March 17, 2020

Trust, but verify.

These famous words of Ronald Reagan, who, incidentally, would make a fantastic CISO, are also the simplest explanation of what it’s like to work as a virtual CISO.

If step one is building trust and relationship with clients, step two is being let in to see all the inner workings and operations to make informed and strategic decisions.

In this episode, John interviews Andrew Farkas, Virtual CISO at Pivot Point Security, about his experience as a vCISO and why the need exists for such a role.

What we talked about:

  • What is a vCISO and why you (probably) need one
  • Working with a vCISO to create a security plan
  • Real examples of what a vCISO does
  • Scope vs Risk vs Gaps

You can reach out to Andrew via the Pivot Point Security website.

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the tool is about 99% accurate, you may find some small discrepancies between the written content and the native audio file.

Speaker 1 (00:06):

You’re listening to the Virtual CISO Podcast. A frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

John Verry (00:26):

Hey there, and welcome to another episode of the Virtual CISO Podcast. I’m your host, loquacious John Verry, and with me as always, the Dwight Schrute to my Michael Scott, Jeremy Sporn. Hey Jeremy?

Jeremy Sporn (00:37):

How’s it going? Hello everyone. It’s great to be here with the self-proclaimed world’s greatest boss.

John Verry (00:43):

So that’s probably the one I liked the most out of the pairs that you’ve done to this point. So well played. So what did you think about the conversation I had with Andrew?

Jeremy Sporn (00:52):

It’s honestly just really refreshing to hear from Andrew because he’s the guy in the trenches every day acting as a vCISO for a number of firms.

John Verry (01:01):

Yeah. You know what I liked about the discussion? It’s that we really got down into the weeds with some concrete examples of what a vCISO does, which I think will help move that concept from the more esoteric to the more real for the people that are going to listen to this.

Jeremy Sporn (01:14):

Yeah. It got real, shit got real is just how I can describe it.

John Verry (01:17):

Right. Yeah, great.

Jeremy Sporn (01:19):

What I love about Andrew is he’s a Bill Belichick kind of guy, and that does not mean that he got caught filming his competitors or deflating footballs; he’s a guy that trusts the process. Anyone who’s a real football fan knows the Patriot way-

John Verry (01:34):

I am a Jen fan so I do not subscribe to this officially.

Jeremy Sporn (01:39):

Anyway, here at Pivot Point Security we have our own Pivot Point Security way. And the conversation you have with Andrew really highlights that process of how a vCISO shows up on the doorsteps of an organization and addresses that organization’s information security challenges to accomplish the agreed upon goals.

John Verry (01:58):

Agreed. And with that, let’s get to the show. Thanks Jeremy.

John Verry (02:06):

Andrew how are you?

Andrew Farkas (02:07):

Hey John, how are you? Not bad. Good to be here.

John Verry (02:10):

So this is an interesting one for me because this is the first time our guest is actually an employee. So congratulations, you were first.

Andrew Farkas (02:18):

Okay.

John Verry (02:18):

Do you feel completely honored?

Andrew Farkas (02:22):

Congratulations or your condolences?

John Verry (02:26):

I’ll tell you that after I see how good you are.

Andrew Farkas (02:28):

Yeah exactly.

John Verry (02:30):

For all we know this episode may never air. So I always like to start super simple. So yeah, just tell us a little bit about who you are and a little bit about what you do here at Pivot Point.

Andrew Farkas (02:42):

Sure. So my name is Andrew Farkas and I am the virtual security team practice lead here at Pivot Point Security. I’m also a virtual CISO here at Pivot Point Security. I’m based out of Brooklyn, New York and I have been with the organization for just over four years now.

John Verry (02:59):

And time goes fast man.

Andrew Farkas (03:00):

It does.

John Verry (03:01):

That actually blows my mind, but anyway. All right, so one of the things I always like to do is personalize things a little bit and get to know somebody before we get down to business. So we have this tradition where we ask people what’s your drink of choice? Now you’re in Brooklyn and I know there’s some good bourbon bars there and I know there’s some Brooklyn beer, so what’s the drink of choice? Now it could be green tea, it could be water or it might be something a little bit stronger or it might be both.

Andrew Farkas (03:22):

Well, so I am a go-to bourbon and beer guy, and some of the baby bourbons, the New York, the Hudson bourbons and things like that are not bad. But lately I’ve been very much into Hendricks tonics with a cucumber as the garnish and a little fresh ground pepper on top. If you’ve never tried a gin and tonic like that, you have homework to do later when you go home.

John Verry (03:45):

So my wife likes Hendricks and my wife and son both drink gin and tonics quite a bit.

Andrew Farkas (03:50):

There you go.

John Verry (03:51):

So you’re taking it and you’re adding a pepper to it?

Andrew Farkas (03:53):

Yeah. So Hendricks has this thing called the cult of the cucumber where basically it’s you don’t want to add citrus to Hendricks, it doesn’t balance well so you add cucumber, something more neutral. But the pepper, the fresh ground pepper gives it just a little spice on your lips and it really makes it for a more complex flavor.

John Verry (04:11):

That’s funny. Last year on New Year’s Eve, we were down in Grand Cayman and my son had a Hendricks and cucumber gin and tonic at a beautiful restaurant called Bacaro right on the water there. I wonder if it had pepper, we’ll have to go back and look. I’ll have to ask him because he said it was fantastic.

Andrew Farkas (04:28):

And if you want to go full on you can find places that’ll make you a nice cucumber Collins but that’s a little too sweet for me.

