
Lessons Learned from a Virtual CISO

From The New CISO
Length:
40 minutes
Released:
Apr 10, 2019
Format:
Podcast episode

Description

Lessons Learned from a Virtual CISO

Matt Klein, Virtual CISO and Executive Advisor at Optiv, sits down with Steve Moore to share his insights on teamwork, getting visibility at the executive level, and the right prep for effective board conversations.

What is a Virtual CISO?

Think of it as a trusted advisor, an executive advisor, talking about the strategic elements of your security program, and even some technical elements, at a high to medium level. They are a trusted person who works with a company to make sure it is headed in the right direction. They are also the person to bounce concepts off and to make sure the company is doing the right things as it builds its information security program.

There are times where the virtual CISO model comes into play: either the CISO has left the company, or a small to medium-sized business doesn't have the need for a full-time CISO. Another situation is where a CISO is gone, or the company is creating a CISO role, and they believe they have somebody on staff who is capable of doing the role but needs some guidance.

What is a bad CISO?

Usually they're not talking the same language as the business. Everyone tries to get to that language of talking risk, but it's really about talking about the business. What does the business do? What are the crown jewels? What are those elements of the business that are core to protect? Whether it's data in a regulated industry or something else, most industries would love to protect their brand. They don't want their brand dragged through the mud in a data breach. It's those types of things. It's really those situations where the CISO is removed so far from the executive team or from the board of directors that the voice of the CISO is never heard.

Is the CISO role measurably impossible?

There are folks doing a fantastic job. They have what they need to get the job done, and that's really the root of CISO success. It's budget, it's staffing, it's all of those core elements of a security program, but it's more than that; it's personal interaction with the business. There's an understanding of what the business does and what protection should be in place. You can't place a blanket over everything; it's impossible and it's expensive. You never have enough staff. You really have to pick and choose what you want to get done inside of your program, in a risk-based approach that makes sense for your business. Set the baseline at an executive level.

Interaction with the Board

It was just getting to know who I was talking to. In this case it was the board of trustees of a private state institution. Just understanding who the players were and getting to the point where I was talking at a very rudimentary level about what a security program was. There were no numbers for that initial meeting. It was really concepts. It was bringing some of the concepts of protecting the institution, protecting the brand. It's really a huge asset for them to consider from a protection standpoint. It was really setting a foundation of here's what we're trying to protect, here are the important things to the institution. Not so much asking for what I needed or statistics. It was very high level: get to know what the information security program is and what it does for the institution.

You would want to be at least a little bit comfortable with standing in front of a group of folks and delivering a message. When you're helping create a presentation, there are really two in one. There's the larger presentation, the set of slides you would use if you had all the time in the world, to kind of walk through, give people time to ask questions, and be really open with your presentation. And then there's the scenario where you've got to cut down to three minutes, which is a maximum of two slides.

It's really going through those two exercises together, continuously on almost any presentation you do, the long version and the short version, and deciding how you're going to deliver both of those messa

Titles in the series (100)

The New CISO is hosted by Exabeam Chief Security Strategist, Steve Moore. A former IT security leader himself, Steve sits down with Chief Information Security Officers to get their take on cybersecurity trends, what it takes to lead security teams and how things are changing in today’s world.