSEs are dime a dozen. That was back when you had to take five. Right. You had to have five core competency tests to get an MCSE. 

Right. The two Microsoft Networking Essentials, I two. That's back when there were twelve people in the cybersecurity industry. Yeah, two of them are Laura and I. Drives were 4 GB and that was massive, you know what I mean? 

So. But back to organizations, you have to review the companies you're working with. I think getting references from companies they serve is one of the best ways to understand what you're going to get into. 

Right. And then just having to, the other thing I think is frustrating is that you may speak with the vCISO, like myself or Mike, on the sales call and we'll set everything straight and you'll feel all good and fine, and then your engagement starts and you've got some outsourced individual from another country or Zippy the intern. 

Yeah, exactly. Skippy the intern. Or Taylor Pat. You know what I mean? The new dangerous individual, enthusiastically dangerous. So you really have to be clear with the company you're contracting with, where is your resource coming from? 

And am I going to get the resource that I'm talking to, you know what I mean? Or is it going to be a filler in the past? And so I think those are some of the issues I see with just engaging with a vCISO or fractional CISO organization. 

Just once you realize that that's what you need. And then there's the whole mess of once you're in there. I want to add something to that too, when it comes to experience. So here's what I see a lot out there in the marketplace: there are a lot of vCISOs out there that have worked and been in cybersecurity leadership roles for these just massive companies. 

Which is great, nothing wrong with that. But if you're a 20-person SaaS company and growing and trying to land your first enterprise contract, a vCISO, unless they have experience in working with companies that are in your state, they don't have to be in your industry per se, but at emerging growth companies, mid-market or smaller organizations, that's a different realm of cybersecurity than a Fortune 50 that has almost infinite resources, right, and massive manpower behind it to get these initiatives done. 

So when you're shopping around, consider the size of your organization and the state at which you're in right now. If you're a Fortune 500, well, you're not going to have a virtual CISO anyway, but you're a large enterprise, you have sophisticated systems, that's one skill set to be able to run and manage that. 

But if you're a smaller emerging startup or whatever the case may be, find people that have experience in that realm. Because if you get somebody that just came out of the Fortune 500 world as a CISO, and now they're a virtual CISO and they're trying to consult your 20 person startup, you're going to run into a lot of headaches there, because you're in a very different state than what they have experience with. 

What do you mean? We don't have a $20 million IT budget. Yeah, just buy this tool, it's only 3 million a year. Yeah. And then hire six guys to run it. That only costs you a couple of million a year. It's easy, we'll get it all done. 

Just where's the money? Oh, there's not any. I would also say you shouldn't hire a vCISO that's only worked for one. Yeah. Because you need to have that breadth of experience. But yeah, you're exactly right, Zach. 

You can't take someone from a Fortune 50 and plug them into Bob SaaS service and it's just not going to work, even though they've got all the credentials in the world. I would also venture to say that someone at that level hasn't really had to deal with those problems, so it may not be as technically in tune as you need. 

Yeah, it's great that you were a leader for a Fortune 50 as a CISO. Right. I mean, that's certainly accomplishment in your career, but it doesn't mean that you're prepared enough to shift gears to support lots of organizations that are very inferior budgets and inferior technologies. 

And so again, you've been this privileged individual in this massive organization and gotten everything that you wanted all the time, and that's just not the reality at some of these, you know. Again, definitely screen the companies and the vCISOs that are going to be working with you. 

I think that's very important to understand where they come from, what their history is, what their track of success is, to understand if they're going to be a fit for your organization. Because like Zach said, you'll be speaking a completely different language and they're not going to understand why you can't just come up with $20 million to fix the problem. 

Right. The other thing is, I would recommend for those of you who are listening that are, like, senior security engineers and want to be vCISOs, take a job at a small company and be their CISO. Yeah, maybe a cut in pay, but that's where you start. 

You work with a 20-person company, it grows to maybe a 30 or 40-person company. You bounce to another company, you bounce to another company, and then all of a sudden you're vCISO at a top 50. You have to build that experience somewhere. 

That resume. I'll add too, on a slightly different note, but similar in nature. One of the concerns I think people that don't have familiarity with cybersecurity in the industry in general have is a lot of times they say, oh, well, we need a vCISO that is specific to our industry. 