John Verry (04:36):

Got you. Well I’m going to tell you this right now, I’m a little bit disappointed because I was sure that you would probably say Widow Jane because Widow Jane is from Brooklyn right?

Andrew Farkas (04:43):

I have Widow Jane in my decanter right now. So that’s always on standby.

John Verry (04:48):

Wait, wait, wait.

Andrew Farkas (04:49):

Not Widow Jane but a bourbon.

John Verry (04:51):

There you go.

Andrew Farkas (04:52):

Yeah. Right.

John Verry (04:55):

It’s one of my favorites at a reasonable price point, it’s a super bourbon.

Andrew Farkas (04:58):

It really is.

John Verry (04:58):

Okay, cool. All right, so let’s get down to real business. The reason that we wanted to have you on is that one of the challenges that I think we have probably as an industry is this concept of virtual CISO I think makes sense to people sort of intellectually, but I think they have this challenge of when the rubber hits the road what does it really mean? So how would you describe what a virtual CISO is?

Andrew Farkas (05:26):

Well, I mean, just to expand your point there, it’s because I feel like a lot of organizations don’t know what a CISO is or what a CISO should do. So they don’t know what the v in front of it is; it further confuses the point, right?

John Verry (05:38):

That’s a good point.

Andrew Farkas (05:38):

So unless you’re already operating in a regulated environment that it feels like it’s always needed some kind of security officer, then you’re not quite sure right? So it’s one of those things that I feel like for me a vCISO tries to capture exactly what a CISO would do. It’s a matter of a dynamic relationship between the breadth of the service, the depth of the service and the frequency of the service. So how much do you need to cover, how deeply do you need to cover it and how often do you need to interact in order to achieve that? But that being said, knowing what a CISO does I feel like is even harder.

Andrew Farkas (06:16):

Because people in concept I think, or intellectually as you were just inferring, they know that it’s somebody who has to develop strategy, and govern a process and manage things like budget and personnel and have an overall program within an organization that achieves all objectives and goals related to information security, data security, data protection, privacy, et cetera. But those things can mean different things to different organizations. So it’s a loaded question to ask what a vCISO is, also to ask what a CISO is. And I think depending on who you ask and what industry and what size and shape of an organization, you could get an interestingly different answer from sector to sector.

John Verry (06:57):

So I got an interesting question to ask you. So we had a guest on and it’s funny, these may end up coming out of sequence for people when we finally come to market. But I spoke with a guy by the name of Darek Hahn and he works for a company called VelocIT and they have a really successful virtual CIO offering. And when I was asking him about a virtual CIO, he kind of shocked me: when I asked him what were the attributes of a virtual CIO, his answers were not technical in nature, they were business in nature. So I’m curious, does that same parallel in your opinion hold true for a CISO? Is it first a business level role or is it a highly technical information security bits and bytes role in your opinion?

Andrew Farkas (07:40):

Well and again, I hate to give you these kind of soft answers twice now, but I would say if you were in a technology company for technology’s sake like a software as a service or platform as a service company, it would be more technical in nature. It would be objective: what are your processes around building things, testing things, releasing things, maintaining things and wash, rinse, repeat. Whereas if you were say a CISO at a university it would be much more around behavioral aspects of information security, people aspects of information security and all varying different data types, not all of which would be technical. So I do think that there is a fundamental difference between business information security and technical information security. I think that could be a topic for a whole other show so I don’t want to go too much into that.

John Verry (08:30):

Oh well listen, you haven’t even done a good job yet. You gave me-

Andrew Farkas (08:33):

I can’t answer and I’m not going to do it-

John Verry (08:34):

You gave me two soft answers and you’re lobbying for another episode?

Andrew Farkas (08:37):

Yeah exactly.

John Verry (08:38):

Come on. You better step up your game if you want another episode.

Andrew Farkas (08:40):

I want a six episode contract by the end of this episode.

John Verry (08:44):

There’s no residuals-

Andrew Farkas (08:46):

All right then I don’t know why I am here in the first place.

John Verry (08:50):

I’m having conversations with Netflix to pick up the series and that’s not a guarantee at this point.

Andrew Farkas (08:58):

Again, another bad answer is that it has to be both. If you have technical components that are processing information that is worth protecting, it has to be technical. If you have people or processes that are using said information in a more administrative or conventional pen on paper or passing information around any other way, then you have to truly understand the business. So that’s where I like the fact that CIOs, I’ve seen them where they’re basically CTOs. I’ve seen them where they’re basically COOs and I feel like the hardest thing for a chief information security officer to know before they get started is they have to know everything about operations, everything about technology and as much about the front office business as possible. They actually need to know more than any other individual C position in order to be able to protect all aspects that fall under all other C positions.

John Verry (09:48):

That’s pretty cool. And I actually like the analogy of a CIO being either a COO or CTO. And I actually think it’s funny, I think that tends to be part of the problem at least when I’m chatting with people about a virtual CISO role. It’s that I think they think of a virtual CISO as being somebody who can do every information security job. Like they’re hiring one virtual CISO and they’re doing everything. Is that something that you see?

Andrew Farkas (10:15):

Yeah. So I mean, that’s a factor of size I think. Where in some organizations, I mean classically before you even talk about a CISO, you have a CTO or an IT manager where they’re like the mayor, the milkman and the judge of a small town. So when you first started getting into, oh, we need an information security resource in a company, you want them to be able to do as much as possible. With size and maturity, you see more things like okay, I need an architect who could dub also as more of a senior management level, somebody who designs the information security landscape within the organization.

