Becoming a Virtual CISO: Everything You Need to Know

On this episode, we take a moment to define cyber security. It’s a term we use every day, but few of us actually stop to think about the actual definition: understanding, managing, and mitigating the risk of your critical data being disclosed, altered, or denied access to.

There are 3 components to cyber security:

  1. Risk – Using historical and comparative data to understand where to put your resources.
  2. Critical data – If you want to be a good CISO, you have to be obsessed with where the physical data is, who has access to it, and how it is being protected.
  3. CIA – Confidentiality, Integrity, and Availability.

Resources (money and time) are finite. I have an exercise called “the pie chart.” In this exercise, the executive uses a pie chart to show which of these three has the highest and lowest priority. To be successful, the CISO and the executive team must have their priorities in alignment with each other.

In this episode:

  • 0:03 Welcome
  • 0:31 What exactly is a V-CISO
  • 0:50 A history lesson
  • 1:29 Security and uptime are sometimes in conflict
  • 2:55 Organizations realized that they needed a strategic position
  • 3:40 Companies need a CISO, but not all of them need a full-time position
  • 4:02 Which is why we have a V-CISO
  • 4:40 But I went one step further
  • 5:50 What makes a good CISO
  • 7:12 A CISO is a strategic position
  • 7:22 Question of the day: What is cyber security?
  • 8:25 The traditional “Bottom up” approach doesn’t work
  • 9:07 Analogy of the cursing father
  • 10:04 The two questions I ask
  • 10:47 Some definitions I’ve heard of cyber security
  • 11:25 A formal definition of cyber security
  • 11:58 The three components of cyber security
  • 12:30 Let’s take each of those three components and break them down
  • 13:20 What is the probability of something happening in the future?
  • 14:27 Insurance companies calculate risk
  • 15:46 Historical data is one of the best predictors of future occurrences
  • 16:10 Comparative data is also a good predictor of future risk
  • 17:53 You don’t always get it right
  • 18:50 100% security exists…with no functionality
  • 20:51 Cyber security is all about critical data
  • 21:43 Why breaches happen
  • 23:40 CIA – Confidentiality, Integrity, and Availability
  • 24:14 The problem with confidentiality
  • 25:00 Ransomware exposed the flaws with the existing system
  • 28:38 The alignment exercise for CISOs and executives
  • 31:35 Final thoughts