Episode 15
A day in the life of a vCISO - Audio
The Role and Impact of Fractional Security Officers in Small Businesses
In this episode, cybersecurity experts William McBorrough and Christophe Foulon delve into the world of fractional Chief Security Officers (CSOs). They explore the unique challenges faced by small businesses in building security risk management programs and how fractional security executives can provide crucial strategic guidance. The discussion covers the differences between a coach and a consultant, the balance between tactical needs and strategic growth, and the pros and cons of a fractional CSO compared to traditional consulting services. Additionally, Christophe shares insights on workforce development and supporting the next generation of cybersecurity professionals.
00:00 Introduction and Background
01:11 Challenges Faced by Small Businesses
02:24 Role of a Fractional Security Executive
04:10 Strategic vs. Tactical Approaches
06:43 Client Engagement and Expectations
08:32 Aligning Security with Business Goals
22:22 External Scanning and Risk Indicators
26:02 Profile of Ideal Clients
30:25 Collaboration and Partnerships
31:43 Workforce Development and Community Support
33:57 Conclusion and Final Thoughts
Transcript
William McBorrough: Hello, I'm William McBorrough and I'm joined here with Chris Foulon. You know, I, I work as a fractional chief security officer for, you know, quite a few small businesses. I've been in the cybersecurity space for over 20 years and working as an engineer, working as a consultant. One of the things that we found is that, you know, small businesses have a unique need of needing to build security risk management programs, primarily because the market demands it and not having the knowledge or resources internally to the organizations to do so. And by virtue of that, they reach out to service providers, to consultants, to partner with them and help build this program. So one of the things that I do as a fractional security executive is I'm partnering with my small business clients. And, you know, and part of what that does for me, working in the space as a security advisor over so many years, is that it really gives us a seat at the table and look at the implementation of security risk management from the client's perspective. Right. And that means dealing with a lot of the challenges that you have with working with small businesses. Oftentimes we are partnering with the CEOs, which is an acronym that I refer to as Chief Everything Officer, and not helping them build their security programs and manage their risk because of regulatory compliance or because the industry expects it or because the clients require it. Thank you.
So from time to time, I like to have conversations with fellow virtual security officers, fractional security officers. And I'm joined today by Chris, who is well versed in this space. And I'm looking forward to an exciting conversation about some of the challenges that we see, you know, working with, with, with small businesses. So Chris, welcome. And can you tell us a little bit about yourself?
Chris: Thank you. Happy to be here. So my name is Christophe Foulon. I've been in IT and security for over 18 years and pivoted from being an internal security consultant where I was flexible and supported stakeholders internally, but I always used a coach consultant type perspective to it. So when I had the opportunity to pivot, I decided that I wanted to continue to provide that level of service, executive cybersecurity, strategic services for small, medium sized companies, and offer them a fractional CISO offering where I could go in and provide them with the strategic guidance that they often don't have because they're very focused on the tactical day to day items of running their business or trying to secure their technology stack, but might not think about the strategic aspect of it.
William McBorrough: You know, I, I, I can't help but think about the differences between, you know, a coach and a consultant. A coach is walking alongside of you, meeting you where you are, helping you get better, right? A consultant, more often than not, is telling you the things and then you go off and struggle to sort of, you know, do these things. So I think bringing that perspective to, to, to the table, it can't, can't help but be, you know, to, you know, the benefit of the small businesses that you work with. And one of the things that we talked about is your work as a virtual CSO, as a fractional security executive. Now, how would you, how would you define that role, right? And how would you differentiate it from what we are currently seeing on the market today? And there's a lot of consulting firms, a lot of IT providers are, you know, offering these systems services. How would you sort of, you know, compare and contrast what you provide and what you are frequently seeing being, you know, offered by those service providers?