Andrew Farkas (10:51):

But then I need engineers and analysts to know how to maintain all of the solutions I’ve put in place and processes I put in place. And to be investigating all of the day to day events and issues and precursors for new things you need to protect. So I do think that expands where when you first get involved with an organization who has no information security footprint, you do have to be an architect an engineer and an analyst. And be able to talk with senior management at a very governance level when it comes to head count and budget and making sure that you are providing a holistic solution for a company.

John Verry (11:26):

Got you. So let me ask a question though, do you think it’s reasonable? So let’s say you’re a software as a service company and you want to hire a vCISO now you know as a software as a service company you’ve got application security issues, secure development lifecycle issues, you’ve got network architecture issues, you’ve got incident response plans, the security monitoring what am I missing? We’ve got cloud security because we’re rolling this stuff out on Amazon EC2 and we’ve got S3 buckets and we’ve got Dockers and all kinds of fun stuff. Is it reasonable that a vCISO is going to have the expertise in all those areas and be able to do all those things?

Andrew Farkas (12:02):

Yeah. In concept, absolutely. I do think they need to understand just like you would know that you have to plug in a conventional standalone terminal to a server to operate something and those servers are talking to other computers on a network. And you’re transmitting information to and from them to exercise some kind of business process that’s hopefully making you money as an organization. You have to in concept know how everything plugs in and works together so you can understand the vectors in which things could be exploited. You don’t have to know deep configuration, you don’t have to know how to build the product necessarily.

Andrew Farkas (12:33):

But you have to know where there are things that are insulated and things that are going to be potentially peeking out into the world or crossing over certain gaps that need to be protected. So you need to know the ingress and egress, virtually or otherwise, of your information. So yeah, I do think understanding how your software is built and how it’s plugged into your network and how it works in conjunction with other applications, how internal and external stakeholders and users are being able to access it. You have to know at least from a mapping standpoint how all of that stuff talks to each other, touches each other, plugs into each other, et cetera. You hire other people to know how it really works, but you need to touch the road once in a while, you know what I mean? To be the tires.

John Verry (13:23):

Okay, good. So just to make sure you and I are on the same page and I’m restating this so please tell me if I missed this because I think I agree with you. I think that if a CISO can’t understand that full life cycle of the data at a not a 100 foot level, but a 1000 foot let’s say or maybe it’s a 100 foot not one foot whatever we can agree on in terms of the analogy. Their job is to know enough to know where the issues, risks, challenges are and then engage the right people at the right time, whether they’re within that organization or external to the organization. Because you’re not going to know the specifics of configuring a Kubernetes cluster in a way which is going to be secure as a CISO. But you know enough to know that Kubernetes cluster has certain challenges or risks associated with it and that you need to get the right resource to address that.

Andrew Farkas (14:13):

Exactly right. So it’s where top down meets bottom up, there should be some overlap there where the CISO at least knows what paths are diverse to address a particular issue. And hopefully whether the CTO, the CIO, the COO has positioned other people in those areas to have the subject matter expertise. To have the day to day operational knowledge to be able to say, oh yeah, this, this and this is because why this issue occurred or why we have an issue today.

John Verry (14:41):

And I do think that’s part of the problem that I’ve seen in talking to people about is that I think they have this inherent belief that they hire one person and all those problems go away. They hire one person and all those problems become actionable but we’re going to need other support to actually solve everything right?

Andrew Farkas (14:58):

That’s just it too. And if you go look at any job description for an information security person of five years or more and they want you to do compliance, regulation, policy and they want you to be able to buy new software solutions or security solutions, be able to configure all of them, stand them up, watch them all day long. So they don’t understand that in all cases it’s a three person job, not that you need three full bodies to be able to do all of it, but you need three distinct types of role to be able to have that approach of governance, implementation and maintenance and assessment. Because you always need to be looking for new things to come into your purview.

John Verry (15:46):

Yeah. And then the other thing which I would say is a problem is once you have established something, that operationalization, easy word for me to say, is another big part of that. Because it’s one thing to say we don’t have third party risk management, it’s another thing to say, let’s build a third party risk management program. But then it’s another thing to make the commitment to operate that program right? To send out the questionnaires, to receive the responses, to review them, to work with the vendor relationship owners, there’s a lot to it.

Andrew Farkas (16:12):

And even to add a layer on top of that, and that’s you can’t assume that any of that is going to be static for very long. So as new tech rolls in, new business processes roll in all of that stuff needs to change and adapt with the business just like any other dynamic aspect of the business.

John Verry (16:29):

You have new threat agents, et cetera. Okay, cool. So I think we’re in agreement on kind of vCISO, the idea of where that sits in an organization, what it can and can’t do, what support it is going to need. So let’s say that someone’s listening to this and they’re saying, okay, well this might work for me. When you think about you acting as a vCISO, is it as simple as plan the work, work the plan? And is the goal to get to a plan? Tell me how you see this process happening.

Andrew Farkas (16:57):

It can be, so I’m a little bit goes a long way. And I’ll get philosophical for a second, the more honest introspection a company can do, the more they will be able to know to a certain degree what their plan should be. And be open to whatever recommendations a plan is based off of the initial, even a little assessment that they may have already done. So you can develop and work a plan if you’ve already done some assessments. The biggest issue that I see is the inherent fear of not knowing what you actually need to do, where you’re vulnerable, what your problems are. A lot of organizations come and they talked to us and they say, well, I know I need to do something. I know we had an issue once or we keep getting questions about this or I’m not feeling great about that. And there’s just a sense that they know they need to adopt something that threads throughout the organization.