We need a CISO that only specializes in credit unions or specializes in a certain type of health care or whatever. And from a cybersecurity perspective, I'd say it's probably more important to have a vCISO that has a breadth of experience. 

Like you said, Mike, not just working at one company. It's probably better to have a vCISO that has experience working with companies in your stage of business, not necessarily your industry. Chances are you're using the same types of products and such, that you have similar infrastructure and all that to everybody else. 

I mean, not everybody else out there, but there's a lot of overlap, right? There's a lot of skill sets and such that cross between industries just fine in the cybersecurity world, so I wouldn't worry so much about that. 

You get into a few little nuances in terms of compliance, but that's pretty easy to follow. If they have experience in compliance elsewhere, it'll be quick for them to step into your realm of compliance. 

It's not going to be a major lift for them, so be conscious of that. Don't cross somebody off the list because they're not focused on your industry. That's going to make it very hard for you to find somebody good if you do that. 

And then again, it's more also just make sure they're a fit for the culture of your company. Are you going to enjoy working with them? I think that's the main thing because you're going to be talking to them at least once a week, if not more, for quite some time. 

So make sure that you enjoy that relationship. I would also recommend that if you're dealing with a consultant, make sure they have a spine and that they're willing to say, no, that doesn't work that way. 

And even though you're their client and they're there to service you, they have to say, look, this is not right, this isn't going to work. I mean, I'm just not going to go into details, but I'm dealing with that right now with someone who has some unrealistic expectations and it's like, no, we're going to need more time for this. 

That's fair. Yeah. You have to maintain your integrity, right, as a security professional and. The organization is really relying on you to help them understand what the best course of action is for any given risk. 

So you do have to stand on that. Shifting gears a little bit, I kind of want to drive our conversation to the challenges. I think that some of not only the organizations, like what can you expect when dealing with a vCISO, and also what challenges do the vCISOs have working in these organizations. 

And Mike, you just brought up a great one, that there's a lot of times where the organization wants to shift gears and it's not a viable option, right. Or they're trying to move in a... it's not a place for them. 

But one thing I'll bring up is that being a vCISO is a lot like being a first responder, even though, as a veteran, I've never been a first responder in that sense, but I kind of think of it in maybe the same family of it's fun, it's interesting, it's new, you don't really know what's going to happen. 

But I think most importantly is that the organization that is looking for a vCISO understands that they have to have pledged leadership's backing to make sure that whatever it is that you're trying to accomplish with your vCISO risk program management is going to get done. 

Because if you haven't gotten clarity from leadership and you're an IT manager and you know you need cybersecurity and you're going to get a vCISO package from anybody, your leadership is going to push down on you and they're going to make your life very hard. 

And so, you know, I know we've talked about a top-down approach, right. Leadership has to understand and accept these responsibilities of duty before we start going down the pay-for-services path and doing all this work, because it'll just turn it right upside down and you'll be in a worse place than you were when you started if you don't have leadership support. 

And that's probably the biggest challenge I see as a vCISO coming into an organization where leadership is kind of aware of what we're doing, but they're not fully aware until policies start getting to their desk. 

Yeah, I'd agree with that. Yeah. You have to have CEO buy-in or owner buy-in or whatever senior management buy-in. Otherwise it's just going to be kicking the wind. Yeah. And trusted advisor: once you've done your due diligence to pick your vCISO company that's going to support you, they're going to be a trusted advisor. 

That's what they're there for, you know what I mean? For you to trust the advice that they're giving you, that is high integrity and it's based in science and data and reality and we're not requesting something ridiculous. 

The biggest challenge, I think, for vCISOs is making clients... At least one of my challenges, and I'm curious to hear from you, Mike, but one of my biggest challenges as a vCISO for these organizations is getting them to understand that we can't do all the work in a vacuum. 

They have to participate. And a lot of times you think you're going to get a vCISO package and they're going to just take care of everything for you, and you don't want a company that's going to do that. 

Right. They can't operate in a vacuum with policies and procedures and security controls and recommendations and architectural changes. And that all has to be a part of the IT operations and the general business at all times. 

Otherwise, again, none of these changes are going to be impactful. Things are going to get turned upside down on you because, again, you don't have that support that you should have and it's not as holistic as it should be. 

