Below is the transcript from Blackink IT and Trava's webinar, "vCISO vs. MSP: Decide Your Cybersecurity Fit."
Jara Rowe (Content Marketing Specialist, Trava)
Thanks for joining us for our LinkedIn Live on vCISOs and MSPs. We will get started here momentarily as soon as we go through a few intros. I'm Jara, I'm the content marketing specialist at Trava, and I will be managing the back end of this. If you listen to our podcast, you'll know that I'm not an expert, which is why we have the experts here with us! So, Jim, you want to go ahead and start with the intros, and then Doug, we'll go to you?
Jim Goldman (CEO & Co-Founder, Trava)
Absolutely, thanks, Jara. Jim Goldman, CEO and co-founder, Trava Security. Very happy to be here today with our valued partner, Doug from Blackink IT.
Doug Allgood (President & CEO, Blackink IT)
Yeah, and this is Doug Allgood from Blackink IT. I'm the President and CEO, and love the partnership we have with Trava, and hope everybody finds this content helpful.
What is a Managed Service Provider (MSP)?
Doug Allgood
So, what's the difference, you know, between an MSP [and a vCISO]. And as we kind of go through this today, I'm going to try to give you at least a little insight into how we view a managed service provider. So, we can go to that slide; that's perfect. So, you might think about a managed service provider being an outsourced IT department. So, we're trying to proactively manage resources within an organization with a team of experts. And in that in that activity, right, we'll perform a number of different functions. Most of it is the hard tech – its networks, it's cloud, it's devices that people are working with. But then making sure that those devices and networks are being done in a secure way based on the way Trava would advise that to be done. And I think the benefits for organizations – whether we manage everything at Blackink IT or whether we manage a part of those systems and that infrastructure (and we would kind of call that co-managed) – then the benefits really come down to both cost savings, and then making sure that you're getting a team of experts that are deep in each of the different respective areas. I think what's difficult for an organization that might have a single resource, or company that may only be able to rely on one person to do this work, is there's just so much to know. And I think Jim can touch on that certainly on the vCISO component as we look at what the differences between an MSP and a vCISO are. So, I'll let you take it from there Jim.
What is a Virtual Chief Information Security Officer (vCISO)?
Jim Goldman
Thank you, Doug. You know, I think the most important thing to kind of clarify right away is there really isn’t any overlap. I think that's some of the confusion on this topic. Done correctly, there's no overlap between a Virtual Chief Information Security Officer role and a managed service provider role. In fact, the two are quite complementary. I would even say, ideally, they should be integrated. It should really function as one coordinated service where the Virtual Chief Information Security Officer is providing the strategic direction. You know, at the end of the day, the bottom line for a Virtual Chief Information Security Officer is the cyber risk of the organization being managed effectively. Part of getting that cyber risk management done effectively is to assure that those IT services that secure that infrastructure are being done properly. And that's where the managed service provider comes in. In some ways, it's the strategic direction versus the hands-on execution. The benefits of having a virtual CISO for a company that can't afford, you know, a full-time Chief Information Security Officer is they get the expertise of that Chief Information Security Officer at a fraction of the cost. What we're finding nowadays, with, you know, increases in regulatory compliance and, you know, just business-driven regulatory needs, is smaller and smaller organizations need that strategic expertise, need that Chief Information Security Officer expertise, but can't afford it. Similarly, in implementing the controls that the Chief Information Security Officer specifies, many companies can't afford to, you know, bring in an entire IT services staff, including security engineers, etc., to actually do the work. And not just implement, but continuously monitor that work. And that's where the managed service provider fits perfectly.
How vCISOs and MSPs Differ
Doug Allgood
Yeah, I want to echo a couple of those thoughts, Jim. I mean, the word “managed” in the managed service provider component really is key. Because at Blackink, we work with a lot of highly regulated businesses. And so those processes, procedures, and then the evidence of the work that's being done to manage – whether it's patching, whether it is ensuring the right settings and controls are there, responding to alerts, and then providing reporting and evidence to you and to any other outside audit firm – all become important components to the processes that an MSP is going to need to follow. And for us, right, given that we're supporting so many regulated businesses, providing the evidence of that reporting is something that we do across all of our clients. Because it's just going to be required by somebody, and so we want to make sure that each step that we take in managing that can then provide, you know, the proof that we have performed a set of services in a way that meets what a vCISO would have prescribed as those set of controls.
Jim Goldman
I really like that, Doug. I think emphasis on the “managed,” emphasis on the “m,” is really what this is all about. It is so that the business owner, or the business executive, can basically sleep all night knowing that someone is keeping an eye on things.
Doug Allgood
Yeah, and I think, you know, many of us can think through examples, right, of some of those aspects. But, you know, when alerts come in or we see a trend of some sort, right, through the management of those environments, then that's what's going to alert us to be able to dig further and then to determine whether we take action. And Jim, you may even have some recent examples as we look to some of the clients that we each both support.