Chris: So often with those types of service providers, you're providing security consultants to help you with your security program, but they're often not that strategic resource that you need. Some of them might have senior individuals that have that strategic experience. But most of the times the statement of work has to be so defined for these consulting companies to get the contract that it just becomes just another consulting engagement where you come in and you deliver X, Y, Z, and this is how you prove that you did it, versus coming in, say, as a coach or as a fractional CISO where you're coming in and you're going, these are the things that you need to get done. Let's help you get them done.
For my clients that have longer term engagements, I'm acting as their CISO day to day within their organization at a fractional basis. So I'm not there 40 hours a week. I might be there 15, 20 hours a week. So they don't have that full time resource, but they have that fractional resource that is thinking of things strategically, that is helping to plan out their budget for the next year, that is working with their application development team and infrastructure team to see what they're looking to achieve over the next year and how we can roadmap, with either tweaks into the infrastructure, tweaks into their offerings for their internal customers, or maybe they need to get some additional licenses so that they can have those capabilities to be able to deliver on those services, but they might not know how to go about researching that. So I would be the one that kind of comes in and helps them do that. And it's more of a partnership, just as if I were there being their CISO, but I'm not, so they don't have the liability or the overhead of having a C level person within their organization. Because I'm my own LLC. I operate independently. So that's some of the pros and cons of having a fractional CSO.
William McBorrough: You know, give me, give me your thoughts on this. So oftentimes I think, and this is just based on my, my personal experience, is that, you know, you are, you are a fractional, you know, resource with rather full time responsibilities. And the reason that is, is that yes, I might be dedicating 15 hours a week. I'm sorry, you know, even at a smaller scale, you know, 15, 20 hours a month to help build, guide, lead the security program. But I'm the only one doing that work. Right? So although I'm managing my time in such a way that I'm, you know, investing a fraction of the full responsibility of building the security program is still on you. Right? So, so, you know, if there's an issue, you're the one the client is going to turn to and say, Hey, I have this problem. Hey, why do you think, Hey, we have this, you know, initiative. Hey, we got this, you know, email from our vendor, et cetera, et cetera. And, and really is a full time responsibility.
And I think, you know, there's the, the, the, the undervalued aspect of this is the, you know, peace of mind that it gives the client that I have someone to turn to. Because one of the questions that I often ask when I started fractional, you know, engagement very shortly is how did you operate when I wasn't here? Right? The decisions that I'm helping to make, I'm like, well, how did you handle this a month ago? Right? And oftentimes what you, what you find is that they're just doing things. Right? And so the need is, is, is certainly, certainly there, so I'm, I'm anxious to hear your thoughts on, you know, the fractional, you know, investment of time, but still the, you know, full time responsibility.
Chris: Yeah, it really just comes around to right sizing the program for the client, because oftentimes when they're, when they might only need or can only afford a fraction of the, so they might not need that full program that an enterprise organization might have, they, they might not need someone doing that full time. So it's about saying, okay, so for security awareness, what could we do that is reasonable for this organization? For vulnerability management, what's a reasonable way that we can help them with that? For managing their secrets, what's a reasonable way to do that? For checking their SaaS configurations and ensuring that they're not leaking their secrets to the world, what's a reasonable way to do that? So it's really kind of asking those questions and having that conversation with them about what we reasonably can do for their maturity, for their industry, for their requirements that they might have from their own customers, because they might be small, but their customers might have really high demands.
William McBorrough: I mean, the, the, the, the word that you use right there that really reached out to me was, you know, maturity. I've, I've, I've always believed that maturity based security program development is the only way. And what that means is that you are starting where they are.
Chris: Yeah.
William McBorrough: And, and you're sort of moving them forward at the speed of business. Right. You know, I do a lot of work within the defense industry and defense contractors have to meet the exact same security requirements as, you know, regardless of size, right? So if I'm working with a 20 person company and I'm working with a 5,000 person company, the requirements are the same, but how to implement them, you know, differs, right? And you have to meet them where they are and just throwing tools over the fence at them is not, not really the answer. To be someone to sit at the table with them and help and better understand their business processes, right, their business goals and actual capabilities and resources to get there. And I think that's, that's, you know, very necessary. And that leads me to my next question is really what is, what is the process that you go through when someone reached out and said, Christophe, we need help. Can you help us?
