Evaluating the CvCISO Program
Greg Schaffer
Servant - SMB Advisory CISO - vCISO - Author - Podcast Host - SME Contributor - Mentor - Entrepreneur - Owner vCISO Services, LLC and Second Chance Publishing, LLC - CISO Novelist - Veteran
I remember when the CvCISO program was announced by SecurityStudio a few years ago. I am skeptical of certifications in general, as I have experienced too many instances of people with lots of letters after their name demonstrating acquired knowledge (or at least the ability to test well), but who cannot apply that knowledge. Cert programs seem, at times, to be more focused on making money for the provider than anything else.
The notion of a "Certified Virtual Chief Information Security Officer" triggered that skepticism. I have traditionally been of the opinion that a vCISO needs to be one who has had experience as a CISO or the senior information security risk management executive, whatever it's called, because they are selling that experience to small and midsized businesses (SMBs). That's how the discipline started.
I would say my skepticism is well founded. Over the years, others have opted to call themselves vCISOs regardless of experience. One somewhat well known LinkedIn post from a few years ago even had the audacity to suggest adding vCISO to your title as a way to gain entry into cybersecurity. In other cases, they are leveraged as inside sales for MSPs/MSSPs. These offended me greatly, both personally and professionally.
I've been in IT and information security for a long time. One measurement of that time I like to use is when I started there was no twisted pair Ethernet. Another is that the President was George H.W. Bush (recently elected, I might add). I've seen a lot, including too many instances of grifters whose only mission is to make money off of those who often can least afford it.
I'm also very passionate about both helping SMBs with their information security needs and defending the virtual CISO discipline. The latter has become so diluted that SMBs do not know if their vCISO is able to provide the services expected and needed. This was not a significant issue until a few years ago, as I mentioned earlier, and has had, in my opinion, serious negative repercussions to SMBs, and the situation is only getting worse. Often virtual CISO firms such as vCISO Services, LLC (my firm) have to correct poor service from a previous vCISO.
Thus, when I heard of this program, my first question was what body is certifying the course and exam. No one could answer that for me, and the web site was short on details. That, and given that this program is managed by a company selling an information security risk management product, drove me to the conclusion that this was quite possibly another money-making scam. That was the position I held, until recently.
On a LinkedIn post not long ago, I inferred that there is a "scammy" training program for virtual CISOs. That caught the eye of Meg Perron, Certified vCISO, MBA, the SecurityStudio Academy Director. Out of band, she inquired if I was referring to the CvCISO program, to which I responded yes, and explained why. Without going into details, we discussed the program and I explored its web site more in depth at her urging.
What I had seen prior was not what was present today. I read through the different levels and the syllabus, and was intrigued. Still, I was not sold on the idea of being able to take someone with no experience to a fully functional vCISO after a ten week course. Note: they don't actually do this, and are transparent about the why on the site. Experience must be gained.
Then I learned more about their why. Through this process I met Evan Francen, the CEO of FRSecure and SecurityStudio. Again without going into details, I came to see that his why for launching this, and other initiatives in the information security space (for example, he has a free program that has prepared thousands for the CISSP exam), had little to do with self-promotion or enrichment and more about giving to the community.
Yet I was still somewhat skeptical, and I guess it showed, as Meg proposed that I take the course and evaluate it for myself. Her confidence in the program showed. While from a monetary standpoint the program would not cost me anything, the real commitment and cost to me is in time - 60 hours of instruction over 10 weeks, plus prep and study time. That to me is a far greater cost than the course fee.
I'm very protective of my schedule. I have multiple irons in the fire at any given time. Yet their passion for wanting to help the community by solving a growing issue intrigued me. Thus I agreed to join the next cohort, with the caveat that I would give honest feedback, to them and to you.
This post is the first of that feedback. I have completed the onboarding module, which I gather is a foundation for laying out the entire course. It included a 100 minute or so recording of a previous session which went through what to expect from the program.
Some of the initial onboarding has been a bit confusing. I'm not sure when the actual classes begin, and I was awarded a badge, but I'm not sure if that badge is for completing the exam successfully (there is an exam). Additionally, I struggled with the Discord server. I'm not a Discord user as I find it, well, clunky, but that's my problem. This is forcing me to learn another communications platform, and a popular one at that, which is good.
But the video laying out the course impressed me very much. Just about everything Evan said I agreed with, both in content and applicability to the vCISO life. It has actually energized me for what lies ahead.
The cohort begins in April. I'm not sure if I'll provide updates after each week, or at the end only, or some other variant. But I will report on my experience. If you're interested in the vCISO space, I invite you to stay tuned, as I continue on my CvCISO journey.
SecurityStudio Academy Director @ SecurityStudio | CvCISO, Cybersecurity
1 year ago
I am super excited to have Greg join our next cohort. I have been working at SecurityStudio for almost two years now, after many years in the K12 world. Evan Francen took a chance on me as the Academy Director because I AM one of those newbies to the industry. I went through the course when I was a Security Analyst which resulted in a job offer!!!! What I love about my job is our focus on the mission to fix this broken industry. We are all very passionate about serving our community and helping this industry. I have never experienced the "money grab" mentality - in fact it is more likely that we have to tame Evan wanting to give everything away!!! The truth is I invited Greg to join our program because I believe in it and wanted him to have a different experience than what he initially uncovered. I want this to be the de facto cert for vCISOs and strive to make it better with each and every cohort! Thank you Greg for taking me up on my offer...I know your time is valuable. I look forward to this partnership as we continue to STRIVE for continuous improvement! See you in the classroom!
Information Security | IT Governance | Program Management | CISSP, PMP
1 year ago
Looking forward to hearing your perspective on this Greg Schaffer. I've actually been eyeballing it since Dave Tuckman - CISM, CISSP, CCISO, CvCISO, CDPSE, etc. joined the FRSecure team and told me about the program.
SecurityStudio Academy Director @ SecurityStudio | CvCISO, Cybersecurity
1 year ago
Super excited to have you join us!!! We love learning together!!!!
Owner/CEO at Immauss Cybersecurity, President vCISO Catalyst, President ISC2 US Military Germany Chapter
1 year ago
Thanks Greg. I’m going to follow you closely on this and look forward to your final thoughts.