Virtual CISOs: Balancing Security, Compliance, and Collaboration

  • Jun 20, 2023
  • Heidi Willbanks
  • 4 minutes to read

    In episode 86 of The New CISO, host Steve Moore interviews Laura Louthan, an experienced virtual CISO (vCISO) and CISO at Angel Cybersecurity. Throughout the conversation, Laura shares her valuable insights on the role of a vCISO, the challenges it presents, and the benefits it offers to businesses. She also discusses her unique career path and the advantages of being a vCISO. Let’s take a closer look at the key takeaways from this engaging conversation.

    Laura’s unconventional career path

    Originally from Britain, Laura moved to Los Angeles in search of new opportunities. With a diverse background that spans various industries, including a stint as a SCUBA instructor at Club Med, she eventually made her way to IT and founded her own business, Angel Cybersecurity. Laura’s unique combination of skills and experiences has made her an invaluable asset in the cybersecurity field.

    Laura’s career journey is marked by on-the-job learning and tackling tasks without being spoon-fed the solutions. This self-sufficient approach has been instrumental in her growth, empowering her to independently find answers and hone her resourcefulness. Laura feels strongly that the ability to seek out answers on one’s own is a valuable skill, especially in cybersecurity.

    The role of a vCISO

    Many organizations — especially small-to-medium-sized businesses, or SMBs — lack the resources or expertise to hire a full-time CISO, yet they still require guidance and support in managing their security posture. Enter the vCISO, a professional who offers part-time, remote security consulting services tailored to an organization’s needs.

    Laura describes the typical scenario for her virtual CISO engagements: “I think I have bread and butter work, which is the same pattern of a small organization that has a security need. Whether it’s compliance or a customer, there’s usually a third party forcing something on them. So, they have a security need and they know what they want to get to. It’s usually something like SOC 2 or PCI and ISO or something.”

    To ensure a successful partnership, Laura assesses the organization’s technology stack, industry, and compliance requirements. She stresses the importance of understanding her clients’ needs and being able to assist them effectively: “Are they working in a technology I can understand? Are they working in an industry which, even if I haven’t worked with it, makes sense to me and I understand? Are they looking to do maybe a compliance framework that I am comfortable with, or is the one they want to do close enough to ones that I’ve done?”

    Risk acceptance and responsibility

    One of the primary responsibilities of a CISO is to identify and manage risks associated with an organization’s information security. As a vCISO, Laura is responsible for guiding the organization in risk management, but she emphasizes that the ultimate responsibility lies with the senior management team.

    Laura shares her approach to risk acceptance: “I do work very actively with whoever it is in the organization — and it might be the CIO, it might be the CEO, it might be the COO — typically one of those people are in my meetings. And if there’s risk that needs to be accepted or discussed, they need to be in that, and so they are very much signing off on that.”

    The appeal of the vCISO role — and its challenges

    The vCISO role has become increasingly popular among experienced security professionals seeking more control over their work environment and clients. Laura mentioned some of the reasons she made this shift: “I think I want to work in a little bit possibly less stressful environment, possibly less money, possibly more money, but possibly more control over who I work with and how I do the work.”

    Being a vCISO has its perks. Laura can work on a contractual basis, providing her expertise to multiple organizations simultaneously. This flexible arrangement offers several advantages:

    • Scalability — As a vCISO, Laura can quickly scale her services up or down, depending on the organization’s needs.
    • Cost-effectiveness — Hiring a vCISO is often more budget-friendly than employing a full-time, in-house CISO.
    • Fresh perspective — With experience working across various industries, vCISOs can bring new ideas and insights to their clients.

    Additionally, the vCISO role presents numerous opportunities for growth and learning. By working with multiple clients, Laura has been exposed to different industries, technologies, and challenges, which have helped her continually expand her skillset and stay ahead of the cybersecurity curve.

    Despite the many benefits of being a vCISO, it is not without its challenges. Building trust with clients and proving your value can be difficult, especially in the beginning. From her experience, Laura says that communication, transparency, and a strong work ethic are important in overcoming these obstacles.

    Building relationships and collaboration

    Laura highlights how important it is for vCISOs to build relationships with clients and collaborate with various departments within the organization. She believes that the most effective way to provide value is by understanding the needs of the business and working closely with stakeholders.

    Laura shares her thoughts on this approach: “So, if someone was having their first job as a vCISO, it’s challenging because you’re not there every day. You’ve got to dive in when you’re in that meeting and really show your worth because you only show your worth a few hours a week or a month versus every day. And you do that most effectively by building relationships with the people you’re working with, I think.”

    Enabling the business

    In addition to managing security risks and compliance requirements, vCISOs play a crucial role in enabling the business to operate effectively. This involves working closely with various departments and ensuring that security measures do not hinder the organization’s overall productivity and growth.

    Laura emphasizes the need for a collaborative approach: “I think we haven’t necessarily always done a great job. We have to do better to get involved with all of the departments other than IT so that they can understand why we’re asking them to do what we’re asking them to do, and by that same token, understand what they do. Because if we just sit in a little world where we say ‘Thou must patch, end of story,’ that’s not helping us.”

    Delegating tasks is important in Laura’s role as a vCISO. By being truthful about her abilities and knowing when to delegate, Laura can ensure that tasks are completed efficiently and maintain a strong professional relationship with her clients.

    Conclusion

    The role of a vCISO is evolving to meet the unique security and compliance challenges organizations face. By offering part-time, remote consulting services, vCISOs like Laura are able to provide valuable support and guidance to organizations that may not have the resources to hire a full-time CISO. The key to success in this role lies in understanding the client’s needs, building strong relationships with stakeholders, and maintaining a focus on enabling the business. As the demand for vCISOs continues to grow, security professionals should consider the benefits and challenges of this flexible, collaborative, and rewarding career path.

    To hear more of Laura’s insights and experiences, listen to the full episode or read the transcript.

    The New CISO Podcast Episode 86: "Self-Sufficient Security: The Perks of Being a vCISO" with guest Laura Louthan
    Senior Product Marketing Manager, Content | Exabeam | Heidi Willbanks is the Senior Product Marketing Manager, Content at Exabeam. She manages content strategy and production for product marketing and supports strategic partners, sales and channel enablement, and competitive content, leveraging her product marketing certification, content expertise, and industry knowledge. She has 19 years of experience in content marketing, with nearly a decade in the cybersecurity field. Heidi received a BA in Journalism with a minor in Graphic Design from Cal Poly Humboldt and was awarded Outstanding Graduating Senior in Public Relations Emphasis. She enjoys reading, writing, gardening, hiking, yoga, music, and art.