Chris: Well, it's similar to a consulting engagement. You do have to scope ahead of time what their expectations are, what you're looking to achieve. What's their budget? How much time expectation are they looking to have? And then really help them set those expectations to what's reasonable based on their budget, based on what you're looking to achieve and just have that back and forth with them that, okay, so you're expecting 40 hours, but you really only could pay for 10 hours. Let's prioritize what we could do in those 10 hours to achieve the most bang for your buck to help you get that next big contract so that you could pay for the next 30 hours and kind of work with them, mature with them so that you can grow with them and they'll stay with you and they'll refer you to other clients as well. I,
William McBorrough: I, I couldn't agree more, more with that, you know, but how do you, how do you deal with, you know, unrealistic expectations?
Chris: You, you set them ahead of time, you have that conversation ahead of time, and then when there's scope creep, don't be afraid to call it out. You're, this is, you're your own business as a fractional CISO. You have to be running your, your profit and loss. You have to be managing your time. And when scope creep happens, you say, Hey, our initial conversation or our initial terms said that we were going to do this, this, and this within these amount of hours. What you're asking will require this amount of hours. If that's a project that you want to take on next, we could do that after we complete this phase of the project, and then you can set up a phase delivery approach where if that's something that they feel is really important to do, that could be prioritized next on their list.
William McBorrough: Great, great. You know, with respect to that, what, what level of ownership do you assume of the outcome? And what I mean by that is, and very often as consultants and you're coming in, you were doing a song and dance, whatever it is, you're providing a deliverable, right? And you are wishing the client, you know, best of luck. Now, sometimes you offer to help them address whatever that, you know, deliverable requires, but there's been so many times over the years as a consultant, I've been brought in to do assessments and to do audits primarily because a business need required that, right, either for compliance purposes or, you know, for what, whatever reason, but there's been so many times where you hand that client that deliverable with specific tailored recommendations and you know that they're not equipped to do anything in that paper, right? Not only do they not have the resources to really do it, more often than not, you know, they don't even have the inclination to do it. Right?
A lot of the activities we do in the security space are activities that are driven by compliance requirements. And, you know, sadly, there are a lot of companies out there that are checking the boxes. Right? But when you, when you come on board, you know, as a fractional exec, coach versus consultant now, and, and, and you're establishing goals with the organization that you're establishing milestones, that you're sort of establishing deliverables and, and, and, and setting expectations, how much ownership do you take from yourself to, you know, carry that through, you know, you know, to the end?
Chris: Me personally, I, I, I, I sometimes do get invested. I, I want them to succeed. So I, I do take some ownership into it. But I also set shared, shared, kind of like the shared responsibility model of a cloud service provider. I could be here to provide you with the service to even tell you what to do. But if you don't do it when I'm not here, you're not going to get the results that you're supposed to get. So I want to help and ensure that you gain the maturity that you need to, so that you can continue this and we can develop tools and processes for you to continue to do this while I'm not here. And I get invested that I want to see that repeatability. I want to see that, oh, this becomes something that we do versus, oh, yeah, we just did it at one time because we had an audit and that was it.
William McBorrough: Yeah. In my view, I think it's really a partnership, right? Like you have to partner with me to walk this road. Right. And I think that that, that really feeds into maybe the vetting, right, all of the client, but then there's a two way vetting that, that, that, you know, that, you know, occurs, you know, they're vetting us to do the least that we're going to meet their needs, but we're, you know, vetting them as well, are they the client that we want to partner with? Because taking on a fractional role, it's different than just doing consult. And, and I think that, you know, those of us who work in this vein, I think there is a level of, you know, you know, investment, you know, in, in that you get to see what's, what's happening under the covers where you get to see the challenges that, you know, that, you know, they have, and they're partnering with you in good faith, you know, part of your role is to help them overcome those, you know, those challenges, right? We are, you know, we need to do five things. You can only afford to, we shift to two to restart and focus on, right.
