Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall



Episode #25 - CISO As A Service

Companies are turning to Virtual CISO and CISO as a Service providers for help as cybersecurity requirements continue to grow. Some see CISO as a service value, while others might not consider it important. Is hiring a vCISO always the right option? What are the pros and cons? How do you find a good one? This week the guys answer these common vCISO questions and more.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe!


welcome to the cyber rants podcast where we're all  about sharing the forbidden secrets and slightly  
embellished truths about corporate cyber security  programs we're ranting we're raving and we're  
telling you the stuff that nobody talks about  on their fancy website and trade show giveaways  
all to protect you from cyber security  criminals and now here's your hosts mike rotondo  
zach fuller and lauro chavez and we're back for  the cyber rants podcast thank you for joining  
us this is your co-host zach fuller joined by  mike rotondo and lauro chavez and today we are  
talking about virtual csos or some called cso as  a service but before we dive into that deep topic  
uh mike you want to kick us off the news linkedin  confirmed that it was not a victim of data breach  
we there was a message or messaging out there  that linkedin had been hacked apparently they have  
formally denied that the recent disclosed  data leak was caused by a security breach  
uh data that was was obtained was via web scraping  which whatever uh anyway they they're saying they  
didn't get rich how ransomware gangs are connected  sharing resources and tactics apparently they're  
starting to create cartels uh many don't realize  that they're often interconnected some of the  
gangs behind the ransomware campaigns that we  read about have established relationships being  
in league with each other in league with each  other they use shared data league sites and in  
some cases shared infrastructure fbi arrest man  to kill seven man for planned to kill 70 of the  
internet an aws bomb attack i don't think the guy  understands how the internet works but anyway the  
guy tried to blow up the internet and aws  uh aws data center in ashburn virginia um  
just in time for tax season watch out for this  w-2 phishing scam targeting the 2021 tax season  
apparently there's a email that will go out to  you to some people saying you can download your  
tax return here from onedrive it is a forum  that has embedded macros that will basically  
steal your identity microsoft has busy april  patch tuesday with zero days in exchange fixes  
uh they release patches for 110 security  holes 19 of those classified as critical  
88 considered important the  justice department announces  
authorized effort to disrupt exploitation  of microsoft exchange server vulnerabilities  
uh this is kind of an interesting one because  the courts authorize the fbi to go ahead and  
fix the exchange servers that hadn't been patched  altruistic sure the problem is they did it without  
notice to any of the companies that they fixed  and they're still trying to track down those  
companies they fixed and let them know that they  actually did fix them now you should have patched  
the exchange server when all that came out i'm  not sure how i feel about the fbi going in just  
randomly updating servers for you microsoft  patches for more critical exchange server bugs  
um again microsoft just is having a bad week  update your chrome browser to patch two new  
in the wild zero day exploits google continues  our problems coveted related threats powershell  
attacks lead to malware surge power trojans along  with solarwinds compromise and continued spread  
of sunburst malware were major contributors to a  massive spike in the number of observed attacks  
in the wild during the last half of 2020. this is  staggering mcafee said the tax averaged 588 per  
minute in uh q3 and q4 q4 actually was higher than  q3 was 648 per minute ran square attack caused a  
supermarket cheese shortage in the netherlands  this had me very sad uh they apparently um  
a distributor got hacked and they were unable to  deliver cheese in in the netherlands for almost  
a week fireeye has 650 new threat groups were  tracked in 2020 um continues to grow um mandiant  
experts investigating intrusion that involved  246 distinct threat groups organizations faced  
intrusions by four named financial threat groups  six named advanced persistent apt groups including  
groups of the nation states of china iran and  vietnam and 236 uncharacterized threat groups  
so it's bad out there uh intelligent reports four  nation po four nations pose serious cyber threat  
to the us this is a kind of like slap your face  palm one uh it's china russia north korea and iran  
big surprise but that comes from the odni global  attacker dwell time drops in just 24 days that's  
uh quite an improvement um 59 organizations  detected attackers with their own environments  
over the period over the period a 12 percentage  point increase on the previous year so that's good  
attackers target proxy log and exploit to install  crypto locker uh crypto cryptojacking can be added  
to the list of threats that face any unpatched  exchange servers that remain vulnerable to the  
now infamous privacy log on exploit um they're now  using a monero crypto miner for that and that's  
all the uh headlines laurel thanks mike blowing  up the amazon data center huh yeah real smart idea  
yeah um somebody's been somebody's been watching  fight club a little too much i think exactly okay  
anyways uh for exploitation this week  uh we've only got a couple things uh  
most importantly though is going to be jquery  again i've been talking about this for a while  
one of the libraries that i commonly see in my  pin testing work that organizations are failing  
to keep updated as part of their software delivery  and continuous uh patching and scanning programs  
they're missing the jquery libraries that are  you know doing a lot of horsepower work for  
the website so so make sure you're you're updating  those this is going to be the third or fourth week  