Andrew Farkas (17:54):

They don’t know where to start, they don’t know where their worst aspects or the things that need to be addressed most prominently are. And that’s where you have to sometimes start with listen, you need to get to know us, we need to get to know you so we can actually tell you what your objectives are if you don’t already know. A lot of times it starts with a sneaking suspicion that things aren’t really great under the hood here and we need somebody to come in and let us know what the plan should be, what the objectives should be. All we know right now is that they need to be something we’ve been doing little to nothing for too long and getting away with it and we don’t want that track record to be sullied by something that affects our business.

John Verry (18:34):

Got you. So let me restate that and see if we’re on the same page. So generally speaking, I think people call us up and I’m one of the people that talks to people a lot on the phone when they do call up. And I think we get two types of people that call up about vCISO. I think there’s the ones that have, like you said, a sneaking suspicion or just a discomfort level, but they don’t know exactly what they need to do. And then I think we have some people that call us up that say, I just got through an audit from one of my key customers, I’ve got 56 non-conformities and I’m about to lose them as a client, can you help me? So I think in the first case, they don’t have a plan. Second case, they kind of have a plan, so I think in that latter case, you might agree that starting with that plan is probably the best, first, most actionable, important thing and then adjusting as we go along?

Andrew Farkas (19:19):

Yeah. I mean as long as that plan based on that circumstance with that client in your example is indicative of the overall operations of the organization. So if you have several different departments and this happens to just be related to one arm of a much larger organization then if you’re going to go in and actually try and do some vCISO work for the entire company, you want to make sure that that assessment is reflective of the other business arms. And that you’re not going to then do things four and five times for each business arm just because of critical client A causing action plan B.

John Verry (19:54):

Okay. And there also could be the situation where that risk, while it might be notable, there may be another risk you don’t know about that’s even more notable, right?

Andrew Farkas (20:01):

Yeah. And it’s obvious to see, if they’ve assessed for let’s say those 50 non-conformities, that there are some major general information security domains that weren’t included in that. It’s easy to then supplement that to give a more broad and effective plan.

John Verry (20:16):

Yeah, good point. Okay. So let’s say that we’re not working with a client that has that plan and you bring your own plan. There’s a client that needs a plan, what’s the process to get to a plan? So if they engage with us and you show up on day one, what are we actually doing to get to the point where they’ve got an actionable plan that we’re executing together?

Andrew Farkas (20:35):

Well, it goes back to understanding all of the operations, really getting to know the organization as much as possible. I make the joke that I’ll literally talk to anyone that you let me talk to, because the more perspectives on the business that you get, not only do you learn more about the nuts and bolts and day to day of what that business actually does, but you also get a sense of all the inconsistencies, all the different perceptions of what the business actually does in this aspect or that aspect and who’s responsible for what. So all of these inherent risks and gaps aligned to best practice or whatever that organization might be trying to align to naturally occur just through conversation. So really it’s great, once you can get somebody to be comfortable, to let them know that we’re not auditing you, we’re not going to slap you with fines, we’re not going to call the regulators and tell them that you’re noncompliant.

Andrew Farkas (21:26):

We’re here to prevent all of that, we’re on your side. We want to really operate with you as a partner, as a part of your business and they open up you learn so much about the organization to take away with you. What it is that they do, where their problems are, what needs to be addressed first. So really just through a few days of talking to everybody, hopefully taking some good notes, wrapping that up and pointing it back at everyone to have that again, that introspection, that reflection on what you’ve discovered and everyone agrees on it. Then all of a sudden it may be daunting, it may be time consuming, it may be a long roadmap, but it’s something that everybody can say okay, at least now I know what I need to do. And then you can compartmentalize it, you can break it down, you can prioritize it and you can turn it into more digestible chunks.

John Verry (22:12):

Got you. So I think you stated that at a 10,000 foot level, which is great for the audience that sounds analogous to what we would conventionally call scoping risk assessment, gap assessment, control maturity assessment in ISO or SOC 2 or CMMC or something of that nature. Is that an accurate statement?

Andrew Farkas (22:33):

Yeah, absolutely. I mean, I feel like the scope and merging risk and gap into one, I can’t presume that even if two organizations are in the exact same industry, doing what is sensed to be direct competition with each other, they’re using different people with different expertise, different technology stacks, different locations. There’s enough differentiation even in the same industries with the same services where if you don’t go there and put in the time to really understand as much as you can about the organization, you are doing that organization a disservice. And you’re not getting the benefit of their unique circumstances, their unique risks or unique gaps. Really I feel like you could go in there with some cookie cutter stuff and just say, “Oh yeah, I’ve dealt with 100 different organizations like you. And you have these risks, you have these gaps, I’m sure of it, here take all this stuff and we can validate something that’s a bit squishy.”

John Verry (23:23):

Got you.

Andrew Farkas (23:23):

Rather than going in there and really sharpening your perspective on the organization.

John Verry (23:28):

Got you. So it sounds like the old prescription without diagnosis is malpractice.

Andrew Farkas (23:33):

Yeah sure. And honestly the more diagnosis you can do, the better off everyone’s going to be.