And these are things that, and a lot of times when I find is that when I start working with, with, with clients, I have to, you know, detangle them from, what I would call, cool. Misinformation, right? From security vendors, our own folks, right? You know, one of the things that I say that, you know, often in my speaking engagements is that, you know, if I'm a vendor that is selling hammers, I'm only interested in your nails. Right. I'm not asking you about your screws. I'm not. And I'm saying that, Hey, you need this hammer to, to, to, to, you know, to hit all of those nails and that is the most important thing. And, and that, that you need. And that's what happens, you know, with a person with small businesses in the security industry, right? Everyone that's selling the gadget, the tool that's supposed to be, you know, something BO and all, and that's a small business. Peace. Right. You don't know where to go with your limited dollars, limited time, limited resources. And I think that's why folks like fractional security executives are so important because you are helping sort of provide that buffer between the business goals and the tools to get there. Right.
And I think that that really speaks to where, where do you find your focus? When you start, is it really at the strategic level or are you focused on the tactical things? One of the things that I've found is that more oftentimes when small businesses reach out to, you know, you know, you know, security leaders to have tactical needs, right, that are going unmet. And they're saying, I need someone to come in and help me solve this. They're not thinking, Hey, come in and help me create a five year roadmap. Right. So, I mean, where do you, you know, where do you stand on that?
Chris: Well, you, of course you help them with the tactical stuff, but you also want to balance the need for that strategic growth. So they might have an audit, they might have something that's important to them right then and there, but if you don't help them with their program maturity, it's going to come back and bite them in a year, so you help them set up the framework, you help them set up what they need to be successful in two, three years, you just don't limit your scope to where you are plus six months. You, you want them to be successful in the next 24 to 48 months. I think past that there, there's too much of a variable for change. There's too much of a variable for, for growth pivot in what they're, they're providing. So I think that two to four year window's like that sweet spot of how do I help them plan to be successful and guide them down that best strategic path?
William McBorrough: I mean, that makes perfect sense to me, right? So what is, what is the approach that you take to ensure that you're aligning, right, their security program with, you know, the business goals, right? Because very often, you know, a lot of businesses see, you know, security as a cost center, right? It's something that I have to do that I have to spend precious resources on. And if I don't do it, I might get breached or I might miss on, you know, business opportunities due to compliance, you know, et cetera. But how do you, how do you help these clients rather start to see security as an enabler, right, to bigger and better things than just, oh my gosh, the government is making me do this, the industry is making me do this.
Chris: Well, say, okay, the government might be making you to do this, but as you grow, what sort of clients are you going to want to focus on? You're going to want to focus on bigger clients or more strategic clients or multinational clients. Okay. What sort of requirements are those clients going to have of you in order for you to service them? And then you look at it like that. So you prep them for what you're going to need to do to be successful for their clients. And that could be having a more mature security program versus having just a CR, a GRC program. That could be tackling some of their SaaS misconfigurations that the first thing this more mature vendor is going to do is scan their environment externally and go, Hmm, look at all these misconfigurations. This could be a sign for what they have inside and might not want to take the risk on that. So pass on this one. So you kind of help them with, these are the types of expectations that you're going to have from your bigger clients in order to be successful. So these are the types of things that you have to do, not just because some regulations said you do it, but because the customers that you want, that's going to pay you are requiring it.
William McBorrough: Yeah.
Chris: Business enabler. Yes, exactly.