um that i've seen various types of attacks for  jquery one um and this week we've got two more  
uh from an independent tester for cross-site  scripting using jquery which which could end  
up being pretty harmful depending on where you're  pulling your library from or if you're hosting it  
and the other one this this week is really uh  forget simple cms if you're not familiar with that  
the smtp compact plug-in uh has a remote code  execution for it which is pretty serious so if  
you're using git simple make sure that you're  uh upgrading away from that contact plugin  
and that's pretty much it for this week  in exploitation just remember if you can't  
exploit it is it really vulnerable the question  of the century will we ever know the answer  
i thought it was at the center of like a  lollipop of some kind or something i don't know  
i'm pretty sure laurel and i have been at the at  the forefront of some of those wasted efforts of  
trying spending hundreds and hundreds and hundreds  of man hours trying to fix something that was not  
exploitable because some manager decided  that it had to be done all the wisdom
yeah that's that's that's a word for that sure  what was that one i don't know there's some hack  
that came out a couple years ago you actually  had to have physical proximity to the server  
in order to hack it so you know working for a  very large company with secured data centers  
who's going to hack it who's going to actually  have physical proximity to it and then  
that anyway the admin whatever yeah get a real  admin you got bigger problems yeah because  
he's going to he's going to exploit that server  you know instead of using his admin password so  
yeah i guess you've never seen mission  impossible tom cruise in action it could happen  
uh or swordfish yeah you have to have 16 displays  and a chair that lays all the way back in order to  
in order to get the hydra yeah yeah you can't  you can't find the hydra without at least  
six 27 inch monitors no way right  and halle berry helps true story well  
the topic of today speaking of great wisdom  is virtual c cell or cso as a service  
and before we dive into it too deep let's just  start with an overview of what it is basically  
what happens is when small or emerging companies  start growing they inevitably reach a point where  
they say hey we need some we need to do something  about cyber security we have technology now  
we have customer data we have systems that we  rely on for operation operations that need to  
be protected and we're not doing it adequately on  top of that compliance requirements and on and on  
and so the natural place to look is  for a virtual cso or cso as a service  
type solution and generally what these are  not always but for the most part a virtual cso  
or cso as a service is going to be an individual  consultant kind of a individual person that  
just advises companies you know they might  have a couple of clients that they work with  
at any given time and they will be there to help  guide and direct their cyber security program  
so there are a lot of pros and cons um and uh  there are companies that virtual csos are great  
for and others not so much but that's what we're  here to talk about today and before we do mike or  
lauro what you know what have you been seeing  out there in the virtual cso space um what if  
what's been going well for them and what where do  they fall short of companies needs well one of the  
things that i see is the expectations aren't set  properly uh for the vc so a lot of times and the  
you know everything may be spelled out on a  cell but there's still some miscommunication  
or misunderstanding that you know you see so  is not a button to see he's not necessarily  
uh going to be your security engineer  he's not going to be looking at your  
tools he's not going to be you know um  that's not really what he's there for so  
that's what that's what i see is that's the  biggest pitfall i see is that the expectations  
aren't set properly that being said um we also  run into issues where they go and they're excited  
they're they're jacked up to get the bc selling  because they're going to do all these initiatives  
and then you can't get meetings set and the  appropriate resources aren't available because  
they're running around uh fighting fires and  ktlo lands so um and then you have the other  
companies that uh just their game busters  where they're like yeah sign us more stuff  
we'll do it we'll do it and they actually track  it and go forward so that's what i see a lot of  
yeah i see i see pretty much the same stuff um  you know i think that there's a misconception  
that just because um the individual is titled as a  chief information security officer that they know  
everything about cybersecurity and so you know i  think back to those you know expectations right  
i think you need to understand that this  typical this typical individual is going  
to be a leadership type and it's going to have  kind of a more strategic overview to assist you  
in your activities but you're going to like  mike said you're going to be required to  
do a lot of the work okay they'll point out  shortcomings and things and you know probably  
one of the first things they're going to say is  you don't have enough people so i mean that's like  
kind of a reoccurring thing i'm here a lot um a  lot of the organizations that we see getting this  
kind of vcs of consultation type work or just  really finding out that they you know you know  
kind of the obvious right they need more tools and  they need more people to manage the tools yeah or  
they need more capabilities rather than tools  right and that in some sense is that that will  
come with tools but they need more capability and  they need more people to manage that capabilities  
yeah a lot of people just want to check that  box right oh we're going to see some now we'll  
get all the stuff done and it doesn't  work that way there's really actual effort  
um and no tool you know more tools necessarily  the answer it's more resources and we all know  
resources are scarce but you know you start  training people find interns do what you can  
