[00:00:19.010] – Jason Pufahl
So what did you say before, Steve? I’m understaffed. What do I do now?
[00:00:24.410] – Steve Maresca
Yeah, but that’s not how we want to introduce this one. I think we’re talking today about security strategic services, and why you want to pursue them organizationally, whether you’re staffed with folks on the ground for security or not.
[00:00:39.390] – Jason Pufahl
That is a good beginning. Better than I’m understaffed, what I do now. Maybe because I think it anchors a little bit, maybe, the “Why” It’s not just a matter of do you have nobody in the role providing security capabilities to your company, or do you have some folks and you’re trying to make sure that you’re getting the best you can out of everybody?
[00:00:59.800] – Steve Maresca
I think the main theme that we want to acknowledge here is that security is an evolving field. There’s a lot of black boxes, a lot of dark clouds, and nobody’s really sure at any given moment what they’re supposed to do organizationally or even in the moment for technical control. So what do you do when you’re limited by your staff’s experience, whether you have that staff or not, and pursue additional information, pursue additional assistance? That’s where we are trying to frame the conversation today.
[00:01:29.110] – Jason Pufahl
So let’s start with maybe a couple of assumptions and maybe talk about a couple of organizational configurations that we see. I think we’d all agree that you need some security capabilities at your company no matter what. Either the regulatory reason you think GDPR, perhaps would require a data privacy officer, cyber liability is always going to ask who is responsible for security within your organization. There is PCI wants to know that you’ve got security capabilities.
[00:02:01.110] – Jason Pufahl
You need to have somebody with that assignment or that designation and you’re from an organizational strategy. One of the models we see all the time is asking somebody as part of their existing role to perform some security work. Probably it’s a network person or it’s certainly traditionally. It’s been a network person who knows something about a firewall and therefore must be an expert in regulations and all these other things.
[00:02:27.660] – Matt Vasaro
And a lot of times it’s not even written into their job description.
[00:02:30.000] – Steve Maresca
Right. For sure.
[00:02:30.620] – Matt Vasaro
I just take on that role as a handshake.
[00:02:33.360] – Steve Maresca
Right. Or it’s a helpdesk function that happens to be equipped to clean up malware.
[00:02:38.750] – Jason Pufahl
[00:02:39.010] – Steve Maresca
Maybe it’s effective, maybe it’s not. But it’s not end to end security by any stretch. Other times it’s through finance, because that’s part of the organization at the CFO level that tends to deal with regulations, tends to work with external auditors from a finance standpoint. Security questions are new there and if there isn’t any other staff associated with security roles that’s where it tends to be associated.
[00:03:04.990] – Jason Pufahl
The final of the models that I don’t love is we’ve just created a committee of a group of people who are going to have a security responsibility. It might be someone from the application space, the networking space, infrastructure, with no real leadership and in my opinion, no real hope of making positive or substantive change.
[00:03:25.430] – Steve Maresca
Well, it’s maybe a little too negative. It’s just an accountability problem.
[00:03:29.550] – Jason Pufahl
Sure. But with no accountability, how are you going to move something forward?
[00:03:34.280] – Steve Maresca
So, the book end to that is the lone CSO with no staff attached to them. All of them are in some capacity under-resourced or alternatively, lacking perspective for the vast multitude of subjects that might be encountered on a security spectrum. The other aspect, the other organizational configuration, is that you do have staff, which is rare. If so, you’re very lucky. I’m confident that you’re having difficulties retaining that staff or the competition in the job market is affecting you.
[00:04:13.160] – Steve Maresca
What do you do then? Well, you still want to seek out external input organizations like Vancord. Very candidly. In full disclosure, we have a virtual information security office and all the other associated services. We see a lot of things in the field. We work with organizations large and small with similar problems to those that your organization experiences. Therefore, interacting with organizations of that sort really takes a shortcut to resolving problems and seeking out reasonable efforts, practical efforts to resolve security issues.
[00:04:47.450] – Jason Pufahl
So if I was going to summarize that, would you say one of the values of hiring a company like ours is to bring a set of perspectives that you might not have if you’re just a sole contributor for a company?
[00:04:58.760] – Steve Maresca
[00:05:00.530] – Jason Pufahl
I feel like one of the reasons that…Actually, I guess there’s probably two reasons why folks engage us on the vISO side or the vCIO side. One, certainly is to simply address the fact that they may not have a person to do that. I think that’s obvious and everybody gets that. What we see regularly but I didn’t expect to see as often was bringing us in to augment somebody who’s already got that senior leadership position. To bring in that set of perspectives, to help as an advocating role to generate more consensus.
[00:05:35.870] – Jason Pufahl
That has been a really big reason why people engage us. And I candidly didn’t see that as such a likely occurrence when we started this. I really felt it was going to be us solely working as that individual contributor to some degree. It’s not the case.
[00:05:55.980] – Steve Maresca
Security is disruptive in every organization. It runs counter to getting the rest of the business accomplished. That’s unfortunate, but it’s the function of security, you have to defend in a way that doesn’t necessarily make the act of making money easier. So if you have an internal advocate that understands the business and can adapt solutions that don’t really get in the way of business, you’re making your security investments more valuable. And I think that’s the outcome being sought from organizations of that variety.
[00:06:31.650] – Jason Pufahl
Let’s treat us as an investment, you’re a company, you want some support on the security side, you make an investment by hiring us to be your virtual information security office, virtual data privacy office, or whatever the case might be. How do you make that relationship work as effectively and productively as you can?
[00:06:51.990] – Steve Maresca
In my opinion, the key is inherently partnership, because an outside entity, whether it’s an MSP or a Vancord or any other that operates in that sphere, needs to understand the business as if it operates within the organization. And starting from that base assumption means that anything proposed and guidance provided is in line with organizational needs.