William McBorrough: You know what, what you mentioned about, you know, external scanning. Right. And, and I've, my, my views on external scanning has really been that, you know, it is a scan of your, you know, internet accessible assets, and it's not necessarily giving you a fuller security or risk posture of the organization, although, although the vendors that are marketing this can present it as if, you know, instead of the be all and end all. And, and I've, I've always been, you know, had, you know, had a jaded eye at, at, you know, at those types of services, understanding what it takes to really assess an organization. However, what I haven't done is thought about it from the perspective that you just shared that, you know, sometimes that it, it, it doesn't show a full risk picture of the organization, but it can be an indicator of the approach to security. Yes, that in itself is a key data point. Right. And, and, and I think that that is very true. And that's, that's something that I had sort of thought about, you know, the fact that here, if you are not addressing the clear vulnerabilities in your external footprint, low hanging fruit there, what else are you not doing internally? Right. From a risk management perspective and actually infrastructure management perspective, employee training and management, you know, you know, perspective, and that as an indicator of an organization's approach to security is, is something that I think that I've never seen in that light before.
Chris: I look at it like you're buying a house or you're going to rent a house. The first thing you do is you look at the curb appeal. If, if, yeah, curb
William McBorrough: view that I like.
Chris: If you're in a bad neighborhood and you're the best looking house, okay, great. That, that sets you apart. So yeah, compared to your competitors, the fact that you look better, that's a good sign. Now, if you're worse than your competitors, that's also a sign. And then you look at it like, okay, well, yeah, they have some things and some things bad, but the things that were bad, like, they don't really impact the overall security posture, but it could be something that could clean up. So then you look at that as another data point. So these are the types of things you have to take into consideration. And that's how I always look at it. Like it's, it's a data point, no matter how you look at it, it's a data point.
And it's a tool, like anything else, like those that want to use generative AI and, and use those types of tools on their web presence. They don't lock it down to, Hey, this chat bot that you now have on your webpage, not lock down that knowledge base to only the things that it's supposed to say. And you let it say a whole bunch of other things that opens up yourself to liability. So maybe you didn't think this process through when you rolled out this new feature, so it kind of, you think like a threat actor in this situation and you're like, well, if they did this here, they probably have done this similarly in other places. So yeah, that's something to consider.
William McBorrough: Curb appeal. I'm stealing that. Be on notice. Hahahahaha! So, so lastly, so what, what would you see as sort of the profile of a business that could benefit from, you know, a fractional, you know, security advisor or a fractional security, you know, executive such as yourself.
Chris: Oftentimes they'll, they'll have a technical team, and they'll have a technical team to help implement the day to day things, but their leadership has been primarily focused on infrastructure, technology, availability, and they've kind of locked their growth because they can't develop that security profile that their clients are looking for. So they feel like it's now a business blocker, not to have that strategic vision, not to be able to tackle the types of requirements that their clients are looking for. So now they've gone to the market, like, okay, I have someone doing some of the things to, to get me by day to day, but we, we can't get the, the, the other blocking and tackling down, we, we, we can't develop a more security focus program to make our vendors feel comfortable using us as a supplier, using us as one of their own, whether we're coming in and we're offering augmented services, if we can't show them that we have our own house, house in order, how can we help them get their own house in order?
William McBorrough: Yeah, yeah. I mean, I think, I think, you know, governance, risk, and compliance, you know, really covers what I think is lacking with a lot of small businesses. You know, because that's, that's a role that sits above IT. That's a role that sits above operations. You know, that's a role that sits above, you know, HR. And, and, and what, what I think is, is unfortunate is that, you know, a lot of businesses see security as an IT function. So it's really just, you know, other duties as assigned to whatever IT resource they have available, right? A mature enough organization might have an IT manager or IT director and, and, and, or even if you go to less mature organizations, they could have a part time IT person or, and, and, and, you know, or, you know, local MSP, you know, but these are folks that are paying you in terms of business risk, right?