How MSPs and vCISOs Overlap and Work Together
Jim Goldman
So next, we wanted to talk a little bit about how we work together. And I alluded to this before, that, you know, these are not disparate functions. In fact, ideally, they should be integrated functions. Your vCISO should talk to your managed service provider. You know, when we offer vCISO services to many of our clients, they employ managed service providers to actually implement IT services, implement the security controls. You know, one of the required elements of a good security program is that you have quarterly security council meetings with senior management where you go over the cyber risks, as I alluded to before, review a risk register, risk mitigation roadmap. And you also say, “Well, how are we doing on our vulnerability management, etc.?” In many cases that vulnerability management is being provided by a managed service provider, such as Blackink, and so the managed service provider is participating as a team member in those quarterly security council meetings. In other words, it's the vCISO and the managed service provider working together to assure that the clients are properly protected.
Doug Allgood
No, that's perfect. And you're right, in those meetings then we can talk and dialogue about the specific actions that have been taken and will need to be taken for the ongoing management. I think about a few of those examples. You know, one of the control objectives in the cybersecurity frameworks that we leverage is going to be making sure that you have a limited number of administrators, and each administrator has their own unique login, right? That logs then are tracked and are available for all of the actions that administrative resources would take with privileged accounts. Where then the company, the management team, and their employees wouldn't necessarily have administrative access. In fact, they would just have the ability to do their work. And that prevents a number of things from taking place, but it certainly allows you to then hold accountability to the actions that are being done, and because then they're named, right, those named users – which means they're not sharing accounts – then we can have log files that we can show evidence of what actions did take place. And if an intruder were to come into the network, or somebody were to try to infiltrate, we're going to know and be able to stop that. Where if somebody that was just a normal user, an organization clicked on a link, you know, entered some data – if they don't have administrative rights, well, they're not going to be able to get to those things, right? So, I think working in tandem in those meetings, we're going to talk through these elements and then make sure that these control objectives get done based on that cybersecurity framework that we collectively are working on together.
Jim Goldman
And you know what occurred to me, Doug, as you were describing that, and you talking about evidence and so forth? I think it's important to point out that if companies are facing a need, either due to regulatory or business growth needs, to be certified – let's say in SOC 2 or ISO 27001 – they may be under the false impression that they're going to need to hire full-time people in order to support that. Full-time CISO, full-time IT services staff, full-time security engineers – that's not true. Doug and I, collectively, have many, many customers that we've successfully gotten through SOC 2 or ISO 27001 certification, as well as others. And they don't have a full-time CISO, and they don't have a full-time IT services and security team. They take advantage of virtual CISOs and managed service providers, and, you know, the auditors have no problem. It's all about evidence. Auditors don't care how the evidence got there, you know who's in charge, etc. – as long as it's rock solid.
Doug Allgood
And that the processes being followed are consistent.
Jim Goldman
Absolutely right.
Doug Allgood
So then, they're documented, and that they're being followed. And that's really hard to do for most organizations, right?
Jim Goldman
In a small team, yes, absolutely. Yeah.
Doug Allgood
But when you're doing it, you know, in a volume that we're doing it, we've automated and created a lot of efficiencies. Even the Trava security scans and the work that Trava has developed there, aid in that and being able to continually look and monitor for certain vulnerabilities. And our processes, then ensure that we're responding to those vulnerabilities in a consistent fashion.
Jim Goldman
Absolutely right.
Doug Allgood
I also appreciate, you know, what the vCISO can do is making sure that we're looking at the right architecture and design for how we're going to protect an organization from a security perspective. And that would come down to you know thinking about your networks and how that network is being implemented and laid out in a way that it prevents certain vulnerabilities based on, you know, best practices that the vCISO would lay out. Right, so as we work together, it's those kinds of things [that] become important for an organization to then know, from a checks and balances perspective, that each of the technologies being implemented are being architected in a way to provide for the best security approach that meets that company's individual set of regulatory needs or security goals.
Jim Goldman
You know, that's an excellent point. And the other kind of fallacy that that we want to dispel is that companies have to be perfect. Like, everything has to be perfect. If, as a vCISO, we uncover a lack of maturity in a given control family, you know, that has to be 100% buttoned up. Well, you know, if we use as a framework example the CIS version 8 framework, there are 18 control families and over 100 specific controls. Well, it's not realistic that your average, you know, small to medium-sized business is going to be able to afford to fix all those things all at once. So someone, in this case the vCISO, has to come in, working with the managed service provider, and say, “here's the most important things to take care of first. Everything doesn't need to be fixed.” Well how do you deal with that? Well, that's called risk management. You know, and as I always say, risk acceptance is a valid risk management technique. And so you mitigate what you can, you accept what you can't, you monitor it certainly. And then also, the final piece is in some cases, you're able to transfer that risk; cyber insurance is one transfer mechanism.