John Verry (23:38):

Got you. And the one thing that you didn’t bring up and I’ll just bring up because I think you’d agree with me on this, is that arguably the most important thing is to understand information equals risk in most organizations. So understanding which information is it that they’re processing, what the expectations are around that from their client contracts, regulators, third parties, laws and regulations. So if you’ve got personal information or you’ve got medical information or you’ve got high business impact data from Microsoft, or you’ve got whatever data you have, I think that really shapes what the net result is of that plan. Correct?

Andrew Farkas (24:08):

Yeah, absolutely. I mean, if you don’t know what it is you’re trying to protect in the first place, that’s the best place to start. Some organizations have trouble even understanding what an asset worth protecting is. And unless there’s a regulation or a client or some other external factor telling them that they need to protect something, sometimes you have to just start from the start and say hey, you know what? This is information your clients care about. This is information that has a particular price tag attached to it. This is something that operationally or security related is going to impact you through the conventional confidentiality, integrity and availability but also from productivity, operational integrity, monetarily, et cetera. To basically say yeah, this is where we have to actually think about all the bits and pieces and quirks of your organization and put value or not so much value on them to determine what we need to focus on.

John Verry (25:00):

Cool. So scope is what we’re protecting, risk is what we’re protecting it against I’m over simplifying. Gap is what we’ve identified needs to get done. At that point do we have that action plan that you’re going to execute with them?

Andrew Farkas (25:14):

Yes, as long as there’s an agreement on what we’re trying to achieve. So the gap part, the gap part is really the most important part because the client needs to take recommendations from us but also understand what it is that they want after that. So we can basically put together where we want to be in a certain period of time. We could just go bits and pieces from now until the end of time, but if you have milestones, if you have an end goal to start another process, that’s always nice too. So sometimes the regulations help.

John Verry (25:45):

Yup. Okay, cool. So we have a plan, so that took us a few months let’s say, to get to that plan. What happens then? I mean I’m your customer, am I executing the plan alone? Are you supporting the plan? Do I call you when I need you? How does the relationship with the vCISO work? Kind of explain that.

Andrew Farkas (26:05):

So yeah, I mean, the goal is to be able to work the plan once you have a plan. A plan that’s developed that cannot then be worked is not a great plan. But there is flexibility in the interaction of the vCISO at that point so I will say that there is a broader concept here around the virtual security team where more often than not, I am employed by clients to at that point have touchpoints on the progress and the actual constitution if you will of that plan. Is that plan still relevant? Is that plan moving in the direction that it needs to? Have we delegated all of the information or all of the tasks rather to the appropriate parties to be able to get all of these things done? Are we not considering everything? Because just a risk on a risk assessment that risk could change tomorrow. There could be internal, external factors that just changed the entire composition of that risk. And then you have to reassess and pivot, if you will-

John Verry (27:02):

No pun intended.

Andrew Farkas (27:03):

Yes. To address it. So yeah that being said, they like to be able to either talk to you about everything just to get your opinion across the board or just talk to you about the overarching aspects of the plan. Knowing that we’ve potentially coupled them with internal subject matter experts to help them with the specific agenda items, the specific tasks. And that those virtual security team members, whether it be for third party risk management, for vulnerability assessments, penetration testing, security awareness, education, et cetera. That they’re working with those internal delegates to make sure that those things are meeting the pavement, getting to the masses and having not only an operational but cultural impact on the organization.

John Verry (27:46):

Got you. So let me make sure, kind of roll it back for a second, make sure we’re on the same page. So let’s say that we identify the fact that an incident response plan, their incident response, they don’t have a plan or their plan needs rework. So two things can happen there, right? One is that they’ve got somebody on their team that you would help ensure gets that done, or it might be that you would engage one of the virtual security team members at Pivot Point who’s got expertise in incident response planning to work directly as part of our team with the client, right?

Andrew Farkas (28:17):

Mm-hmm (affirmative).

John Verry (28:18):

Cool.

Andrew Farkas (28:19):

Yes.

John Verry (28:19):

Okay, cool. Good. So, and again, just to be clear to people, it can be their resource, it can be our resource or it could be a third party resource. We have some clients that already have that relationship with external security consultants beyond us and you’re helping them, right?

Andrew Farkas (28:34):

Absolutely. Oh yeah. I mean, we’ve even been in a position where we’ve, going back to those roles that I was talking about before, helped organizations hire information security analysts and engineers to try and supplement what it is we’ve already told them that they need to build out, leaving that advisory, strategic governance layer in place for us to help them from a vCISO perspective.

John Verry (28:55):

Got you. And typically, who is a client interacting with on our team and how often are they interacting with them?

Andrew Farkas (29:02):

That’s variable. So typically with the vCISO it’s usually weekly, biweekly or monthly meetings, depending on the milestones related to the objectives and the goals, or just any other external timeframes or pressures that may be coming down on the client where they need to meet at a certain frequency. But let’s say if there was somebody who was on our team from an implementation consulting perspective who was trying to get them ISO certified or get them a clean SOC 2 Type II report, they might meet with them regularly, weekly, and then have touchpoints with particular tasks or items daily or every other day, getting verification or review on outstanding items. But from the governance perspective it’s usually a little less frequent, a little bit more strategic and a little bit more high level.

John Verry (29:48):

Got you. And who usually runs the project plan?

Andrew Farkas (29:52):

So we do have the luxury of having a program management arm, because I have a background in business analysis and running projects from a software perspective. Not all information security professionals and subject matter experts have that inherent, like, you know, yeah, I’ll be the first one to-

John Verry (30:17):

You’re not looking at me. I mean, I kind of feel like-

Andrew Farkas (30:19):

No I am not. So I’m a control freak.

