CSO Perspectives (Pro) 12.12.22
Ep 94 | 12.12.22

Virtual/Fractional CISOs

Transcript

(SOUNDBITE OF SONG, "SAN FRANCISCO")

The Mamas & The Papas: (Singing) If you're going to San Francisco. 

Rick Howard: You're listening to "San Francisco," recorded in 1967 by the "California Dreamin'" folk band The Mamas & the Papas as an anthem to the Monterey International Pop music festival. It became the official theme song of the Summer of Love, when thousands of young people descended on Golden Gate Park in San Francisco for a Human Be-In, putting hippies in the national spotlight for the first time. When I hear this song, I don't know why, but it always makes me think about all the cybersecurity geeks and entrepreneurs who descend on San Francisco each year for the annual RSA Security Conference. 

Rick Howard: I love going to RSA. For me, it's like a combination of high-school reunion and rock concert, but a rock concert where only cybersecurity nerds come, and all the bands don't sing and play music. They show us their code on stage and play Fortnite in the background. And instead of wearing long hair and bell-bottoms, they wear jeans, a suit jacket and a polo shirt proudly displaying their company logo. It's like a high-school reunion because everybody you have ever met in the cybersecurity profession shows up there eventually. I swear I've met the same people at the same intersection of Third Street and Howard Street, where Moscone Center and the W Hotel stare at each other, every year for the past five years, and the conversation picks up right where we left it the year before. 

Rick Howard: And one of those conversations this past June was with a good friend of mine, Todd Inskeep. Todd is the founder and senior managing director at Incovate Solutions. And he helped us tremendously in getting the Cyber Threat Alliance, the ISAO for cybersecurity vendors, stood up and running. We actually met this year on the second floor of the Marriott Hotel in the sitting room just outside of the CyberWire's recording studio for the event. And he blew my mind with the latest development of CISO evolution, something called fractional CISOs. So strap in. 

(SOUNDBITE OF FILM, "JURASSIC PARK") 

Samuel L Jackson: (As Ray Arnold) Hold on to your butts. 

Rick Howard: This might blow your mind, too. 

Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Md., in the good old U.S. of A. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 

Todd Inskeep: I'm Todd Inskeep. I'm a cybersecurity executive adviser. I work with medium and small businesses on their cybersecurity programs as a fractional CISO. 

Rick Howard: Almost from the beginning of internet security - say, late 1990s to early 2000s - there have been big consultant companies like Accenture, Booz Allen Hamilton and Deloitte that you would bring in to provide advice and counsel for things like accounting, finance and technology. But in the last four or five years, there has been this trend where smaller, more boutique organizations, like the Krebs Stamos Group and Todd's company, Incovate Solutions, that have a raft of cybersecurity experts on staff, like former CISOs, can be hired to come in and fill some sort of gap as a consultant or contractor. I knew this was going on, but I really wasn't paying attention to the trend until I attended RSA this summer. All of a sudden, this niche offering that some of my friends and colleagues had started had become a real thing in the industry. I mean, it feels to me like it has legs. I've been calling these new kinds of contractors virtual CISOs. But Todd has a better name for it. 

Todd Inskeep: Yeah. I like the term fractional CISOs. Virtual makes it feel like you're not really there. 

Rick Howard: That's true. 

Todd Inskeep: I mean, it's just - virtual. It's like we say virtual too many times. I really think of it as a fractional thing. I'm not at a company full-time, but I'm providing the expertise that you'd expect a CISO to provide and to provide that perspective and executive insight and strategic view. 

Rick Howard: And the reason we're doing this is 'cause you and I ran into each other at the RSA Conference this year in San Francisco. You were telling me about Incovate Solutions. So before we get into the details here, just tell us what Incovate Solutions does. You did a little bit there. 

Todd Inskeep: Yeah. So Incovate Solutions is really an executive cybersecurity advisory firm. And what we try and do is work with any companies where we can find an opportunity on their cybersecurity program, providing an executive view on strategy, on risk management and thinking about cybersecurity issues as they apply to the business. Not just about locking down servers - that's kind of typical cybersecurity activity - but really focused on the CISO's role, which is translating all those detailed requirements, the configuration controls in M365, for example, into something that makes sense to business executives. We're really focused on working with those business executives on providing the right program for their business. 

