Evaluating the CvCISO Program

I remember when the CvCISO program was announced by SecurityStudio a few years ago. I am skeptical of certifications in general, as I have experienced too many instances of people with lots of letters after their name demonstrating acquired knowledge (or at least the ability to test well), but who cannot apply that knowledge. Cert programs seem, at times, to be more focused on making money for the provider than anything else.

The notion of a "Certified Virtual Chief Information Security Officer" triggered that skepticism. I have traditionally been of the opinion that a vCISO needs to be one who has had experience as a CISO or the senior information security risk management executive, whatever it's called, because they are selling that experience to small and midsized businesses (SMBs). That's how the discipline started.

I would say my skepticism is well founded. Over the years, others have opted to call themselves vCISOs regardless of experience. One somewhat well-known LinkedIn post from a few years ago even had the audacity to suggest adding vCISO to your title as a way to gain entry into cybersecurity. In other cases, they are leveraged as inside sales for MSPs/MSSPs. These offended me greatly, both personally and professionally.

I've been in IT and information security for a long time. One measurement of that time I like to use is that when I started there was no twisted pair Ethernet. Another is that the President was George H.W. Bush (recently elected, I might add). I've seen a lot, including too many instances of grifters whose only mission is to make money off of those who often can least afford it.

I'm also very passionate about both helping SMBs with their information security needs and defending the virtual CISO discipline. The latter has become so diluted that SMBs do not know if their vCISO is able to provide the services expected and needed. This was not a significant issue until a few years ago, as I mentioned earlier, and has had, in my opinion, serious negative repercussions to SMBs, and the situation is only getting worse. Often virtual CISO firms such as vCISO Services, LLC (my firm) have to correct poor service from a previous vCISO.

Thus, when I heard of this program, my first question was what body is certifying the course and exam. No one could answer that for me, and the web site was short on details. That, and given that this program is managed by a company selling an information security risk management product, drove me to the conclusion that this was quite possibly another money-making scam. That was the position I held, until recently.

On a LinkedIn post not long ago, I inferred that there is a "scammy" training program for virtual CISOs. That caught the eye of Meg Perron, Certified vCISO, MBA, the SecurityStudio Academy Director. Out of band, she inquired if I was referring to the CvCISO program, to which I responded yes, and explained why. Without going into details, we discussed the program and I explored its web site more in depth at her urging.

What I had seen prior was not what was present today. I read through the different levels and the syllabus, and was intrigued. Still, I was not sold on the idea of being able to take someone with no experience to a fully functional vCISO after a ten-week course. Note: they don't actually do this, and are transparent about the why on the site. Experience must be gained.

Then I learned more about their why. Through this process I met Evan Francen, the CEO of FRSecure and SecurityStudio. Again without going into details, I came to see that his why for launching this, and other initiatives in the information security space (for example, he has a free program that has prepared thousands for the CISSP exam), had little to do with self-promotion or enrichment and more about giving to the community.

Yet I was still somewhat skeptical, and I guess it showed, as Meg proposed that I take the course and evaluate it for myself. Her confidence in the program showed. While from a monetary standpoint the program would not cost me anything, the real commitment and cost to me is in time - 60 hours of instruction over 10 weeks, plus prep and study time. That to me is a far greater cost than the course fee.

I'm very protective of my schedule. I have multiple irons in the fire at any given time. Yet their passion for wanting to help the community by solving a growing issue intrigued me. Thus I agreed to join the next cohort, with the caveat that I would give honest feedback, to them and to you.

This post is the first of that feedback. I have completed the onboarding module, which I gather is a foundation for laying out the entire course. It included a 100 minute or so recording of a previous session which went through what to expect from the program.

Some of the initial onboarding has been a bit confusing. I'm not sure when the actual classes begin, and I was awarded a badge, but I'm not sure if that badge is for completing the exam successfully (there is an exam). Additionally, I struggled with the Discord server. I'm not a Discord user as I find it, well, clunky, but that's my problem. This is forcing me to learn another communications platform, and a popular one at that, which is good.

But the video laying out the course impressed me very much. Just about everything Evan said I agreed with, both in content and applicability to the vCISO life. It has actually energized me for what lies ahead.

The cohort begins in April. I'm not sure if I'll provide updates after each week, or at the end only, or some other variant. But I will report on my experience. If you're interested in the vCISO space, I invite you to stay tuned, as I continue on my CvCISO journey.

Meg Perron, Certified vCISO, MBA

SecurityStudio Academy Director @ SecurityStudio | CvCISO, Cybersecurity

1 year

I am super excited to have Greg join our next cohort. I have been working at SecurityStudio for almost two years now, after many years in the K12 world. Evan Francen took a chance on me as the Academy Director because I AM one of those newbies to the industry. I went through the course when I was a Security Analyst which resulted in a job offer!!!! What I love about my job is our focus on the mission to fix this broken industry. We are all very passionate about serving our community and helping this industry. I have never experienced the "money grab" mentality - in fact it is more likely that we have to tame Evan wanting to give everything away!!! The truth is I invited Greg to join our program because I believe in it and wanted him to have a different experience than what he initially uncovered. I want this to be the de facto cert for vCISOs and strive to make it better with each and every cohort! Thank you Greg for taking me up on my offer... I know your time is valuable. I look forward to this partnership as we continue to STRIVE for continuous improvement! See you in the classroom!

Nick Mullen

Information Security | IT Governance | Program Management | CISSP, PMP

1 year

Looking forward to hearing your perspective on this Greg Schaffer. I've actually been eyeballing it since Dave Tuckman - CISM, CISSP, CCISO, CvCISO, CDPSE, etc. joined the FRSecure team and told me about the program.

Meg Perron, Certified vCISO, MBA

SecurityStudio Academy Director @ SecurityStudio | CvCISO, Cybersecurity

1 year

Super excited to have you join us!!! We love learning together!!!!

GE Scott Knauss

Owner/CEO at Immauss Cybersecurity, President vCISO Catalyst, President ISC2 US Military Germany Chapter

1 year

Thanks Greg. I’m going to follow you closely on this and look forward to your final thoughts.