yeah i certainly think there's value there i  think we you know we've we've seen organizations  
that see you know that that have obtained value  from from using you know various vcso resources  
to have that type of strategic vision for cyber  security but you have to remember that it's it's  
a couple year plan right they're not gonna they're  not gonna look at activities to help you you know  
get short up in the next couple months right um  they're you know they may have that capability but  
a lot of them are gonna be a strategic perspective  of the business and and dealing with privacy and  
risk over the course of the next several years  um and to try to position you in a place to get  
budgets right and get people right right to kind  of understand what that what assets you have today  
um not necessarily to come and be your full you  know cyber security team right or even a manage  
your cyber security team that you you know may  or may not have oh i was going to say and and and  
you know in all fairness to the organizations  hiring vcsos a lot of times they're marketed  
as a one-stop shop we're going to do everything  you know the website would make it appear that  
yeah you know you hire hire me and your entire  security program just falls into place um right so  
that we do see a lot of the marketing around that  stuff we do see a lot of kind of misrepresentation  
um but um that's not you know not always the case  now a good vc so i think will right up front um  
tell you where they are strong um which like you  you both mentioned is really around the strategy  
a high level governance and compliance right  they can support the development of policies  
and procedures for your organization guide the  leadership and better decision-making and then  
probably bring in help bring in other resources  or vet other resources but it's certainly not a  
one-stop shop want even more cyber rants be  sure to subscribe to the cyber rants podcast  
get your copy of our best-selling book cyber  rants on amazon today this podcast is brought  
to you by silent sector the firm dedicated to  building world-class cyber security programs  
for mid-market and emerging companies across the  us silent sector also provides industry-leading  
penetration tests and cyber risk assessments  visit and contact us today  
now the click bait is real right and um i think a  lot of you know a lot of it is is that is cutting  
through the you know i call them nothing burgers  right cut through that and then you know find  
yourself a good resource that does meet those  expectations you have but you're absolutely  
right zach it's very very common yeah you know  and sadly we're finding a lot of people that are  
fly by night you know one-stop shop guys or try  to be and they you know throw out some garbage  
and really create makes things worse uh than  when they started but they're great sales type  
people you know um unfortunately there's a lot  of that in the security world because they speak  
a language that people don't understand and you  know sound smart and then make a mess like that  
like that risk assessment we just looked at with  from that cissp that um basically just went down a  
list and checked check it was a check or an x over  control is implemented yeah oh man yeah absolute  
garbage and i'm sure they paid a ton for it you  know just like and actually you know we've seen  
like pen test reports from big companies too that  are absolutely machine language garbage you know  
but well it's sad because these organizations  are you know here's the thing is cyber security's  
popular right now right unfortunately i mean  um bad guys are working around the clock so  
everybody who every it company who that was in  the game before is now trying to get a leg in  
in cyber security right and so they're they're  offering different various services and you know  
i think that that marketing is is really driven  you know solely around a lot of that you know yeah  
you know the proliferation of ms mssps or  msps that are trying to sell themselves to  
security people because someone's reading a  cissp book at the office and they're now a uh  
they're not an expert yeah and that's sad  see the organizations right and they they're  
they're trusting these these  cyber security organizations have  
operations of high integrity and they're  really just winging it and so they don't  
what what's sad is it now they have a false sense  of risk right and and a false sense of objectives  
that they need to complete or that they should  have completed because you know the assessor  
wants to give them good marks right or you know  be lenient right be seen as a lenient assessor  
and unfortunately leniency doesn't drive proactive  cybersecurity processes no yeah i mean you have to  
tell truth right you have to say you know what's  wrong is wrong and what's right is right and  
you know yeah no let's be honest like no  no organization really there's a very small  
subset organizations that want to be proactive  cyber security on their own typically it's all  
downstream from a governance or compliance they  must be right right or client requirements and  
you know you got to go in as a vc cell and say  you know realize that facts don't care about  
your feelings so you know it is what it is right  this is wrong this is wrong this is wrong you know  
we'll fix it and it's going to take x amount of  time but you're going to have to commit to it um  
and a lot of these companies just want the check  box and you know the warm fuzzy that goes with it  
you know we've come across companies i mean  and and you know i'm not going to out any of  
our clients but you know we have people that are  hesitant because they've been burned before and  
you have to win that back and rebuild trust and  um typically we've done that by doing an ecra  
first an enterprise cyber risk assessment showing  our worth and then the vc so gig comes from that  
afterwards it's like it's like a it's like getting  in a relationship and the person had you know a  
bad previous relationship and you've you've kind  of got to get through all that right to make them  