Rick Howard: What makes the idea of a fractional CISO attractive to business leaders as opposed to just hiring a full-time CISO? 

Todd Inskeep: Yeah. I think there's a couple of things that really are attractive to businesses and why they're thinking about a fractional CISO. We've seen over the years the idea of a fractional chief financial officer, a fractional chief information officer or information technology officer. And the next step is obviously to think about it from a security perspective. We've seen the SEC and others put more emphasis on cybersecurity as part of the governance of a publicly traded company. It's clearly in the headlines with ransomware and other threats all the time. And so companies are starting to think about, how do I get some cybersecurity expertise that's focused on business as opposed to the IT technology team that's thinking firewalls, configuration controls, a lot of details that matter for cybersecurity but don't really translate into business terms. 

Rick Howard: But why not just hire a CISO to do all that? Why would you contract that business out? 

Todd Inskeep: Well, because we've tried to make CISOs a very professional role. It's fairly expensive. 

Rick Howard: Yeah, they are (laughter). 

Todd Inskeep: Right. And for good reason. And, you know, you and I want to get paid and so do all the folks that are listening to us. And so it's important to be thinking about - for a small, mid-size business, even for some of the upper parts of the Fortune 1000 - having a full-time CISO is a fairly expensive proposition for a role that you may not need to be there all the time. If you've got the right controls, if you've been thinking about the use of managed services, some of the most advanced security tools that are out there now, you may not need a full-time CISO to direct all the processes and procedures and activity. You may need them during an event. You may need them quarterly as you're talking to your board and your executives about the security program. You may need them monthly or every other week to talk to the IT team about the security activities that the IT team is fulfilling to make sure things are going well. 

Rick Howard: Well, I think you're right that CISOs are expensive. Over at salary.com, the average CISO gets about 200 grand a year. And that's just, you know, the typical job. If you're working for a Fortune 100 or Fortune 500, I think that exponentially grows. 

Todd Inskeep: I'd say 200 is on the low end. And at that kind of a price point, often you're really getting somebody who's grown up on the technology side of information security and still hasn't really developed the expertise and the gravitas to present to the board and talk about business and cyber risk to the business. 

Rick Howard: Yeah. You're getting the - you might be getting the newbies there, which is not bad, but it doesn't come with a lot of experience, right? 

Todd Inskeep: Yeah. You may not be getting the focus that you need on business cyber risk. You may be getting a lot more focus on cyber technologies and the tools that are needed to build a good security program. I don't know if you know the old joke about the mechanic and the carburetor, but it applies. 

Rick Howard: No. Please tell me again. What is it again? 

Todd Inskeep: Yeah. So guy takes his car in 'cause it's running rough - you know, takes it to the old mechanic. And the mechanic looks at it, has him start the car, listens to it for a second. And he says, OK. And he opens it up, takes off the air cleaner, puts the screwdriver in, turns, you know, a carburetor adjustment just a tiny bit, closes everything up and says, that'll be $500. Guy says, $500? Can you give me an itemized bill? And the guy says, sure, turning the screw - $5; knowing how far to turn it - 495. 

(LAUGHTER) 

Rick Howard: Exactly right. 

(LAUGHTER) 

Rick Howard: So that's what we get with a fractional CISO. We're going to have someone who knows how far to turn the screw. I like that very much. 

Todd Inskeep: May not have been exactly the analogy I wanted, but you get the idea. You're - you want somebody who really knows what to do and what to prioritize, in business terms and from a business perspective, without trying to overcompensate and secure an industrial complex like they were, you know, running a bank. It really is about trying to fit the right amount of security and manage risk correctly for today's threats, which have evolved a lot over the last 10 years and for your business, which may be very different from the next business down the street. 

Rick Howard: I'm guessing most of the businesses that would use a fractional CISO would be small to medium - in some cases Fortune 500s. But I would guess it's mostly smaller companies. Is that right? 