[00:07:16.650] – Steve Maresca
Merely seeking out miscellaneous hours with some third party that you can tap as a demand arrives isn’t effective. There’s no learning process that really brings that other organization into the fold, there’s no trust or rapport established and those components make or break security guidance and executive guidance.
[00:07:37.360] – Matt Vasaro
That’s something that I really appreciate that Steve and Jason put together with the services that we provide with our virtual ISO, where we front load a lot of that work. We spend a lot of time upfront getting to know exactly what you’re doing, what the goals are, what the capabilities are. It’s really hard to have someone roll into your organization and say you’re going to do X, Y, and Z and have no ability to execute. That’s just wasted time. You’re not going to get anywhere.
[00:08:06.700] – Jason Pufahl
Yeah. We can’t roll in and ever say you’re going to do X, Y and Z you haven’t established that trust. They don’t even know if they like you yet. That’s important. You’re going to be spending a fair amount of time together. There has to be some amount of likability there. The relationship has to exist.
[00:08:28.170] – Steve Maresca
And as a complement to that, history matters. Past assessments, past audits, they’re all in place.
[00:08:35.210] – Jason Pufahl
Yeah. Don’t throw that out.
[00:08:38.130] – Steve Maresca
There is something I encounter sometimes is sheepishness with our customers. They recognize they haven’t completed something that they aimed to complete
[00:08:45.130] – Jason Pufahl
And they feel bad about it.
[00:08:47.350] – Steve Maresca
[00:08:47.540] – Steve Maresca
They do. I’ve been jokingly introduced as a security therapist at times, and it’s not wrong. That relationship, the foundations of that relationship actually help that along. Part of the role is actually anxiety reduction and just having the ability to reach out for a sounding board. But that’s only possible where everyone feels comfortable about sharing the skeletons in the closet, identifying flaws that are systemic and whether they’re addressed or not, using them as the basis for movement.
[00:09:21.230] – Jason Pufahl
So what’s interesting about that, and I wasn’t thinking about this earlier. It is a two way street. So it’s great if they’re sharing the skeletons in their closet, or maybe they feel a little sheepish about not having done something. I think it actually works really well when they come back to us and say, part of your service would be better if you were able to deliver this more consistently. We’ve had feedback around, where’s your time spent? Can you give me a better report? And that collaborative nature, I think both parties can always improve. We see that all the time. Those conversations are our best ones.
[00:09:56.160] – Steve Maresca
Flexibility is the name of the game in these types of services because a conversation that starts in a firewall upgrade may actually turn into, we have some request from an insurer or a third party to make this improvement, and pivoting on that is quite a challenge. The roles and the expertise required to pivot is pretty important. Being able to flexibly, bring in appropriate domain experts and make it a more productive conversation is rather a critical thing.
[00:10:29.910] – Steve Maresca
Our competitors that have a single person assigned to customers for strategic guidance are those that really should be avoided because they don’t foster relationships with staff at different levels. They don’t necessarily have a bench of folks at different tiers that they can offer beyond the executive level. That’s the flexibility that we think makes a difference in some of the services that we provide, but we’re not advertising ourselves. This is what you should seek in any entity that provides services of this variety.
[00:11:01.540] – Jason Pufahl
I would say if you’re going to engage in, we have to think of a better term, because I want to keep saying V style or virtual style service, they should be strategic. These are not tactical services. So I think you want to be careful not to put yourself in a position where you’re saying, I’ve hired my vISO, so I’m going to have them help me develop my security program and implement MFA because I think they’re two very different things.
[00:11:27.190] – Jason Pufahl
And you want to develop your security roadmap. You want to have your plan of action established. These are things probably a vISO would do, policy work and some other things, board presentations, et cetera. When you have specific projects, treat them like a statement of work, figure out a fixed fee, ideally. Figure out your starting end and execute against a dedicated project. I think your outcomes are going to be better.
[00:11:51.450] – Steve Maresca
And recognize where strategic guidance consulting services can pick up some of the slack that other things that may have been purchased failed to deliver. One really good example is the use of an EDR XDR type platform. They bill themselves as end to end protection that can defend against some unknown threat. That might be true, but the alerts are only as good as the data they have relative to business systems and their implications. And some of the interpretive efforts to determine whether an alert is ignorable or an emergency really come from that supplemental situational awareness you get from really understanding an environment.
[00:12:32.800] – Jason Pufahl
Yeah, totally reasonable. That’s the partnership piece. I think both sides need to have a relationship and I think we need to be in a position to support and collaboratively support the organization that we’re working with. Anything in closing? I feel like this is a pretty good primer on potentially how to use a strategic service like a vISO or VDPO?
[00:12:58.890] – Steve Maresca
Partnership and mutual growth are inherent in success of these services. Seek out those elements as well as expertise and success is almost a guaranteed outcome.
[00:13:10.770] – Jason Pufahl
Yeah. And I think I’d say flexibility is probably important just because you’ve spent some time developing a plan. If you’re working in that partnership model when there’s an organizational emergency don’t be afraid to call on your virtual CSO to help you work through that. And that might require a shifting of priorities and I think that that’s okay.
[00:13:36.390] – Jason Pufahl
Well, generally the view I think that summarizes this, there’s options out there if you need to augment. Either fully augment and have as an outsourced your information security program or existing staff need somebody to lean on. That’s what these services are for. If you’ve got experience with using these and you have comments on how you might want to better deploy them than what we’re talking about, feel free to reach out to us. You can search us at LinkedIn at Vancordt or Vancord security on Twitter. We’re happy to continue the conversation. And as always, we hope you got some value out of today’s podcast and have a good day. Thanks.
[00:14:19.950] – Speaker 1
Stay vigilant, stay resilient. This has been Cybersound.