make them understand that you're to be true you  can be trusted and that sort of thing right so  
it does it does increase our work but you know and  that said too it's it's just like anything else  
right there are there are in world-class vcsos and  there's people that should never use that you know  
terminology on their website and their marketing  materials and that sort of thing that are  
that are uh selling the service so there's  there's both sides but i think in order to  
kind of guide people in the right direction  um you know it's it's important to look at  
the background their previous experience do they  have actual cyber security experience working  
with within large organizations yeah right because  that's where yeah like through governance right  
you don't you don't just do you can't just  be in like small business cyber security  
your entire life and then and then really  function as a see so capacity right you  
need or be an or be an i.t manager and then get  an it was kind of a magical title of security  
manager because nobody else would do the job  right right right you need you need real world  
experience in a large environment where  there's a lot of structure where there's a  
there are a lot of systems and processes that  have to be in place in order to adequately manage  
cyber risks so i think that's one of the things  to look for in the background certifications  
of course but um like we you know talked about  there's not that's not everything right because  
people can go out and and study and get to  take the test right but i would look for that  
prior experience where they operated what um large  corporations fortune 500s what government entities  
things like that to see okay where's the basis of  knowledge coming from and uh if that's not there  
it's probably not not all that real right because  the books only go so far the certs are only going  
to take you so far that that actual experience has  to come into play um so it's something to look for  
and i think you'll find some there are some really  good vcsos or cso as a service out there that have  
a more um robust background and another thing  to look forward to is what are they how do they  
operate right so one of the things that i've seen  curious to hear thought about this but and i think  
this is a huge disservice but there are companies  out there that are that are charged by the  
hour virtual cso basically call us when you need  us now there's a severe problem with that because  
the vcs should be driving the show driving the  security strategy and operations continuing to  
push forward proactively at all times it's not a  it's not a reactive type measure and so i would  
i would consider that too what does  their structure look like are they coming  
to you with a plan that's well articulated well  laid out and reasonable or are they saying call us  
when you need us and book some time and we'll just  charge you by the hour because if they're doing  
the latter that's not gonna that's not gonna  build a program for you just it just won't  
it's not no that's that's a security help desk  that's not a vc so and you know we do do some  
things that are a bucket of hours but they're a  specific bucket of hours for a specific purpose  
right right as opposed to a vc so but um i  just wanted to go back to two things one uh  
when you're looking for a vc so you're looking  for someone that's had experience you don't want  
someone that's worked at the same company for 25  years and that's all they know they need to have  
breadth of experience they need to have done this  at three or four or five different companies right  
um you know you can commend the loyalty of being  there for 25 years in one place but in reality  
you only know one way of doing things then  um the other thing is on some of the search  
while all certs are not created equal some of  them do actually require experience um points  
to get like some of the cissp and sea risk  and you know those kind of things uh for my  
soccer and ice squared however we've also seen  where people are fudging that experience and  
that sort of thing so it is kind of still a crap  shoot even though they're requiring experience to  
get that actual serve so yeah good stuff and you  know you can always ask to you know you know first  
know for me with these these professionals ask  the company to you know have have you meet with  
the vc so it's gonna be assigned to you that way  you don't sign up for a service and you meet one  
individual and then when it comes time to actually  do the work you get somebody completely different  
that you never met before i see that happen a lot  right we'll have like the main the main individual  
is really really well versed very articulate in  the subject and then you'll you'll get kind of a  
b or c level player that'll get kind of put into  the into place so interview the the organizations  
and you know what i like to do is ask ask about a  linkedin page if you have a security professional  
that's claiming a lot of things that don't have  a linkedin yet you should be concerned um and  
and i don't do social media is not a a an excuse  for linkedin for a cyber security professional  
today right you don't have to do instagram or  facebook or gab or any of the other alt tech stuff  
but linkedin is you know certainly a place for  professionals so look for that and then also ask  
them to describe some um successes that they've  had in their career of doing bc so work and where  
they've had some failures and i think that will  give you a realistic picture of that individual's  
capabilities yeah very good points excellent yeah  it always kills me when the the these these people  
like hide even on even on linkedin it's like well  are you actually doing business you know because  
there's because if you're a security professional  you're not afraid of getting hacked through  
linkedin or the you know open source intelligence  gathering through linkedin right because you're  
protecting yourself in other ways but you reality  is you still have to do business so that that  