Todd Inskeep: It's mostly smaller companies. But when I was in a larger consulting firm and we were working with global companies, what I found was that even at the Fortune 500, 550, 560 level and sometimes down in the Fortune 300 to 400 range, those companies don't always have a staff of 50 people and a full-time CISO guiding them. I was amazed at the number of companies in the Fortune 450 to 1,000 that had a handful of people on staff doing security. And a lot of the security functions were really performed by IT, driven by security policies, and then with the security team that was doing investigations and support when there was an incident that needed investigation. 

Rick Howard: So let's talk about some of the use cases. We talked about why it's attractive to bring these folks on to help. But what do these virtual CISOs get asked to do when they're contracted to come to work? What are a couple examples? 

Todd Inskeep: Yeah, it's a wide range of things, but we typically find ourselves starting off with some kind of a security assessment. Sometimes a company will have already hired a typical consulting firm to do an assessment, but then they've got an assessment that lists the 700 and some controls in the NIST Cybersecurity Framework. And now they're trying to say, well, which ones are most important? Which ones should I implement first? That's a little bit of an art and a little bit of science, right? The science, as you know from the Center for Internet Security, is that there are certain priorities that need to be done first. You need to know what the inventory of assets is. You need to have multifactor authentication deployed. You need to have some controls so that you're limiting vulnerabilities, and you're making patches. But then you also have to think about what are all - looking at all these other controls, what are the things that are most important for this particular business? And that road-mapping and translation of controls from an assessment into building a program becomes the first thing that we often work on. 

Todd Inskeep: Other things that we work on are managing projects, helping do vendor selection, considering and building out decks to talk about the security program to the board of directors or to business executives, working with the business executives on implementing compliance regimes with privacy controls, with security controls. A lot of times we get called in after an incident when a company is getting told by the lawyers, hey, you're going to get reviewed because of this incident, and you need to be thinking about how you're going to build a long-term security program. That's where a fractional CISO can really come in and be a big help in prioritizing what needs to be done, how it's going to address risk and how it's going to prepare you for the things that happen after an event. 

Rick Howard: So you get this long laundry list of things that you should be doing in your infosec program. You don't have a CISO on board to look at that. And so you bring on a fractional CISO, a virtual CISO to come in and prioritize for you to get the biggest bang for the buck, right? So that'd be one instance. And then the other thing you said was after you've been breached and you don't already have a CISO, this person, this virtual CISO, can come in and put their fingers in the dike and rebuild the program from the ground up to show progress. 

Todd Inskeep: Yeah, those are the two big use cases. The third big use case is recognizing that you haven't invested in security over time and that you want to start getting a perspective on what a program should look like, how you start to kind of overcome the long-term problems that have arisen from a lack of security investment and kind of the technical cybersecurity debt that you've built up or even thinking about moving from below the security poverty line to above the poverty line. 

Rick Howard: One example that comes to mind right away is that - you mentioned a breach. And let's say the leadership team fires the old CISO. You can bring a virtual CISO in here to fill the gap until they hire the new one, right? Is that another... 

Todd Inskeep: Yeah, I've done that a couple of times where we work on an interim basis, basically providing that quick response to - we need a CISO now. We let the last one go for some reason. 

Rick Howard: Yeah. 

Todd Inskeep: We need somebody quick, and we need somebody that can help us start making the transition to a long-term CISO. The other thing - and this is really critical. For a lot of companies, they've never had a CISO, and so they don't know exactly what they're looking for. And we see that in job descriptions for full-time CISOs, that, you know, you have to be able to do everything from cutting the wheat and turning it into flour to baking the bread and delivering it on the truck and... 

Rick Howard: And turning the screw, by the way. Let's not forget that. 

(LAUGHTER) 

Todd Inskeep: And - absolutely. And, you know, there aren't many CISOs that can do all of that, right? 

Rick Howard: Yeah. 

Todd Inskeep: And so you're really - a lot of times in that position as the first CISO inside a company, you're helping the company figure out what their expectations for a CISO are and what their needs really are. As much as we try and think that the CISO job is kind of the same every place, it really is different based on... 

Rick Howard: Oh, yeah. Yeah, it's not... 