John Verry (30:23):

You would have been [crosstalk 00:30:23]

Andrew Farkas (30:23):

Yes. I’m a control freak and I blame my IT BA experience in the past of being able to try to herd cats and keep everybody on task, and the classic on time and under budget. So we have the program manager aspect where you basically get a project manager on your VSC and vCISO projects. Because there are many moving parts, there are people who are very busy, and it’s hard to be the one who’s running the call, taking the minutes, scheduling the agenda, delegating all the information, updating the project plan and still having that really dedicated focus on the information security, data protection and governance items. So having that aspect of program management allows you to do your job a lot better from a security perspective.

John Verry (31:07):

So one thing that’s just also interesting to me, and in the interest of full disclosure, I act as a virtual CISO on our team for a few of our clients as well, so part of this is my experience, but I find with these two customers, even when I chat with them a little bit, I think it helps them when I ask this question: when you think about a virtual CISO, do you think about that person as being a name in a box on your org chart, or just somebody who is an asset to the CTO or CIO or COO to make sure that we don’t make a wrong turn? And I think part of that difference, real quick and then I’ll let you answer.

Andrew Farkas (31:43):

Sure.

John Verry (31:43):

Part of that difference might be how they perceive our interaction within the organization with the CXO suite, and how they see our interaction externally with regulators, and how they might see our interaction externally with their vendors and suppliers. Thoughts?

Andrew Farkas (31:58):

Yeah, absolutely. And I think a lot of it has to do with, again, establishing that relationship, that partnership, because you can most certainly start as a checkbox on an org chart and then graduate to the Wizard of Oz. The man behind the curtain that nobody actually wants to know about, but wants to make sure that all the levers are being pulled and all of the advice is being whispered. And I do think that as that relationship proves to bear fruit or proves to be valuable, that’s when you start coming out of the shadows, more or less. And you become... you’re invited to be on board member meetings, you’re being the voice of, or being invited to, all of the calls with external clients.

Andrew Farkas (32:42):

So sometimes, before anybody actually knows that you need to be more than just a checkbox item or someplace a figurehead, if you will, within an organization, once you start doing the work, then they realize how much they actually need the expertise, the work done. They want more and more information from you, they want to rely on you more often. They trust you more as you prove yourself and you can kind of go from one to the other.

John Verry (33:10):

Yeah. So it’s funny, I think you said it differently than you meant. So I look at it as that we evolve from the man behind the curtain, not the all-knowing man behind the curtain. So the way I look at it is like, have you ever watched, I loved watching Mark Zuckerberg at the congressional hearing or Senate hearing, whatever you call that. And a Senator asks Mark Zuckerberg a really tough question and he looks like a deer in the headlights, and he looks behind him and the lawyer leans in and says [inaudible 00:33:34] and he turns around and he goes [crosstalk 00:33:36], right? So I almost feel with some of our clients that we’re the lawyer sitting behind them and-

Andrew Farkas (33:41):

We’re the alderman, yes. We whisper in the politician’s ear so he doesn’t say something foolish.

John Verry (33:46):

Is that the official term?

Andrew Farkas (33:48):

That’s the alderman. You bet.

John Verry (33:49):

You are the only person in the world who doesn’t work in politics that would know the term alderman.

Andrew Farkas (33:54):

There’s a reason I know that, there’s a reason I do this, John.

John Verry (33:59):

I don’t want to know about it. All right.

Andrew Farkas (34:01):

Really, just to say that I like doing that. Sometimes people want the limelight, sometimes people just want to have the right answer. I think I want to have the right answer more than I want the spotlight.

John Verry (34:13):

Right. And then I think over time, like you said, somebody might migrate into being truly a member of the organization. I know with some clients you don’t hear from them that often, whether they are just in the weekly calls and maybe an occasional proactive call or email. And then we’ve got other clients where you’re answering six, eight emails a day, you’re CC’d on everything-

Andrew Farkas (34:32):

On everything.

John Verry (34:32):

Yeah. I mean, literally you are integral to information security.

Andrew Farkas (34:37):

Clients who try to keep us under wraps realize relatively quickly that’s just a waste of time. They then position themselves as the middleman, and if people have legitimate questions it makes sense to just shoot them right to us. They’ll get faster responses, it will be more connected to different areas of the organization and overall just more helpful.

John Verry (34:55):

Yeah. Cool. So I think we’ve done a pretty good job of talking about virtual CISO and hopefully painting a better picture for people. Any real world examples that might, in your mind, help people understand this?

Andrew Farkas (35:09):

Well yeah, so I mean, I think we’ve talked a lot about organizations that don’t have a CISO or that don’t have a more mature, distinct information security model within the organization. Some organizations do, some organizations have CISOs and they still want a virtual CISO. There’s just too much going on within an organization for them to be able to say, me as one person with limited staff, with either the breadth of knowledge or the amount of hours on the clock in a day, to get all of this stuff done. So we have had some great success with large organizations that have multiple departments, that have one centralized information security arm that just isn’t long enough, and that needs some support and potentially has internal regulations of their own, parent company implications, a global footprint, where really there is no distributed information security arm. So you’re working not only with an organization, you’re working with several businesses within a business and it feels more like seven clients than it does one client.

John Verry (36:15):

Right. It’s interesting you say that, because you see the stats, I mean, depending on who you believe, but I just got, someone emailed me an article where they claim the average tenure of a CISO was 26 months. I’ve heard as short as 18. But 50% of CISOs right now are diagnosed with mental health issues, which is crazy, right?