So I think that's the other challenge, is that organizations are going to put in probably 30% work time, that the CISO is going to take 70% away from you, but you're still going to probably... I don't know. 

You think that's fair, Mike? Somewhere between... I don't want to use the 80/20 rule, but it might be closer to that, like, a vCISO is going to do 80% of it and you're going to have to do 20. Or do you think it's more like 70/30? 

I think it's actually more like 60/40, to be honest. Yeah, I'd say so. Especially when it comes to policy creation and that sort of thing, unless you're going to empower this vCISO consultant to fire people and to make changes inside the organization that need to be done and remove roadblocks, the company has to do that, right. 

So I can't, as a vCISO, come in and say, all right, we're going to do this, this and this. The company can just look at you and go, no, you don't have the control. You're observing or you're reporting. 

You're recommending, you guide them through the creation of their policies, procedures, make recommendations, but at the end of the day, that individual on the other end of the, I would say phone, but I would say Zoom call or whatever, can just say, no, we're not going to do it. 

And that just makes for unsuccessful events sometimes, and that's the frustration point, and that's where you as a vCISO have to understand your limits. Right. I mean, I was on a call a couple of days ago where if I was running the company, I probably would have fired five people just for the stupidity of their actions. 

That being said, I observed, I reported, I recommended and I documented. That's all I could do. You got to think you got a captain that's commanding the ship and the ship's on its way someplace and we're pretty close to the captain, but we're not making the commands that change the boat's direction. 

That's still got to come from the captain. And so we can scream at the wall until we're blue in the face. That doesn't mean that it's going to be impactful to that captain to make that maneuver change in the ship. 

Right. That's always a challenge. Right. So understanding how to massage these types of controls in and really understand the, I'll call it the cultural dynamic of your organization, because some organizations want to go down a NIST government path and they're so far away from that today that doing something like this would just make most people want to leave your company and go work at Subway. So there's certain things that have to be understood before these changes for risk management and risk program operational management can actually happen and happen consistently. 

Because again, this stuff's Pandora's box, you can't just do it once and be done. But you're right, Mike, maybe to 60/40, we can create a lot of the policy for you. You've still got to proofread it because it's legalese, right. 

Whatever you sign into policy, you're going to be bound legally to, right? Especially if it's pulled in a subpoena. And two, we can't make you proofread it. We can't make you sign it, we can't make you follow it. 

Yeah, we can't even make you follow it there. That's another challenge for vCISOs, is to understand when your company is trying to check the box and how to change their direction when you see them trying to simply just check a box. 

Right? And that's the high integrity point that you need to have as a vCISO, to understand when the company leadership is trying to undermine one of the good controls just so that they can be, quote unquote, compliant with something, right, so that they can get a sales deal through or anything else. 

And I always drive back to the point, and this is something too, that I think is another thing that's not only a challenge, it's a good thing to look to in a vCISO company, is that they should be preparing you for being in court with anything that they do, right? 

Documents, processes, architecture, actual security controls, everything that they do should be done in a manner that would stand rigidity in questioning in court. Because if you get pulled in and they have a technical witness, they're going to be asking all kinds of questions. 

So you need to have a vCISO that has, you know, I guess, down-the-road sight enough to understand that there might be a potential we have to end up in court one day. What steps did we take to make sure when that day comes that we can prove that we did the best that we could through due diligence? 

Right. And that's really the ultimate goal, is to be able to protect an organization in court if that day ever came. Not to mention to just do good security, risk management, follow your processes and your standards and your policies. 

But we know, right, that doesn't always happen. And companies are going to go in and out of compliance multiple times through the year as they make changes. And I think in the vCISO function you are part technical expert, but you're also part educator, mentor, and you're part legal counsel, like you were referring to. 

Yeah, we're not lawyers, but we certainly have seen enough of this and dealt with enough attorneys to say, this is what's going to hold. This isn't what's going to hold, but please run it by legal if there's something questionable. 

But yeah, I mean, educator, mentor, technology expert, and legal expert, at least as it pertains to policy and procedure. I can't help you with your criminal defense or your DUI or that kind of thing. This is not legal advice. 