And I think that you rightly point out that, you know, the market now demands that you, you manage your risk in a verifiable way. A lot of the clients that we've worked with on the consultant side of MCProtect, you know, come to us with, you know, questionnaires from their large customer, right? You know, wanting to know their security posture. And very often, my initial response is, you are not doing anything on here. Right. So the question is, how do we get you from here to there, so that you can respond favorably. And, and, you know, market forces, you know, do work. I, you know, do work, the work that we do in the defense space. We're seeing that form in smaller subcontractors. Why? Because the larger prime customers, it's flowing down those requirements. And they're saying that we need you to get compliance so that we can get compliant. So now they're starting to build and improve their security. Again, market forces at work.
So how, how, how do folks that are interested in maybe having a conversation with you about your services and you coming to help them and how, how can folks get in touch with you?
Chris: Well, they can find me at cpf coaching.com or they can email me, Chris at cpf coaching.com, and I can help answer their questions. I, I also work with a great group on Alignable. There's a technology group there that meets every week and we collaborate together on ways that we can help small businesses enable their growth through partnerships and collaborators. As you mentioned, a fractional CISO is just that one person there for a fraction of the time. So as you'll naturally have to collaborate with others, that could be the MSSP, that could be a SaaS provider, that could be their local MSP that's helping them with their technology. So as a fractional executive, you have to be able to collaborate with all of the vendors in their space to help them together achieve the growth that they're looking to do, not just your primary client. They might be your primary client, but you have many clients that work with them that you also have to satisfy. And oftentimes if, if you don't agree with one of those sub clients that the relationship might not work out, especially if they're one of the favorite vendors of that client. So it really does become working as a team to help that small business succeed. And I've found that working together with great collaborators like yourself and, and others in this Alignable, Alignable group that I've been able to find some great partners.
William McBorrough: Excellent. Excellent plug there for the alignment group. You know, lastly, as, as someone who's been an educator for over 15 years, you know, I, I, I, I can't believe it all, you know, commenting instead of pulling the work that you've been doing in, you know, workforce development and really creating a path into the space that we know and love for so many years. So, you know, can you, can you share a little bit about that work? And, and, and, you know, how folks can learn more and sort of, you know, follow that work as well.
Chris: I wasn't prepared for this, but this is one of the books that I've written, the cyber security interview. They actually, we just completed our second edition of it where we added even more work roles that people can consider as they're transitioning into the field. You're right. Being a coach, being an educator is just part of your overall persona. So I teach at a university. I write books. I've been doing a podcast called Breaking into Cybersecurity. There's a theme there. I love to grow and develop stakeholders. And that's what I do at my businesses as well, is I go in there and I figure out what's the best way to grow and develop the business leader that I'm working with, their stakeholders, because it's all, it's all part of the holistic process.
So yeah, those are some of the other things that I do to give back to the community. There's a nonprofit that I support called the Whole Cyber Human Initiative where we, we find open source training for individuals that are transitioning into the field. Many of them are veterans coming out of the military. We help provide them with that, that guided path for them to find their way, to see if security really is the field for them. Sometimes it is, sometimes it isn't. They look at the skills and competencies that they've gained in other fields and see how they could translate it into this field and if this is something that they want to do. So that's another passion project that I do to give back and help the ecosystem as a whole.
William McBorrough: I'm all about pursuing our passions. And I think we are, you know, we are, we are all lucky that your passion lies within not just cybersecurity, but supporting, you know, the next generation of cybersecurity professionals, as well as helping businesses, small businesses manage their risk. I think that is, I think we need more of you. And I greatly encourage folks to follow up with you if you're interested in getting in the cyber security space, or if they have a business that is looking to grow and scale, and they're trying to figure out how can I look at cyber security in a way that is going to help drive my business, right? You know, to do that, you need leaders who are able to help you at that strategic level, align your investment of time and money and security with where you're trying to get business. And, and, and, you know, I'm not shy to say Chris is one of the best of them out there. So thanks again.
Chris: I appreciate it. Thank you so much. And thank you for having me on.