Feb. 11, 2023

#31 A fireside chat with Greg Schaffer from vCISO services

In today's episode, I am interviewing Greg Schaffer from vCISO Services. Greg started his cybersecurity journey in 1989, and he offers his services to different customers across multiple verticals. Here are the main topics we discussed in this episode:

- How to explain cybersecurity to non-technical people in the C-suite
- What CISOs should be focusing on and what mindsets they should have
- The relation between cybersecurity and IT operations
- Advice to SMEs
- Justifying the cyber bill
- AI and cybersecurity
- Advice for people interested in entering the cybersecurity industry

How to connect with Greg?

Podcast: https://anchor.fm/virtual-ciso-moment

YouTube https://www.youtube.com/@vciso

Business: https://vcisoservices.com/

Transcript

Hello and welcome to a new episode of the CTO Show with Mehmet. Today I'm doing something new for my listeners, so you're gonna see me. I will also put this on YouTube. I have a guest today, Greg Schaffer. He is a cybersecurity expert based out of Tennessee in the United States.

I've met Greg over a platform and I've seen his experience. So I thought, why not get the experience of Greg for us here in Dubai and in the... So, Greg, can you please introduce yourself?

Thanks. I am Greg Schaffer. I'm the principal of a consulting firm called vCISO Services here in the United States.

We provide virtual chief information security officer consulting and information security risk management consulting for small and mid-size businesses. I've been doing that now for about six years. My experience, just very briefly: I've been in IT and information security since the late eighties. So I've been doing this for quite some time, and in various chief information security officer roles, including a university, a bank, and the city of Nashville, Tennessee.

I was their first CISO back 10, 12 years ago, something like that. But then I pivoted and became a cybersecurity consultant, and it's really my drive to help small and mid-size businesses. I should also mention that I am also the host of a podcast called The Virtual CISO Moment, where we do the same thing: we talk with cybersecurity pros every week.

Every Tuesday we drop a new episode. So it's a lot of fun and I'm happy to be here. It's nice to be on the other side of the questions for once.

Good, good. Thank you for being with us today, Greg. My first question to you: so you've been a CISO for quite some time.

Yeah, I'm an old guy, so yeah.

So one of the things that I try to focus on in my podcast usually is not only talking to technical people, but also talking to the other side of the business, the decision makers, the stakeholders. So the first question I want to ask you, from your experience: how, in a simple way, can you explain the term cybersecurity or information security to someone who might not be very technical?

Well, that's, I think, one of the most difficult things about being a CISO. And I think a lot of people don't master it, because really it's our responsibility to learn the business, learn the business language. So you can't go in there... Nobody at the board or the C-suite, none of them are gonna care about how many threats you had, how many...

How many threats did your firewall block? For example, if that was a thousand or a hundred thousand, what does that mean? You're giving them the what, but not the so what. Tell me what this means to the business. And the only way you can do that is that you have the responsibility of learning the business first.

So whatever vertical you're in, whatever the business does, if it produces little widgets or if it's a service-oriented business or what have you, the security officer needs to understand the business first, because then, from there, they can speak the language of the business leaders, and that's really the key there.

So when you're talking about threats: okay, the firewall blocked 10,000 things last year. Well, okay, what does that mean to the business? Well, we've noticed an uptick in attacks, actually, because our threat intel tells us that we're getting more and more intrusions from X area of the world, which we think is related to this service that we just implemented, because that now has some information that folks might want to try to exfiltrate.

You see what I'm saying? It's a very simple example of tying together a technical aspect, which the board and the C-suite don't care about, with what the board and the C-suite do care about. And there's no simple way to really do that otherwise. Look, that's one of the reasons why CISOs get paid a lot of money: it's not just understanding the technical stuff, it's understanding the soft skills and the business stuff.

Yeah, that's cool. And also from your experience, because you've done it as a customer and now you're doing it from a consulting perspective, what do you think are the major challenges that CISOs nowadays are facing? Like, what is keeping them awake at night, I would say?

Well, you know, one of the issues I think we have as an industry is that it seems like we've learned as CISOs to go into a job, figure out one big thing to help fix, implement that thing, and then move on. The average tenure of a CISO in a position is short. I don't know an exact number, there have been studies and all that, but 18 to 24 months, and it takes time to just learn the business. And I think that the biggest challenge that a CISO has is: don't go in trying to fix something right out of the gate.

And sometimes that's sort of contrary to what they're being asked to do, because a lot of times when a business goes out and hires a new CISO, it's because either they had a breach and they didn't have a CISO before, or they had a breach and the previous CISO either left or was asked nicely to leave.

So I think that the challenge there is to approach a position with longevity. If you want to be there for some time, you want to help make a difference and really get in, because without getting into and understanding the business, and I'm kind of going back to what I was saying beforehand, you can't really be effective.