Andrew Farkas (36:34):

It’s a catch-22 though, I think you need mental health issues to get into the field in the first place.

John Verry (36:39):

Or to be willing to take the title CISO.

Andrew Farkas (36:42):

Right, and if you want to leave on the grounds of mental health issues, it just doesn’t work.

John Verry (36:49):

But that being said, I mean, I think that’s another interesting idea. And when I saw that, right away I said, you know what? That idea of a deputy vCISO, a deputy CISO that supports that person and makes sure that you don’t have that. Or look, I mean, the reality is you could get caught in a lot of trouble if you turn over a CISO and you don’t have someone prepped, because it takes… So Deidre Diamond from CyberSN, who’s one of the leading recruiters in the world for high level positions, said these kinds of things take months. There’s not enough people, you’ve got to find a person who knows your industry, knows your business, if you’re going to be really successful. So yeah, I mean, I think even having that person there not only reduces the likelihood that they’re going to leave, but if they did leave, it reduces the damage. In fact, if I’m not mistaken, go ahead, I know where you are going.

Andrew Farkas (37:34):

Right. So I’m just going to do some quick math for you. I mentioned earlier in the episode that I’ve been here for a little over four years. At that particular company, I’ve been within the organization, working with the organization in an information security capacity, longer than the previous and current CISO. So it goes to show that those transitions are regular, they don’t take long sometimes to happen, and the ramp up for a new CISO takes a significant amount of time. And without somebody who is not only just kind of being a shadow to the CISO, but working with other stakeholders within the organization actually… Again, I like to double down on the knowing the business aspect, and being able to have all of those ways to help people other than the conventional IT and information security areas of the business means that when somebody from IT or information security who is critical to the business leaves, that organization isn’t in a complete lurch, because they have somebody who is there to provide that resiliency and to provide that strategy and governance and help bridge that gap and be part of that bridge.

John Verry (38:40):

Right. I’ll give one example as well, I mean, with a client that I’ve worked with, and you and I have talked about this particular situation. I think we inherently think, what’s a CISO going to do for me? This is an example of how sometimes what you don’t do is as important as what you do do. So we’ve talked about this, we had the client with a critical client-facing portal, lots of critical sensitive data, and they had started this project before we got there. It was a one year, one and a half year project and they were ready to roll it out, and we put up our hand and said, has that vendor been vendor risk assessed? And then when we vendor risk assessed them it was like, I’m not getting a warm fuzzy here, and they weren’t either.

John Verry (39:23):

So it was like, okay, do we have security testing built in too? Are we certifying the application to be ready for use? And the answer was yes, we’re doing an application security test, and we dug in a little bit and they were running a Nessus scan, they were running just a network test. And so we said, no, this needs to be fully tested. We fully tested the application and it was not good. So the challenge is that, and I have to applaud management because they had made commitments to roll this out in a certain timeframe, we are now six months past the timeframe that they had committed to having it out and it’s still not out. But we do know when it gets out, it’s going to be secure, and I think we saved them from a breach that could have been pretty significant.

Andrew Farkas (40:10):

And endless. And if you don’t know that security is the enemy of time to market by now, then you just haven’t been paying attention.

John Verry (40:17):

You were not supposed to say that-

Andrew Farkas (40:19):

I know.

John Verry (40:19):

I told you specifically. Jeremy, we’re going to cut that. What time is this right now in [inaudible 00:40:24]? Jeremy, I think it’s 51:20 to 51:30. Yeah, please cut that out of there. I mean, we can’t be the enemy.

Andrew Farkas (40:32):

Transparency is the golden rule of [crosstalk 00:40:35] relationships.

John Verry (40:36):

Unfortunately, tell the truth is one of our core values, all right Jeremy, you can leave it in. All right. So we’re getting close to wrapping up here, so I had a question for you. Let me ask you, any other critical examples you want to give before we wrap up?

Andrew Farkas (40:52):

No, I really just wanted to give two quick ones just to, again, reiterate how-

John Verry (40:59):

You’ve said no and then you said, but I do want to show two quick ones, so is it yes or no?

Andrew Farkas (41:03):

It’s yes. I say yeah.

John Verry (41:05):

What happened to that tell the truth, that transparency thing?

Andrew Farkas (41:09):

It’s Friday after two, John, I’m surprised my brain’s even working at this point.

John Verry (41:13):

Is that Widow Jane bottle half empty?

Andrew Farkas (41:15):

That’s, yeah. Right. No, but the Hendricks is. So really, we work with one large nationwide not-for-profit that really does mirror what I was talking about before, where you live in this world between what the CIO does and what the COO does and what the CTO does. And it’s very dynamic information that changes the way the wind blows in terms of the political climate. And we’re able to help them with everything from framework alignment to critical vendor reviews to vulnerability assessment and management across all of their satellites for the country. They’re even trying to expand into red team and blue team exercises, and really their menu of what they need changes regularly and it’s very exciting.

Andrew Farkas (42:02):

On the other side of that coin, sometimes we get the organizations that are smaller in nature, very dependent on certain long-term customers who may be bigger fish than they are in their industry. And essentially those bigger fish are required to make some pretty dynamic changes and they have to try to keep up. So they bring us in for shorter term engagements to basically say, this is all the new stuff that just came from my biggest client. Without my biggest client, we may not be able to keep the lights on after the end of the year. So we do have more specific, very acute services that we perform for some of our other clients that are really dependent on having somebody who can be there, who can spring into action, who can understand what they do, what they need, and get it done in a very quick period of time so they can keep doing what they do.