Doug Allgood
Yeah, and sometimes it's even contracts. Transferring that risk to outside other services or software companies that you know own a piece of that risk to make sure that they're performing the things they need to, and that the appropriate agreements are put in place.
Jim Goldman
That's absolutely right. So I think if there's one takeaway – I always try to lower people's anxiety when they come to these webinars. And so one of the ways we lower the anxiety is you don't have to be perfect – everything doesn't need to be 100%, you know, absolutely fixed to some standard or another. You have to show that you know where your shortcomings are, that you've addressed them in some way, and that you're monitoring what you've put in place. That's key.
Doug Allgood
Yeah, well, that could start with that, you know, risk assessment that could be done to look at the risks, and then make determinations. Like you said, these risks are low, these other risks are higher, and then you create a roadmap for how to get there.
Jim Goldman
Correct. Correct.
Doug Allgood
And then you could budget for that roadmap, and that sometimes can span multiple years.
Jim Goldman
Absolutely. And that's a really good point, because some people may, you know, be in the audience, say “I don't even have a clue where to start.” Well, you're exactly right, Doug. You start with that cyber risk assessment against some industry framework, be it the NIST cyber security framework or the one I mentioned previously, the CIS. That stands for Center for Internet Security version 8 framework – both very good ones. Very easy to use on the Trava platform. Just answer a quick survey, you know, puts out the risks, and then we go to work mitigating them.
MSP and vCISO Testimonials
Jim Goldman
So, these are just a couple of examples, real-world examples. You know, one from Trava, one from Blackink. You know, we have a fairly new customer named Champion. They're a very fascinating story in that even though they were a new software as a service company, their initial, right out of the gate, customers were international in scale – international enterprise customers. And so you might think it's unusual for a brand new company – I think they had like, two or three employees, just the three founders – and they brought us on as a vCISO right away because they knew they were going to need that legitimacy in talking to these international enterprise customers that we were able to help them land.
Doug Allgood
Yeah it's very good. And then we've got a quote here from a company called Capstone, and they're an incredible partner. And one of the things that we tried to do with organizations like Capstone is to decide what their security posture should be. And Jim, I love that CIS framework, V8, and you can go online and you could see you know what the framework has included. But there are a number of things that define just basic hygiene. So as you said Jim, as we kind of lower the complexity down a bit – what are the basic things that I could be doing as an organization? And many of these can even start with things in the employee handbook, right, in terms of how information is going to be protected and what people do and, you know, cybersecurity training, and other things that you could do to help the organization with that security posture. And that's part of what, to me, is helpful, is to work with the management team and agree on, “well what's the posture going to look like for that organization?” And then we work towards a roadmap to getting to that posture that they want to rest on.
Jim Goldman
Exactly right. You just made another great point about what's the greatest vulnerability in any information system? People.
Doug Allgood
Our people, yeah. Giving them awareness and training is, you know, added value for them for their personal life, but it's also helping your organization.
Jim Goldman
Yes, it's legitimate. I mean, it's been proven over and over again that people are the greatest vulnerability.
Doug Allgood
Yeah, very good.
Jara Rowe
All right, I know that that was a lot of information quickly, but if you would like to continue this conversation – learn more about MSP services and vCISO services from Trava or Blackink IT – you can go ahead and scan those QR codes and reach out to each company. I'm going to leave this slide up for a Q&A, so if you have any questions, please feel free to ask them, and then Jim and Doug will be able to answer them. But before I get into a few of the questions that we have, Jim or Doug, is there anything that you want to stress that you really didn't hit on during the presentation?
Security and Compliance Aren't Scary
Jim Goldman
I sort of mentioned it before, but sometimes I like to say if there's one thing you take away from a webinar, and I would just, again, stress that cybersecurity is not scary. It doesn't have to be complicated. I've found that potential customers, companies out there, would just like to avoid the whole topic as long as possible, and sometimes they avoid it until it's too late. And that's the worst thing you can do. And so, if I could offer a word of encouragement, it would be, this is really not scary stuff. Folks like Doug and myself are able to make it uncomplicated, straightforward. As Doug alluded to, we do this at scale. We've got processes and procedures defined. We've got all the templates already done, you know, and so, let's just lower the anxiety and let us help you.
Doug Allgood
Yeah, I think Jim just restating that we already have so many of these things automated, and these processes done – enables us to be cost-effective. Right?
Jim Goldman
And very quick, right? You know, somebody may say, “Oh my God, this is going to be a six-month process?” No.
Doug Allgood
Yeah, and so, you know, to me, I love this slide from, let's just start the conversation. And I think that's a great place just to visit, get to know the business, and understand, you know, what are the things that are troubling, or could be troubling to them. And then your cyber risk assessment is a great place to start.