You cannot just buy a tool, put it in and say, this is gonna solve all of our problems, trust me, I'm a CISO. Unfortunately, I think that the CISO mindset isn't quite there yet for a lot of chief information security officers. I think that they're of the mindset: I'll go in, I'll try to fix, and then I'll leave, and therefore make more money as you go up the chain as you continue to leave.

And I don't think that does the security industry a service at all, and then it doesn't help the businesses as we're trying to solve a problem. And I don't think that approach is the right way to solve a problem.

Yeah, I agree with you. And I'm talking too much about the challenges because I know it's not an easy job.

Also, from my perspective, talking to customers: what are the main challenges that they really need to face and try to solve, whether on a daily basis or in the long run? What do you think are the major challenges for CISOs today?

Well, you know, this is kind of one that's been around for a while, and unfortunately I think it's still here: the friction sometimes between information security and information technology.

If you have someone leading information technology who is a very strong-willed person that can get very defensive, they're less apt to accept what the CISO might be saying. And conversely, the CISO shouldn't be telling the CIO what to do. They should be working collaboratively. They should be working together to figure out what the best technical controls are, because information security is not just about technical controls.

I get that, but it is such a huge component. And if a CISO walks into a position and there's that immediate friction with information technology to begin with, then you almost lose the battle, if you will, and you can extend that really to any part within the organization. Sometimes the CFO will look at security as a cost center.

It's like, what are you really adding to the business here? You're just asking for a lot of money and I don't see any results. And so one way to get around that is to show value by doing quantitative risk analysis, using a methodology like FAIR, the Factor Analysis of Information Risk. And by doing that, it all kind of ties back to people seeing that you are not just focused on the technical aspects of blocking stuff and security, but you're actually trying to promote the business growth and you're going through the whole process of understanding.

So you go to the CFO, and it's like: I understand that, look, $200,000 for this tool for a year is a lot, but our cost exposure without the tool is $500,000.

Yeah.

It makes sense then to buy that tool, to spend that money.

That's really informative. Another question that came to my mind, and this is something I see on a daily basis sometimes as well: when we talk about large enterprises, these guys have enough budget, enough consultants, to do the stuff that they do.

But sometimes, and I'm sure you have seen it also, when we talk about the smaller enterprises, we see this question come up: why do I need this? Should I do cybersecurity countermeasures? What's your advice? And sometimes people don't really get the risk behind it. So usually, what do you advise owners of small businesses or, let's say, medium-size enterprises? What's your advice to them?

Well, I think that they should look into a virtual CISO service firm or provider. And I don't mean to make this a commercial, but, you know, we're one; vcisoservices.com is our website. But what a virtual CISO can do in that case is provide that sort of leadership and guidance and experience to inform them of what they pragmatically would need to do, because one of the better aspects of a good virtual CISO is that they understand: look, you don't have unlimited budget, and that's good.

I get back to the other CISO challenge, where it always seems like, oh, let's just buy this big tool and put it in and see if it works. You'll never have that with the small and mid-size businesses, and you really gotta be good about understanding their business. So you look for a virtual CISO that understands risk management and is not so much a technical virtual CISO.

It's a very crowded field in some ways right now, because there are a lot of folks that are providing what... One person on my podcast, when I asked the question, well, what's a significant threat for small and mid-sized businesses? He came back with what I think is one of the best answers. He said:

bad advice. And he's right, because if you contract with someone or you bring in a firm to help you build your security program and they're providing you advice that is substandard, you've not only not moved forward, but you could very well have moved backward and spent a lot of money in the process. So I'm not saying that small and mid-size businesses need a virtual CISO per se; that's one avenue. It's certainly a very cost-effective avenue, because you're getting the experience of folks like me who have actually done this in the role full-time for many, many years. But whatever you do: A, do something, and B, research and make sure that you're not going down the wrong path, however you need to get there.

That would be my advice.

Cool. And another point I want to ask you about, and you touched on it, but just to re-emphasize it: when we talk about IT in general, we talk about total cost of ownership, ROI, and sometimes in cybersecurity it's not that straightforward. So what's your

advice for people who really understand that, yes, this is something that we need to implement, whatever the technology is, but from a cost perspective we cannot show it, right? So it's not like we're replacing some hardware with something new, you know, where we are reducing the cost. So what's your advice to decision makers?

I would say, to justify that to the... Well, I think you need to have some sort of methodology for determining the cost of a particular risk. So it can be as simple as: you do your risk assessment. This is one of the basics of an information security program. You do a risk assessment, you look at your inherent risk, and you can also add a cost estimate to that.

