SafetyDetectives spoke with Rob Black, CISSP, CEO & Founder of Fractional CISO, about the role a CISO plays in a company, how they help prevent cyberattacks, emerging trends in cybersecurity, and more.
Can you tell me a bit about your background, and what motivated you to start Fractional CISO?
In 2007, I was at a crossroads. I had two good job opportunities – to be a product manager for a speech-to-text product, or a product manager of SecurID at RSA Security. Obviously, I chose security! I haven’t regretted this decision once.
I had always liked security. I knew that a security role would open up many more opportunities for the future. And boy was I right!
In the mid-2010s, I saw that the cybersecurity leadership I was providing was needed by many midsize organizations. I had been working in the enterprise space, where it is easy for companies to hire a full-time cybersecurity leader. It is much harder for midsize organizations to do the same, so my idea was to use the “Fractional” model to provide this service to many companies.
What is the role of a CISO and what is the benefit of using a virtual CISO?
CISO stands for “Chief Information Security Officer.” They’re the top cybersecurity leader at any given company. They are in charge of building and managing cybersecurity programs.
The Virtual CISO (vCISO) model is one in which these top cybersecurity experts advise companies on a part-time, contractual basis. Full-time CISOs and other cybersecurity staff are difficult (expensive) to hire and retain. Using a vCISO allows organizations to access top-tier cybersecurity talent on a more affordable basis.
How do you help clients prevent cyberattacks?
Lots of ways! We have a common saying at Fractional CISO, “There is no one-size fits all solution to cybersecurity!”
Every organization has a different environment that will need a different set of cybersecurity controls to help prevent cyberattacks. We build custom, risk-optimized cybersecurity programs to specifically fit each client’s unique environment.
There are some universal controls we recommend though:
- Require the use of multi-factor authentication.
- Patch your systems regularly.
- Provide cybersecurity awareness training to all of your Internet-connected employees.
These three “universal cybersecurity controls” will do a great deal to protect every organization from the most common types of cyberattacks.
With the rise of remote work and cloud-based services, what new cybersecurity challenges have emerged, and how can organizations address them?
A lot of existing controls that were in place for protecting on-premises networks no longer apply to situations where entirely remote employees are connecting to a remote cloud network. With employees in the office, the common strategy is to protect the company network and infrastructure from the outside. Now that employees never touch company infrastructure, the strategy is to protect at the endpoint and at each SaaS application itself.
To protect at the cloud level, it’s worth considering either a Secure Access Service Edge (SASE) or a Cloud Access Security Broker (CASB). The right controls will depend on your organization’s needs.
Can you discuss any emerging trends in cybersecurity that you find particularly interesting or concerning?
AI tools and attacks-as-a-service (like Ransomware-as-a-Service) will make it easier for less-sophisticated bad guys to make more sophisticated attacks. When it’s easier for more people to do this, the volume of serious attacks can be expected to increase.
Ransomware is particularly dangerous because its attacks are so costly. They heavily impact business operations, and are difficult to recover from. It is important to take this threat very seriously. Thankfully, our clients have not seen much ransomware – though we are very proactive in ensuring that’s the case!
Good backup practices, technical email mitigations, and strong EDR/antivirus all go a long way in preventing ransomware attacks from striking. A Security Operations Center (SOC) capable of rapid response will also limit the damage any potential ransomware attack could have.
Good employee training also goes a long way in prevention.
How can organizations ensure that they are staying compliant with industry regulations and standards when it comes to cybersecurity?
This is going to be a major, continuing challenge for organizations because the regulatory environment is so uncertain. Look at the situation with the U.S. government’s Cybersecurity Maturity Model Certification (CMMC). There have been continued delays with the rollout.
We expect many more developments from different government regulators over the next decade. We see new proposed regulations emerging multiple times per year from different bodies like public education systems and state governments. It is going to be extremely difficult to comply in an uncertain environment, and generic advice is difficult to give.
We do recommend building a baseline cybersecurity program with a set of controls that are suitable for every regulation, then building to your industry’s requirements from there.
Again, what you pick will depend on your organization’s needs. CIS Controls Implementation Group 1 is a good general start, or NIST 800-171 could be a good starting point. Both standards have drawbacks. Getting a program going, however, is important regardless of what standard is selected. It turns out that most standards have a set of controls that are largely common.