Yes. Another challenge I see is the time it takes to get through a compliance framework, like NIST CSF as an example, or ISO 27001. We typically prep an organization for a 12 to 18 month journey, but we tend to find, like during about week five or week six of going through this assessment, they're like, are we ever going to be done with this? 

And I think that's another challenge. And like what you said, Mike, that's part of the education, the professor-type tag that we carry to help those organizations and those leaders understand why we have to go control by control, why it's important to ask these questions and not just review documents in a vacuum and make answers, right? 

Like we have to, for that due diligence of the process. We have to look in three places for evidence: the technology, the documents, and we have to inquire of the humans. So if your vCISO is not doing all those things and they're willing to operate in a vacuum, that should be a red flag, because anybody who's doing this stuff is right there with us. 

They understand these challenges that you're going to get from organizations, especially when they have admin. Everybody's an admin. I think that's another big challenge, right, that I can speak of and you probably can too, Mike. 

When companies have issued devices and everybody's an admin on their device, and that's one of the big no-nos in all the frameworks, and that is always a very big cultural push to get everybody to realize that that's a no-no. 

It's frowned upon. I won't call it a no-no. It's highly frowned upon. There's a time and a place for it, not in corporate with everybody being admin, right? So that's a big cultural shift, and just that one control in itself may take a year to massage and message and campaign the right way. 

Champion, as our old leader would tell me, you got to champion that change, to champion that, right. And so you're quite literally defending what I would just consider to be basic right-thing-to-do knowledge. 

Right. But you're having to really push these ideas and over-educate the organization on why these things are important and why they're not going to make a compliance initiative if they don't make these changes. 

And so, like you said, that education piece is key for a vCISO. Well, I mean, I've had battles recently over something as elemental as passwords. And it's like, well, talking to an MSP, he's like, well, they're just going to write it down on their desk anyway, so what difference does it make how long I make the password requirement? 

It's like, really? You've given up? Why don't you just log off and go home and turn the contract over to someone else? Because we all got to fight the good fight. And I think that when you engage with your vCISO company, like Zach said, you got to like the personalities of the individuals you're working with. It's going to be a relationship. 

It's going to be a relationship that might last four or five years, right? Because risk program management doesn't stop. So these individuals you want to make sure, can they articulate adequately? Do they make you angry when you just look at their face? 

You know what I mean, right? Like if anytime they say something, you want to punch them, that's probably not the good vCISO for you, right? You want to make sure that you're looking for an organization that you really quite literally can have a relationship with. 

And you can ask them questions and there can be light and funny jokes and they don't get angry when you go off tangent for something else that might be happening in your organization. And that's the other thing, is that the vCISOs need to be able to pivot expertise very quickly, because you may get on a call and you're expecting to go through asset management for ISO 27001, and they've got an actual emergency and they're asking you questions, or there's an incident, and now you're a vCISO and you're on the hook for incident management. 

So there's a very big chance you're going to have to shift gears throughout your risk management program. And how can you do that? And again, that comes back to that resume and making sure that the people that you're dealing with are the type of people that you want to be. 

Yeah, if you're just reciting chapter and verse from CRISC or CISSP books or any of the ISACA stuff like that, then you're not able to adapt to those things, because I've been on many calls, especially this year, where it's, oh crap, we've got all this stuff going on right now and we need to really talk about that. 

Or how do I remediate this on my web server? So they expect you to do everything from forensics to creating the program, and that's another challenge. And you have to have someone that's at least knowledgeable, or at least is confident enough in their own character's ability to say, look, this is way outside my realm. 

I will gladly put you in touch with a professional that I know that can help you out with that. Ego is a big part of it too, right? So your vCISO has to be confident in who they are, what they are, what they know and their understanding, enough to be able to be honest with you. 

But they can't be so ego-driven that they're offended if you challenge them. So from a customer... I think from the other side, what you said earlier, Laura, about liking your vCISO, I think it goes both ways, to be a likable customer, right. 

Or for those vCISOs out there, people looking to be that, try to make sure you're working with... now, you're always going to have customers and stuff that are kind of a thorn in the side or whatever, but try to make sure it could happen. 

But try to make sure the majority of the companies you're working with, you enjoy that working relationship. I think that's true in any profession, right. What's the point, right, if you're miserable all the time? But when you're having your discussion with your potential vCISO, or you are the vCISO having a discussion with a potential client, make sure that works well both ways and that the client is going to be receptive to what you have to say. 