Todd Inskeep: ...Where a company is from a maturity perspective with cybersecurity and what their business actually is. Some companies need somebody that's much more focused on product security; others need somebody that's much more focused on the IT infrastructure that the company uses. 

Rick Howard: Yeah, I can vouch for that. In my last gig, I was a CSO for a big company, lots of resources. And here at the CyberWire, you know, we're just a small startup, and I guarantee you what I'm worried about at the CyberWire is not what I was worried about at the big company, right? It just wasn't. So every situation is different. And a virtual CISO can come in and help fill those gaps - right? - if we don't really know what's going on there. 

Todd Inskeep: Yeah. We can help fill the gaps. We can help the executives figure out where they need the most help, right? Some people may understand the underlying technology of their business very well but not be thinking about it from a cybersecurity perspective. Or they may be thinking much more about their compliance requirements and not really thinking about where reducing risk could improve their business or create new business opportunities. 

Rick Howard: We could bring in a virtual CISO, a fractional CISO, to come in to fulfill a specific task. And what comes to mind immediately is maybe creating a compliance program where one didn't exist before. But there's probably lots of examples like that - right? - build the first SOC or build the first red team. 

Todd Inskeep: Absolutely. We've seen build the first SOC, build out the first capability. And sometimes it's as simple as building an initial set of policies and some governance routines... 

Rick Howard: Yeah. 

Todd Inskeep: ...Put some metrics into place so that we can see what's going on. The other thing that I've seen - and I've got a nice project where I'm doing this now - is working with a new CISO who needs some help to kind of build up that gravitas that we were talking about. Maybe... 

Rick Howard: As a mentor kind of, right? 

Todd Inskeep: Absolutely. Acting as a mentor becomes a tremendously important role, and there's times when you want a paid mentor that's actually going to spend some time with you, hands-on working with your projects and the things that you need to do. It's a little bit different from the mentor that you meet, you know, once a quarter at a coffee shop to actually give you some help in growing as a cybersecurity executive that's going to have a bigger role in the company. 

Rick Howard: I think that's a really interesting idea. And I also think there's another use case, too, where an existing CISO who's been around for a while, maybe running a big organization, needs some help to do something specific in his or her own program. So hire a virtual CISO who's got a lot of experience, and let them develop it for you. You don't have to spend time building something from scratch. 

Todd Inskeep: Yeah. I've seen that a lot in industry. Sometimes, you know, in a big company, you can have a trusted lieutenant, a chief of staff, somebody with cybersecurity experience that can go just dig in and drive some of the... 

Rick Howard: Right. 

Todd Inskeep: ...Projects that you need driven. At a smaller organization, it's not always easy to find somebody or to pull somebody out of their operational role so they can really help you implement a new program. And one of the reasons people hire consultants in the first place is that you need some extra manpower to help drive out something new and turn it into a regular operation that then you can bring in and manage as part of day-to-day operations. 

Rick Howard: After the break, Todd and I will discuss this new evolution in the CISO job description. Come right back. 

Rick Howard: So we've talked about the business reasons why a leadership team might want to bring in a fractional CISO or a virtual CISO, and then we've talked about some very specific use cases. What - but all this brings me to the realization that this CISO position, in its current state here in 2022, is not what I thought it was going to be. 

Todd Inskeep: (Laughter). 

Rick Howard: You know what I'm saying? You and I have talked about this, right? 

Todd Inskeep: Yeah, we've had a lot of conversations about this, and I've talked with a lot of people about it since we talked at RSA this year. And what I continue to see is that the CISO position is really about 25 years old, right? We talk about Steve Katz, who was the first CISO at Citibank. 

Rick Howard: Yeah, in 1995. I looked it up before the interview started - 1995. 

Todd Inskeep: Yeah, so 27 years. And, you know, I joined one of the big banks in 1998, just three years later. They brought in a CISO from a major defense contractor. We were building out a huge new program at the bank. And what I saw then was that we were still figuring out what that meant. And, you know, we talked a little bit about the differences between big and small companies earlier. If you talk to one of those top five banks today, they could have 2,000, 3,000 people or more between contractors and full-time employees working in the security organization. I know there's a lot of smaller companies that would love to have a thousand people in the cybersecurity program. 

