Evaluating the CvCISO Program - Final Analysis

In the beginning of March I wrote about evaluating the SecurityStudio CvCISO program. We have a serious problem in our industry, with under-experienced cybersecurity pros touting themselves as vCISOs when they do not have nearly enough skills or background. A poor vCISO can be worse for a small or midsized business (SMB) security posture than no vCISO. That's not gatekeeping (a word I dislike because of how it is overused and misused); its a fact.

I'm not a big fan of certifications in general, because they often overpromise and under deliver, all while fleecing the cyber hopefuls of thousands of dollars. When I first heard of this CvCISO thing, I was very skeptical, and limited research did not dispel my thoughts. I saw it as another endeavor primarily to both generate revenue and to provide a path to selling the company's security platform, an inside sales tactic which I despise (for example, those who follow me regularly know my view on vCISOs as inside sales, usually undeclared, for MSSPs).

Two years later, I made an offhanded comment about a scammy vCISO certification as a reply to a post. What followed then was an incredible journey, born from misunderstanding.

I have posted two additional articles about my journey, both at the beginning and at the midway point. This is my summary article. If you don't want to read the rest of the post, this is the takeaway: I was wrong, very, VERY wrong.

The Problem

There is an immense need for qualified virtual CISOs, yet not enough supply. Historically, a qualified virtual CISO was one who had years of experience as a full-time CISO or similar information security risk management experience. When I started vCISO Services, LLC in 2017, the majority (by far) of practicing virtual CISOs, like myself, fell into this category.

With the growing need to secure SMBs--after all, they make up 99.9% of all U.S. businesses and are responsible for over 45% of employees, according to the Small Business Administration--there are simply not enough current or former CISOs/information security risk management executives to meet the need. Additionally, the hard truth is that some CISOs just wouldn't make good vCISOs. The virtual CISO is a unique discipline of its own, a blend of security executive, business partner, and consultant, and requires what I call an SMB mindset. Not all CISOs could cut it as a vCISO.

SecurityStudio recognized that "a vCISO who's poorly equipped to perform the role will likely cause more damage to the organization than had the organization not employed a vCISO in the first place" and wanted to develop a solution. The result? "SecurityStudio built the Certified virtual Chief Information Security Officer (CvCISO?) Program to establish the industry standard for vCISO quality and qualifications, ultimately to best serve the community’s need for more vCISOs in the best manner possible."

But could a course really meet the need?

The Course

Before proceeding, I need to emphasize I have no relationship with SecurityStudio, nor did I know any of their staff until shortly before beginning this process. While I was allowed to the course tuition-free to evaluate, to me the time was the much greater cost.

This course is long and very involved. It's 60 hours of class time over ten weeks, plus quizzes and homework. I won't detail the curriculum here, as you can find that by clicking on the next upcoming CvCISO-1 cohort at https://academy.securitystudio.com/pages/all-courses.

The first half is mainly about acquiring information, and the second half includes applying knowledge. For example, we were required to complete a baseline risk assessment for a fictional organization. While we are given the opportunity to use SecurityStudio's tool to perform this, it is not required. However, I recommend using it, as I did, if only for exposure to another tool.

This is not an easy course, and don't think you know it all just because you've been in the industry for awhile. I started my career in 1989 and learned a few things. As for the rest, I was fine viewing it as a refresher course. Except encryption; I hate that.

My Conclusion

This is one of those rare times in life that my expectations were exceeded. The content is excellent and relevant, and is not limited to information security. There is focus on what a vCISO is and strategies for success as a vCISO. As I said before, not all CISOs could be effective vCISOs, and this course covers where those discrepancies may lie.

There is significant focus on risk management, because (as I have said many times), at its core information security is risk management. On that note, I was glad to see the distinction between information security and cybersecurity. There is a significant difference, and words matter.

So does this work to satisfy the requirement of enhancing the qualified vCISO supply? Absolutely. The certification is staged; in no way is someone able to go out and practice as a vCISO after completing this course with no practical experience, and the certification recognizes that. Hence the different levels. While there is no independent certifying body (yet), in my eyes that doesn't matter from a practical standpoint. I've lived the experience, and I see the value.

I know a CvCISO L1 may not have any practical CISO or vCISO experience, but I do know what they have been taught. I can provide them the experience to reach the next level (levelling up is based on experience). In fact, in our latest query for a vCISO, we required the CvCISO. Why? Because I want us to do our part to help provide the newly minted CvCISO with experience to support the program. Saying I believe in something is one thing, showing is another.

Well, done, SecurityStudio. Glad to be in the fight with you.

And why a puppy dog for the cover photo? Why not!