If they're not, they shouldn't be hiring you in the first place because they're wasting their money, right? So make sure that they're going to be receptive. And the other thing that I've seen out there too, in the market, is just false promises. 

Oh, yeah, sure, we can get you ready for your SOC 2 audit in three months, even though you're starting from nothing. If anybody ever tells you that, that's a lot high, move on. And vCISOs out there, as tempting as it might be, give them the reality that, hey, this is going to be an ongoing process and you're going to have to do this stuff forever. It's not just a one shot. Yeah, we're done and we're moving on. 

So just know that going into this, it is a long-term relationship, right. You're always going to need some level of cybersecurity expertise once you go down this path. It's not just one project. It might be somebody different you bring in down the road, but it's not just a one-project type of thing. 

Oh, we're done. Cybersecurity set for the life of the company. So, I mean, we're running pretty long here. Any other final thoughts? Anything you want to wrap up? I mean, in the cybersecurity world, there really is no Switzerland. 

You're either covered or you're not. And you're at the mercy of the cyber attackers or you're proactively protecting yourself. There's no way to just hide from it. So everybody, every company, I don't care how big you are, needs to be aware of it, of cybersecurity, and you need some kind of professional advice to get through this. 

If you don't have that expertise in house, you just need to choose wisely. And kind of dovetailing off what she said about liking someone, I actually had one of our clients actually tell me at the beginning of the engagement, if I don't like you, we're not extending. 

And she was just blunt. So it was just kind of like, I appreciated the honesty. Awesome. I love it. That is awesome. I'll say that. My closing thoughts here are going to be that a lot of these companies will use different tools. 

There's a lot of tools out there to do this work for vCISOs, right? Everybody's coming to the plate with a new tool that's AI, quote unquote AI-assisted, AI vCISOs. Unfortunately, and we all know this, there's no replacement for humans, right? 

Now, that robot dog thing's pretty cool. That might be the closest thing to a new vCISO you might want to get. But all of these organizations that offer vCISO are going to come in with the different tools and the different techniques or whatever the case may be. 

But don't judge them based on what tool they're using, right? Because using a good old-fashioned spreadsheet still works. What's important is that you're compliant, you maintain compliance and risk program management. It doesn't matter that you're using the new cool, expensive tool that nobody can afford, you know what I mean? 

What's important is that you're managing the program. How you do that, it doesn't matter. Does it look cool to have a bunch of cool charts on a web app someplace? Well, yeah, of course. That's super cool. 

And leadership probably likes to look at the pie graphs. But there's really no difference between being compliant with an online tool or being compliant with a spreadsheet. Spreadsheets are probably a little harder to manage, but those of you who have been managing spreadsheets for the last 20 years would probably argue that point, saying that I can do much more in Excel formulas than I can with any kind of web app right now, right. 

Having to learn the dashboards and all that. So don't judge your vCISO by the tools that they're bringing to the table. Meaning the tools of, what do you call it? Compliance? Adherence, I guess. Or to demonstrate compliance with a tool. Judge them based on their expertise, the stuff that they've done in the past, clients they've served, and most certainly try to get some recommendations from some of the clients they've served. 

Right. Get those out there and see how they've done. Yeah, that's a great point. If they can't get you compliant without the latest and greatest tool, then they aren't the guy for you. My dad used to tell me, like, you don't need a fancy pool stick to go play in a bar room. 

If you can't play with one of the crooked sticks on the wall, you're not a billiards player. Because you should be able to work around the warp. You should be able to turn that so that the warp doesn't matter. 

The warp is in your favor, you know? Definitely. Definitely, Mike. That's a good one. If they're saying they can't do it without expensive tools, red flags should be raising in your head. Outstanding. Well, hey, thanks, everybody, for listening to the Cyber Rants podcast. 

We will see you again in a couple of weeks. Please be sure to rate the show, share it, help us get this information out there to people who need it. It really helps us spread the word. And we want to see cybersecurity and compliance done in a way that's effective, a way that's right. 

That we can really help protect the backbone of our nation's economy and way of life. So thanks again, and we'll see you on the next episode. Bye.