Rick Howard: I'd like to have one. I'd like to have one guy that can... 

(LAUGHTER) 

Todd Inskeep: And so the - you know, if you think about this and put it in context with the other executive leaders, right? We started tracking shipments of wheat 2,000 years before we started, you know, what we call the common era here. People were tracking that in clay tablets and counting wheat for disposition and export and so forth. Our financial accounting roles have been pretty solidly defined since at least the beginning of double-entry bookkeeping. 

Rick Howard: Yep. 

Todd Inskeep: That's a few hundred years. By contrast, 27 years of CISOs - we've barely scratched the surface on what that means. And we see that in - a new CFO coming on board doesn't go back in and change the bookkeeping, but a new CISO might completely change the priorities of a security program. 

Rick Howard: Wow. I never thought of it like that. That's very true. My only point about this - and you and I have been talking about this now since RSA - like I said, it's not what I thought it was going to be. The title CISO sounds so lofty. 

Todd Inskeep: (Laughter). 

Rick Howard: But here's the thing. It implied so many things. Like, that the person that's sitting in the seat would be part of the organization's leadership team, and that the leadership team thought that security was as important as all the other functions like finance, sales and IT, and except for a small handful of exceptions, that just isn't true. And the CISO's typically buried in an organization's hierarchy. And if they're lucky, they report directly to the CEO or some member of the leadership team, but most are not. And if they're lucky, they get to report to the board on a regular basis, but, again, most don't. And even the title, chief information security officer, it's not the same as CFO, CTO or any of the other C things. The chief in the CSO title doesn't really mean anything. So at best, the CSO is a VP in charge of security, but most are simply directors. Am I off base? 

Todd Inskeep: I think there's a continuing growth in what that CISO title means. But I think you're very correct in that, by and large, it's still a VP-level position as head of information security for an organization largely focused on IT. If you go talk to some CISOs, go look at some of the cutting-edge places where new things are happening, and you find that there's a huge responsibility around security and software development. You might be talking about a product security role, not only in some of those instances, but even in some traditional spaces like automotive manufacturing or industrial manufacturing. That operational technology role starts to become important or a product security role starts to become important. 

Rick Howard: Yeah, the product security role has just kind of emerged in the last year or so. In fact, one of our regulars here at the CyberWire hash table, Helen Patton - she was the Ohio State University CISO - went to work as an evangelist for Cisco, but now has just recently taken a job to be one of their product CISOs. This is a new thing, which is great - more job opportunities for the infosec crowd. I really love that. 

Rick Howard: What's interesting, though, is that we still get fired. CISOs still get fired when things don't go well, right? I mean, just some famous examples would be Alex Stamos at Facebook. We got Mudge at Twitter, Joe Sullivan at Uber. I mean, you know, so, I don't know, what - so we have all that responsibility. But the - I guess my complaint is that the job hasn't risen to the level I thought it was going to be. And now with virtual CISOs, we're kind of like gunslingers, right? We come in out - sort out a specific problem, and then we walk away. I'm not saying anything that, like, that's bad or anything. It's just not where I thought the position was going when I first started this many, many years ago. 

Todd Inskeep: I don't know that I've thought about it as much, and certainly not in the same way. I was interviewing some CISOs recently at a University of North Carolina cyber symposium here in Charlotte. And I asked, you know, did you always know you wanted to be a CISO? And, of course, to the 27-year discussion we're just having, most of them said, no, I didn't even know it was an option when I was going to college. I didn't think about it. And I think we're all still figuring out, what should a CISO be? What does it look like? And I'm kind of coming to the opinion that maybe it's not that similar a job from company to company to company. There was some work done a couple years ago that talked about four tribes of CISOs, ranging from compliance to business enablement, technology leadership and so forth. 

Rick Howard: Todd's referring here to an infographic that the staff at Synopsys put together in their 2018 CISO report. It says that CISOs generally fall into one of four tribes. Tribe one - the security enabler, about 20% of all CISOs. These folks tend to evolve from compliance to commitment. Tribe two - the security stack, about 32% of all CISOs. They focus on the technical aspects of security, and they like getting into the weeds of issues rather than delegating their resolution. Tribe three - the compliance maintainer, 28% of all CISOs. They are not so much worried about the security posture as they are about passing audits. And finally, tribe four - security as a cost center, the remaining 20% of all CISOs. They are usually overwhelmed and under-resourced. 