You can do it as simply as three basic levels: low cost if this risk actually occurs, medium cost and high cost, and you can assign some range of numbers there, and then you get a little bit of a better idea of, okay... Business email compromise for an organization that does a lot of wires, for example, and you don't have good email controls in place, you don't have two-factor authentication in place for that.

Okay? That's a big risk for businesses that wire money all the time. And if they don't have two-factor, which is a relatively small cost to implement, you can easily see that the cost to fix that, if you will, is a lot less than the cost exposure. That's the key phrase here: cost exposure. Now, I mentioned FAIR beforehand; that's going a little bit more structured, if you will.

The bad thing about qualitative risk assessments is that it's basically a graphical or a spreadsheet representation of a subject matter expert's opinion. That's all it is. It's very subjective. It's not rooted in a methodology. Now, if you go to something like FAIR, at the very least you're taking a lot of elements of a qualitative risk assessment and you're adding some quantitative elements to it, so you can then look at:

what is my cost exposure for something? I'm not gonna go through the FAIR taxonomy at this point. I mean, you can go very deep into this. It's a lot of fun sometimes. But whether you do that or you do just a very high-level qualitative risk assessment with some basic ranges of costs associated if that risk is realized, you have to have some way, because again, the business owners aren't...

They don't understand. They'll understand what is the cost, what is the risk, if we do not implement a particular service, for example. Okay, so in business terms, you have the cost of implementing a service, like you want to offer a new... you want to offer penetration testing if you're a security firm, for example.

Okay? So that's a good thing. You're gonna have revenue come in, but it's gonna cost money to get the tools to do penetration testing. It's gonna cost money to secure the assets, the personnel that have the skill set to do that. So you have the costs associated, but you can definitely have a higher revenue stream coming in.

So that risk is like a risk of opportunity. Now, business leaders understand the risk of opportunity. Opportunity risk is like: what happens if we don't do anything? We lose the opportunity to increase our revenue. So if you speak in that language, it's all the same thing. It all comes down to cost exposure, and then

it makes sense to spend the company's money.

Yeah, I agree with you. It's always the cost of doing nothing, as I call it, versus...

Yes. And the cost of doing nothing, particularly in security, can be huge. You had people not too long ago who didn't have firewalls up on their little small networks, and the cost of doing nothing for folks that didn't have firewalls, well, that was pretty bad, you know?

Yeah.

You know, that was some years ago. I think if you're a small business out there right now and you have a little network and you don't have a firewall... I'm sorry, get a firewall.

Yeah, yeah, yeah, yeah. Get the firewall or you will be out of business.

Exactly. Yeah. Well, and I've seen a lot of cases that came down to the wire, where businesses were hit by malware or so, and it was done, game over for them. So they collapsed. Yeah. Yeah. I've seen it many times. Mm-hmm. Before the last question, I have a question that just came to my mind, and I think you follow the new trends of technology, and this is something that I also do in the podcast.

So now everyone is talking about AI and the use of AI in cybersecurity. Personally, I've seen some articles, and some of them were scary. But how do you see the evolution of AI from both sides? I mean, from the offensive side, from the cyber threat actors, and from the good people, the CISOs and everyone who is on the good side, I would say.

Well, I think the first thing we have to realize is that AI, ChatGPT and those sorts of things, are just tools when all is said and done. And they're good tools, and just like any tools, they can be used or they can be abused. I think one of the risks, at least on the good side, is too much reliance on it.

I see folks that are using ChatGPT to, say, write their policies, write their marketing and all of that, and there's a good component to that, because you can do that to give yourself a good baseline. But there's the danger of relying too much on technology, and you start to lose your own abilities to do this sort of stuff, to be able to defend against folks and this and that, because ultimately artificial intelligence is just that: it's artificial, and you don't have the inputs, at least today,

or the gut feeling. Sometimes it's that gut feeling that something just doesn't feel right here. You can't get that with AI. I don't think you ever will. For the bad guys, unfortunately, this is making things a little bit easier for them. But we've been down this road before.

You know the term script kiddies, right?

Yes, of course.

So before script kiddies, information security, cybersecurity, was a lot about folks that really knew what they were doing, and they were weaving their way in and so forth. But then they started to package these things in scripts, and then you could have someone who has no experience whatsoever take a script and just run it against things.

And AI is kind of the same way. You're gonna have people that don't really have that fundamental knowledge that are gonna try to use this to run it. Are they gonna be able to do more bad stuff with it? Yeah, I think so. But it has the same effect on them as well, where they're not really

promoting their own skills, and their skills will atrophy. So it's interesting to see where AI is. I think it's overhyped right now. It's a good tool, but it's a tool just like any other tool, a screwdriver, a pen, what have you. It's wonderful. It's gonna be here forever.

