Virtual CISO from Secure Anchor. PHOTO: Cybercrime Magazine.

Keys to Successfully Establishing a Virtual CISO in Your Organization

You can’t respond to a data breach or hack without a security leader 

Dr. Eric Cole, Virtual CISO

Reston, Va. – Apr. 12, 2019

In the mid to late ’80s, when organizations started buying computers and recognizing that computers were ‘sort of important’ to business (still not yet critical), they created an Information Officer that was buried under operations. At conception of the role, the Information Security Officer (ISO) initially followed the same path as the CIO. Organizations recognized that they needed someone to focus on cybersecurity, but did not really understand the importance or significance of such a role. This was tied to a lack of understanding of the impact a breach could have on the organization.

As the computer age progressed in the ’90s, all of the sudden (overnight) every desk had a computer on it. IT infrastructure became critical for business efficiency. So the Information Officer rose up to a Chief Information Officer that reported directly to the CEO, and was given a key metric of success, which was known as the “five nines” or “99.999%.”

That means that the CIO has to deliver 99.999% uptime availability. If they do that, they’re considered a success. If they don’t, they’ll typically lose their job or won’t get their bonuses.

What is a Chief Information Security Officer (CISO), really? What makes a good one? To find out, download your free copy of “Do You Know CISO?” today.

Security took the same path as information. During the mid to late ’90s, ‘information security’ was deemed an important part of business and more vulnerabilities were revealed as more organizations relied on computers to hold information. Once again, they created a Security Officer that was buried under IT. But then as we moved through 2000-2012, we realized that security and IT support each other and are actually parallel roles, so one shouldn’t be buried under the other.

Often when the security role reports to the CIO, the decisions that get made support uptime more than security. This has been one of the major downfalls with the current organization path of lumping IT and security together. Thankfully, more and more executives are beginning to understand this. So more separation is being created between these two roles. Upon seeing the need for both roles, they are establishing equality between the CIO and CISO. While some CIO’s initially fought the fact they were losing control, supporting both IT uptime and security creates a conflict of interest situation.

Now let’s determine what the measures of success should be for the virtual CISO. Often the metric that companies use today to determine the success is “if we don’t have a breach then security is doing their job.” This is problematic for so many reasons. However, it is evident this is the expectation because if there is a breach the CISO gets fired.

Reality — you’re going to have a breach. The idea that organizations will never have a breach is naive. As long as you have functionality, you’re going to have security exposure points and breaches are going to happen.

Key 1 — Measures of Success — How will you know the CISO is being successful?

There must be a single metric of accountability.

The first metric I propose to measure is “the number of attempted attacks.” This is a positive metric and considering most metrics are negative, I really like starting with this one. A lot of organizations look at things like vulnerability scan or vulnerability data, but that’s a negative metric. That’s like saying, “Look at what I didn’t do.” So let’s focus on what was done and start there.

Besides being a positive metric, “attempted attacks” also raises awareness. Most executives have no clue about the number of attacks against their organization. I do roundtables with CEOs of Fortune 50 and billion dollar companies, and they usually tell me, “We may have 8 or 10 attacks per week (or month).” They don’t realize that the more accurate description is “8 or 10 attacks per second of every day.”

I’ve even had a CEO say, “If there were more attacks than the 8-10 per week (or month), I’d consider that significant and my security professionals would have told me. Since they’re not telling me, I assume it’s small.”

This conversation was very eye-opening because he is right in what he is being told, even if it’s not the whole truth of what is happening. If your CEO thinks that there are only 8-10 breaches a week, a compromise occurs; the CEO believes the CISO did not do their job and that’s the reason they get fired. However, if you reset expectations and tell your CEO that you have 50,000 attempted attacks per week against your organization and in 9 months you have a breach, it is now put in proper perspective. While no CEO wants to have a breach, they are now recognizing it is a cost of doing business.

Awareness is the key to realistic communication and realistic expectations. So by reporting on the REAL ‘number of attempted attacks,’ the CISO can actually show the full scope of security they are implementing. Remember — breaches happen, but it is good to know how many were prevented, keeping this metric positive and relevant to the successful actions of the CISO.

Key 2 — Actionable Accountability — reporting and communication.

A good CISO is really a translator or what I call a “marriage counselor.” Basically the geeks (security folks) get frustrated and angry that executives don’t understand or make security a priority. The CEO and executives get upset because they don’t get the information they need at a level they understand from the security team.

Security is a boardroom discussion. I sit on a lot of boards, so I can assure you that security is a top priority. The number 1 concern is that we are not getting the information that we need from the security team to make key decisions in real time.

The security team comes in with 50 PowerPoint slides being super technical and the executive has no freaking clue what they’re saying. So both sides get upset. This is where the good CISO being a translator comes in.

What to do if your organization is not confident in your CISO—or if you don’t have one? To find out, Download your free copy of “Do You Know CISO?” today.

A good CISO can speak business. They understand dollars and cents. But they can also translate technical requirements to the executives.

Executives care about the answers to these key questions:

  • What are the top 8 risks to the organization?
  • What is the likelihood of occurring?
  • What is the cost if it occurs?
  • What is the cost to fix it?

A good CISO has to be able to read financial statements and understand the business because the question is simple… What’s an appropriate budget for an organization?

The answer: It depends on the profitability of the company.

If I’m working for a company that’s making $500,000 profit per year but I want to spend double that ($1,000,000), I’ll get kicked out of the room. On the other hand, when I worked for a company like Lockheed Martin, if I had proposed a budget of $1,000,000, I would have been laughed out of the room. Most multi-million-dollar companies will spend more like $80-90,000,000 on security. The CISO must understand that key information to gather accurate reporting.

A CISO should be expected to take ownership in communicating both the risks and the budgetary needs of an organization in a way that executives feel empowered to move forward.

Key 3 — Remember that whoever is CISO has the potential to do a lot of harm or good … so make sure you trust who you put at the controls.

For more tips on staying safe in cyberspace, keep checking out my blogs or follow me on Facebook, Twitter, or LinkedIn. For your own company’s security assessment or any other questions or concerns, reach out to me at

Virtual CISO Archives

Dr. Eric Cole is a renowned security expert with over two decades of experience in IT and network security. He is the author of several books and textbooks, including Advanced Persistent Threat, Hackers Beware, Hiding in Plain Sight, Network Security Bible 2nd Edition, and Insider Threat, and has presented at many major conferences. He served as a member of the Commission on Cyber Security for the 44th President, Barack Obama, and also sits on several executive advisory boards.

Secure Anchor provides high-touch cybersecurity services that help organizations prevent security breaches, detect network intrusions, and respond to advanced threats. Using a proven methodology developed by noted author, speaker, and trainer, Dr. Eric Cole, Secure Anchor’s recommendations are tailored to the needs of the organization, prioritized, and actionable.