Jim Goldman
Yup, what keeps you up at night? And let us help you sleep.
What does working with an MSP and/or vCISO look like?
Jara Rowe
Definitely, all right. So first question: “If I were a CEO, a CTO, and I wanted to engage with a vCISO and MSP, I may not fully understand what the engagement looks like. So can you give a brief description of what that relationship would look like?”
Jim Goldman
I'll start with the vCISO. So, a vCISO is a member of your leadership team. So there's virtually no difference. It's almost like the fact that the “v” is lowercase and the “CISO” is uppercase is somewhat significant in that it sort of doesn't matter that we're virtual – you can think of us as your full-time Chief Information Security Officer and all that implies. So we are literally a part of your leadership team, helping you with strategy, etc.
Doug Allgood
Yeah, and I think for the managed service component, if you've had those discussions with Jim and there are elements that need to get addressed, Blackink would be a great place to go to begin to create a roadmap. A lot of the ways we start a relationship with an organization is understanding, you know, what they're not getting in terms of their current level of productivity with the technology they've invested in, and they want to get they want to get more out of that investment. And so, we'll take a look at what they've done, and then how we can help create a path to getting from where they are today to that future state.
Jim Goldman
Yeah, Blackink IT closes the gaps, that's how I describe it.
Specializations of MSPs and vCISOs
Jara Rowe
Awesome, so between the two – vCISO and MSP – is there a different level of expertise or specialization? I feel like we touched on this a little bit, but just to bring more clarity, that'd be great.
Doug Allgood
Jim always says they have more fun.
Jim Goldman
Well, I'm not staying up 24/7 keeping an eye on things like you guys, so yes, I have the time to have more fun. It's really a, I think the easiest breakdown is planning versus implementation. So it's not to say that an MSP doesn't do planning, I don't mean to say that, but it's a nice separation of duties. So on the one hand, you need a good strategy, but then someone has to implement that strategy, and I think that's really the key differentiation.
Doug Allgood
Yeah the only thing I would add to that – that's great point – is for many business leaders, IT isn't something they know a lot of, right? I mean, they're using it, they're using it on their phone, they're using a lot of technology – but if they're managing somebody, how do they know what they're telling them really makes sense, or that they really are up to speed on some of the most current risks that exist, right? And so I think getting help from individuals that can show that level of expertise, and the team approach is kind of what we end up having to do – so, if you're wanting to move things to the cloud, it takes a special set of skills and resources to do it, and when you're doing hundreds of those, it's a big difference than if you're doing something ,you know, every three years inside of an organization. So I think seeking help in these areas can really make sense, and save an organization a lot of money. And then mitigate risks that your vCISO would uncover.
How do MSPs and vCISOs help achieve compliance?
Jara Rowe
Great. All right, one more question. You both mentioned a lot about regulations and things like that, so in terms of compliance and regulatory requirements, what unique contributions does a vCISO bring compared to the services offered by an MSP?
Jim Goldman
That's actually a great question. So, almost any certification that would be required – let's use SOC2 and ISO 27001 as an example – it starts with policies. And those policies then break down into processes and procedures. And so that's really almost the handoff right there, in that the vCISO would be responsible for making sure all the correct policies are in place, all the processes are properly defined, the required controls are identified. But that's when the handoff happens, because then the managed service provider then takes those required controls and says, “I'm going to use this technology to implement everything that's required in this control, and I'm going to gather the evidence on whatever the required schedule is –whether it's daily or monthly or quarterly – and I'm going to gather that evidence, and I'm going to put it in a governance risk management and compliance framework, or something like that that. That would be my viewpoint, but Doug I think you should reply as well.
Doug Allgood
No, I would just complement it by, that the MSP has to be doing many of the same things, right, to ensure that that regulatory compliance is achievable, and the evidence is there. So our team and the way we perform the work has to be in lock step with the required regulatory requirements. And so, as we work with companies that, for a number of different FDA type regulatory needs – whether it's food or drug or biosciences. Or whether it's energy producing power generation facilities, right, with NERC and FERC. Or whether it's financial services and many of their federal guidelines – we have to make sure that our processes internally, in support of that organization, follow all of those guidelines. And then we have to then give the evidence to ensure that that's actually, happening, so.
Read to start the conversation?
Jara Rowe
Great, super helpful. Well, as we wrap up, Trava does have a webinar coming up next month that we will dive more into, vCISO partner selection and what makes the most sense for your organization, so we would love for you to attend. But if there are no more questions, everyone can get back to their day, and we hope that you gained knowledge – and please reach out to Trava for vCISO help and Blackink IT for MSP help.
Doug Allgood
All right, it's been fun today. Thanks Jara!
Jara Rowe
Thanks, Jim and Doug.
Jim Goldman
Thank you, Jara. Thanks everybody!