Todd Inskeep: I think we're still - I think there's a lot more kinds of CISOs and nuances to the role that we're still trying to figure out and - as we said, 27 years in. Couple of years ago, we started having field CISOs who are, you know, helping companies connect to the buyers and the people that are influential in making purchase decisions. 

Rick Howard: I was involved in one of those. In fact, in my last gig, I thought I was going to be a more traditional CISO, but I worked for a security vendor and immediately got parceled out to go talk to customers and speak at conferences when the senior leadership team couldn't do all those things. And by the time I left, we had 15 former CISOs as field CISOs going in and talking to other CISOs about how to think about cybersecurity. So that's a recent development too. So I think you're right. What - our view of the CISO is changing. It's definitely not static. 

Todd Inskeep: No. 

Rick Howard: Right. We're going to see a bunch of new things as we go forward, right? 

Todd Inskeep: A friend of mine used to be the CSO at BlackBerry in, I'll say, the glory days of building phones. And 10, 12 years ago, they were spending a lot of time as the CISO talking to BlackBerry's clients and customers about the security in - built into the services as well as the devices that BlackBerry was building. The other side of that is that we continue to see different kinds of CISOs, and you've probably talked to quite a few people who have been the CISO for a few years. 

Rick Howard: Yeah. 

Todd Inskeep: We know CISOs move around kind of frequently. And there's a number of people I've talked to who've said, I'd like to go back into security. Like, I've been a CISO before. I don't want to go back to being a CISO. It's too much pressure, you know, not enough work-life balance. I want to be, like, the deputy CISO or the chief architect to a CISO. I don't want to be the CISO again. And I think some of those pressures are also changing the nature of the role. 

(SOUNDBITE OF SONG, "SAN FRANCISCO") 

The Mamas & The Papas: (Singing) For those who come to San Francisco, summer time. 

Rick Howard: If you have never attended the RSA Security Conference, I highly recommend it. Besides being a fantastic cybersecurity nerd opportunity, it's also a tremendous networking event. If you want to meet somebody or catch up, there's a good chance that they'll be in San Francisco during that week. The even better part is that I always learn something new when I go - case in point, this fractional CISO thing. On the one hand, it's fantastic. It provides new opportunities for old, veteran CISOs like myself to continue doing security work at the highest levels without being the name on the dotted line when everything goes south. In other words, you get to work on the fun parts without the stress and worry of the not-so-fun parts. 

Rick Howard: On the other hand, though, the CISO position, for the most part, has not been elevated to the senior leadership team. There was a time just a few years ago that I thought that was inevitable, but with the fractional CISO idea catching on and CEOs finding it cheaper and more efficient to bring on some part-time help and not hire CISOs, it feels to me that the CISO community is going in the opposite direction. That said, Todd's point about the CISO position only being 20 years old compared to the CFO going on 40 years now is well made. New CFOs don't come into a new organization and throw out the entire financial system. Those programs are too well-established. That isn't true in the CISO world. All I can say is that the CISO job in its current state is a work in progress, and this relatively new fractional CISO job is a really interesting development. 

Rick Howard: And that's a wrap. I'd like to thank Todd Inskeep, the founder and senior managing director at Incovate Solutions, for helping us learn about this new evolution in the CISO role. And as always, if you agree or disagree with anything I have said, hit me up on LinkedIn, and we can continue the conversation there. Or if you prefer email, drop a line to csop@thecyberwire.com. That's csop@thecyberwire.com. And if you have any questions you would like us to answer here at "CSO Perspectives," send a note to the same email address, and we will try to address them in the show. Next week, I will be interviewing Andy Greenberg, the author of the Cybersecurity Canon Hall of Fame book "Sandworm," about his newly published book, "Tracers in the Dark." And, folks, I just finished reading it. It's the best cybercrime book in the last decade. So you don't want to miss that. 

Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I'm Rick Howard. Thanks for listening.