Just like computers. I mean, we didn't have computers 50 years ago, you know, in our pockets. We didn't have smartphones 20 years ago. The most powerful computer, right here in our pockets, is more powerful than everything that NASA used to land on the moon back however many years ago.

But we haven't destroyed ourselves because of technology. We won't destroy ourselves with AI. But it's going to be an interesting story to watch over the next couple of years, I'll give you that.

Yeah, I have to agree as well. And just on the point about the script kiddie stuff: you know that there are some people who offer that as a service.

So, for example, ransomware as a service.

Exactly. Yeah.

And here you can have almost like AI ransomware as a service.

Mm-hmm. And the bad guys are after one thing. They're not after your information, they're after money. I mean, when all is said and done, it's all about money.

Yeah. Right.

And if they can monetize AI, they will.

Exactly. I agree with you. And the other thing I'm expecting is to see a little bit of AI fighting AI, maybe. But as you said, because they are just tools, right? So I believe the human factor will still be playing the biggest role in that.

So, add AI into drones and droids. You're gonna have almost this sci-fi issue of having droids, like those robotic dogs that you see people are developing. You're gonna have dogs fighting each other, and then drones with AI coming in and fighting and this and that.

And that sounds a little scary. Maybe I've watched too much sci-fi, I don't know.

For me, as long as AI is not conscious, I would say, I'm fine. Because actually, in one of the episodes I discussed that, for the time being, you can take some guidelines from ChatGPT, for example, if you want to do a pen test.

Mm-hmm.

But actually, it'll not help you do the pen testing, because it lives in the past. It's up to 2021, as we know. So it's not aware of the new vulnerabilities, it's not aware of what's happening around it. It cannot actually go and do a DNS check, for example, right? So, I'm going a little bit technical, but...

That's fine. That's okay.

Yeah. But I agree with you. Now the last thing I want to ask you: in every report, every article I read, I see that there's a shortage in cybersecurity skills, and people hesitate sometimes: should we go and study cybersecurity? Should we go into this? And for someone who's very experienced like you, what's the advice that you can give for someone who is really interested in cybersecurity?

And your overall view on the shortage in the market today.

Well, I think part of this can be applied to just about any industry. I think the first thing that you need to ask yourself, and this at any stage in your career too, is: why do I want to do this? What's driving me towards cybersecurity?

Is it the money? Is it glory, if you will? Is it the challenge of trying to show that there are vulnerabilities? Is it the challenge of trying to protect against vulnerabilities? I think that there's so much out there in cyber right now that people get really lost, and they tend to be all over the place.

Because if you figure out your why, then you can start to figure out the actual discipline within cyber that you want to do, because cybersecurity has become like the medical field. You have your general practitioners, who know a lot of stuff but not very deep, and then you have all your specialists along the way.

I mean, I don't want a dentist working on my heart. I don't want a cardiologist pulling my wisdom teeth. You know what I mean?

Yeah.

But I mean, do you want to be a surgeon and actually work on a heart? Do you want to pull people's teeth? Do you want to do mental health? Those are disciplines within the medical field where you have to figure out your why and what's interesting to you.

And I think that people don't understand that fully within cyber yet. They're like, okay, it's such a broad field that... I just wanna be in cyber. So figure out your why, then figure out your discipline, and then talk to people. Talk to people who have gone down that path, again, like the podcast you're doing, the podcast I'm doing.

Part of the reason why I do my podcast is to share stories from people who've gone down those paths and made those decisions. Some of them become more technical. Some of them become CISOs. Some of them are in GRC. But just talk to people. And don't follow my path, because cybersecurity didn't exist back in the dark ages.

I mean, again, I started in 1989, and we didn't even have twisted-pair Ethernet at the time. So, yeah, that would be my advice.

That's great. And actually it's very logical, I would say. It's not only for choosing a career, it's for everything in life. We need to start with why. I'm a huge believer in this, as per Simon Sinek.

Greg, I really appreciated the chat today. I highly advise my audience to tune in. Can you remind us of your podcast name and where they can find more about yourself?

So the podcast, you can go to any podcast platform. It's called The Virtual CISO Moment.

And I'll put the link.

I appreciate that. We're also on YouTube, youtube.com/@vciso, and our company page, where you can learn more about us, is vcisoservices.com. We'd love to have you, and if you have any questions that I can answer, you know, contact me through there. You can also contact me on LinkedIn.

I'm very easy to find.

Great. I'll add you first also. Okay, that was a very interactive, very, I would say, informative session with you, Greg. I highly appreciate your time today. For my audience, I hope that you like this format. It's my first time having guests. I promise you that I'm bringing some cool guests. I hope that you found this episode very informative.

Stay tuned for other guests very soon, and I will see you again in the next episode of the CTO Show with Mehmet. Bye-bye.