John Verry (42:46):

Yeah. So I think what you’re referring to is that you had a virtual CISO client that needed a virtual CISO at that strategic level, but only needed it for a very short period of time.

Andrew Farkas (42:54):

That’s right. And you know what, I have an interesting feeling that the same time next year, they’ll need a [crosstalk 00:43:00]

John Verry (43:00):

Yes, because we know who’s coming in. All right, so let’s have a little fun. So you’re a CISO, right? So what fictional character, real person, whoever you want to name, do you think would make an amazing or horrible CISO, and why?

Andrew Farkas (43:15):

So for me this was, I had a hard time thinking, so I’m going to give more bad answers.

John Verry (43:21):

And you don’t use alderman, I’m telling you now, do not use-

Andrew Farkas (43:23):

No, it’s not an alderman. But it is interesting, because I was trying to think of what’s the personality type, what’s the psychological profile of somebody who makes a good CISO? And the thing that popped into my head was someone who’s skeptical. First and foremost, someone who is skeptical, and I thought about the great philosophical skeptics like Plato and Aristotle and Pyrrho. And I thought that these are the guys who, no matter what the climate of the day was, challenged everything. There was no such thing as a good answer because there was always a better one. And I do think that that type of Socratic method, that going back and forth, that if you were a Greek philosopher listening to some of the things that people are trying to build today, some of the business processes that people are trying to float as secure, you would sit there with your robes on and you would be like, I don’t think so, over and over and over again.

Andrew Farkas (44:11):

And you would always be challenging them to do it better, do it in a more secure way, do it in as efficient a way as they possibly can, and do it in a way that obviously makes your business money. So at the end of the day, I do think that a Greek philosopher’s skepticism, to me, is something that I go into every conversation that I have with anybody with. When anybody tells me that they have a great process in place, this is really secure, we don’t really worry about this that much, I have to put my skeptic’s hat on and I have to ask a bunch of probing questions, kick over rocks and really get to the bottom of whether or not I agree with it.

John Verry (44:45):

So that seems, so if I use that same logic, that sounds like Ronald Reagan would do a good job, because that sounds like trust but verify, right?

Andrew Farkas (44:53):

It is trust but verify. I mean-

John Verry (44:55):

I know, which, you kind of feel like that’s the first thing I thought of when you said it, I was like, that’s a strange answer. Then I’m like, oh my God, no. That’s trust but verify, which is a brilliant security strategy.

Andrew Farkas (45:03):

Yeah. And I would go at it light on the trust, heavy on the verify. That’s my only inflection there.

John Verry (45:11):

Yeah. That’s good. All right. So last question. So you do this every day, all day, you’re immersed in this. So anything, like future episodes you think that the podcast should cover, that people are constantly asking you about?

Andrew Farkas (45:23):

Well really, and I think I’ve echoed it through this conversation, is that organizations typically already have all the answers that they need. They need somebody to get them to talk to each other, to get that information across borders and disseminate it all around. So really what I would love to see, and maybe this is a little farfetched, is an information security series for business people and a business operations series for information security people. Because the thing that I see more often than not that is the ultimate obstacle for the success of information security within an organization is, that’s IT’s job, that’s the business’s job. People might need to start realizing that you can’t do business without IT, you can’t do business or IT without information security. Just as one’s ingrained in the other, and it has been for many decades now, and it’s finally getting to the point where nobody even thinks of them as being separate. Soon that cultural kind of osmo… Not osmosis, that cultural kind of-

John Verry (46:26):

Urging, blending-

Andrew Farkas (46:27):

Urging, blending, sure, will be just as effective for information security. And I don’t think that happens unless you have the different aspects of the business talking to each other, training each other on what they do and why it’s important.

John Verry (46:40):

Yeah, and I’ll end with a bad ending because, again, we’re transparent, but it gets even uglier when you think about it. We didn’t really talk about privacy, but privacy is part of that equation as well. So I mean, that used to be another leg over here, legal and compliance, but now with GDPR and CCPA and this privacy framework, now all three legs have got to come together, right? That legal client is collapsing into information security.

Andrew Farkas (47:05):

That’s good for InfoSec people, because unfortunately the privacy stuff has been, like anything else that seems kind of InfoSec, punted to IT, and IT organizations within companies are finally saying, yeah, this is a bridge too far. We’re going to kick this back to legal and compliance, and you need somebody who really can speak both languages.

John Verry (47:27):

Yeah. Because at the end of the day, there is no privacy without security.

Andrew Farkas (47:30):

That’s right.

John Verry (47:31):

Cool. So this was awesome. Thank you. I genuinely appreciate you jumping on.

Andrew Farkas (47:34):

Oh you’re welcome.

John Verry (47:35):

So final question before we say farewell is, if somebody wanted to reach out to you directly, what’s the best way to get in touch with you?

Andrew Farkas (47:42):

Oh, they can either go to the website, they can call Pivot Point Security, or they can reach me at [email protected]

John Verry (47:50):

Okay, so now here’s the good news. It’s now 2:30 on a Friday afternoon, and I think that means that there’s a Hendricks waiting for you somewhere.

Andrew Farkas (47:59):

U.S. laws do not apply.

John Verry (48:05):

All right Andrew, have a good day.

Andrew Farkas (48:05):

Thank you very much John. Bye. Bye.

Speaker 1 (48:07):

You’ve been listening to the Virtual CISO Podcast. As you probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us @infoatpivotpointsecurity.com. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.