Beginning the CvCISO Program
Greg Schaffer
Servant - SMB Advisory CISO - vCISO - Author - Podcast Host - SME Contributor - Mentor - Entrepreneur - Owner vCISO Services, LLC and Second Chance Publishing, LLC - CISO Novelist - Veteran
Second in a series relaying my experience as a long-time CISO/vCISO evaluating the CvCISO program.
I just completed, along with 30 or so others, the first of 30 classes in the SecurityStudio CvCISO program. I have opted to devote the time to participating in the entirety of the program to evaluate how effective it is in addressing one aspect of SMB needs. More about that in my first article in this series at https://www.dhirubhai.net/pulse/evaluating-cvciso-program-greg-schaffer-cd0ye/.
FRSecure and SecurityStudio CEO Evan Francen began in a manner different from any other course I've taken, that I can recall, and it was quite refreshing and enlightening. He discussed the purpose, the "why" of the CvCISO program. While some of this he and I covered in a recent episode of The Virtual CISO Moment (check it out at https://www.youtube.com/live/6lvvNFdjigA?si=jJkp6DyGJFZiOlQO), he emphasized that two main drivers are that organizations need good leadership and those who are vCISOs want to be good vCISOs.
He projects the kind of authenticity that makes you like him almost instantly, so when he emphasizes his guiding principle of "Mission Before Money", you don't feel like you're being sold a line - you believe it. His reasoning is if you focus on the mission, you'll make money, but if you focus on the money, you won't make the mission. This is a refreshing take not just in information security but for life in general. How many times in a day are we all exposed to "me first", entitlement situations?
Another thing he constantly emphasized during the two-hour initial class is the importance of community. He noted - and I agree - that there is a vast underserved need for quality virtual CISOs - businesses need the leadership. Because of that, it's not about competition, but rather collaboration. Together we are better positioned to solve the problem of SMB security. Fostering community is an important aspect of that.
From there he outlined the course syllabus. Having been a practicing virtual CISO for seven years and a CISO for 10 years before that, I mostly agreed with not only the topics but the order of presentation. If the course delivers on the subject material, I can see that all would be well positioned with the skills necessary to be an effective vCISO - one that helps, not hinders, business.
But what of experience? The CvCISO program recognizes that a 60-hour course alone is not enough to jump in and start providing virtual CISO services for SMBs. There are levels based on prior experience, and the program takes into account an apprenticeship arrangement of sorts. I'm not yet sold on this being an effective ramp-up for those to be effective vCISOs, but that's because of my background. I have always held to the belief that one must have been a CISO prior to serving as a vCISO, because you're not selling a product - you're selling your deep experience.
I am of course keeping an open mind. If any program can take someone from the beginning to being a practicing, effective vCISO, this one is probably as well designed as can be. The next 29 sessions are going to be quite interesting, I'm sure.
Certified vCISO/IT Security & Governance
11 months
Great recap article Greg Schaffer I look forward to hearing more about your learning journey! (And Evaluation)