presence still matters and then another thing  i'd add to that too is all these certifications  
are verifiable right they each have everybody's  got a certification number assigned to their certs  
and that can be validated on the governing  bodies website so whether it's ec council  
or isak i see square any of those you can you  can validate that person does in fact have the  
certification and it's active um and that can  just be a step in the in the vetting process  
um but i think uh all all excellent points and  so to go back you know and and do a little bit  
of a recap so we've talked about the virtual  cso or cso as a service is is not a one size  
fits all approach right it should be tailored  to the organization the services should be  
tailored to the organization because every  company is unique right and and your vc so  
generally speaking it's a rarity to have both but  they're generally going to be on the strategic  
side not on the technical side so they're going to  handle the governance and compliance and strategy  
and then they're generally going to bring in third  parties to do things like penetration testing  
implementing tools technical configurations  building hardening images things like that that  
they're just they don't have the background or  skill set to do on their own if you get one that  
can do both that's a rarity um but generally  speaking you have to consider your budget  
and resource allocation of your of your  own team members if you have some technical  
people that can handle the you know these  projects at the direction of the vc so  
but you have to consider those those additional  factors on top of the vc so price right because  
it's not it's not going to be you know whatever  the vc so charges you um it's not going to be  
the end-all be-all budget that you need for cyber  security well the vc so needs to be technical  
i mean they need to at least understand or at  least have had you know done this in the past  
kind of thing like you know laurel handles you  know most of our or all of our fantastic his  
team does that but you know in the past i had that  skill set i don't do it anymore it's molded over  
but i still understand the language you  know where i focus more on compliance and  
that sort of thing so i mean it's they need  to have that background at least understand  
you know what's going on right you're still  a good hacker what are you talking about man  
well yeah i guess my point in the way we do  things is i think uh quite a bit different  
than what we see out there in the industry for  for a good reason that's how we've designed it  
right so it's bringing in a team  together to bring in all the components  
that are needed of course we don't sell  products and tools and things like that they can  
get those elsewhere but for us it's the focus  is bringing in the the strategic and technical  
realm of expertise and the hands-on support right  so we're not just going to stop at the guidance  
um we're going to do the um implementation and  support as well but that's generally that that  
for the most part in the marketplace that does  not fall under a vcso type service that's kind  
of a offering of its own you know excellent points  about the virtual cso or cso as a service uh they  
can be a tremendous asset for an organization  and just like anything else they're they're  
virtual sees those that are absolutely  world-class and do a great job and there  
are those that are completely misrepresenting  their skill set and their service so be careful  
when you're shopping out there folks it's not all  the same everywhere you go just because they say  
they can do cyber security doesn't mean  they can do cyber security so mike lauro any  
final comments before we wrap up just don't buy  into all the buzzwords and everything like that  
because you know they'll throw terms out there  that make them sound smart they don't necessarily  
are smart check the check the background check  the website check you know make sure it's  
who you're talking to is really who you're talking  to and you know if you are concerned then uh you  
know do the trial basis do a cyber risk assessment  see what kind of work they actually produce or ask  
to see if they can provide you a sanitized report  of some time you know that that type of thing  
um but it is a critical need and everybody needs  to have or every company needs to have some kind  
of security direction especially in this world  today i mean i think one of the headlines and we  
say there were 680 attacks per minute according  to mcafee um so cyber security criminals aren't  
aren't slowing down so you need the help  yeah good points click bait is real just  
add on to that you know clickbait's a real  thing they're using keywords right they  
want you to contact them right everybody's  trying to get in on this game right now so  
think of it as like car mechanics okay if you  google car mechanics in your area i'm sure  
there's a lot of individuals that operate out of  professional dealerships and their home garages so  
you know it may it may look like a cost-effective  option but then when you start having issues later  
you're going to end up going to the dealership  anyway so you know just make sure you're making  
the right choices for the problems that you need  to solve and if you're looking for that leadership  
that you're um you know like mike said you're  checking that individual and asking good questions  
make sure your virtual csos have good beards  well that that's required that's that's a sign  
of expertise i thought of wisdom right exactly  works for both of you just makes me look gold
well thank you everyone for joining us on the  cyber rants podcast check us out online at or grab a copy of the book  on amazon but most importantly if you like  
the podcast subscribe reach out let us know your  feedback comments all that uh we've always loved  
to hear from you and we will see you on the next  podcast pick up your copy of the cyber rants book  
on amazon today and if you're looking to take your  cyber security program to the next level visit us  
online at join us next time  for another edition of the cyber rants podcast