Greg Schaffer is a virtual CISO, author, and industry veteran whose career has spanned more than three decades across IT, information security leadership, and CISO advisory work for small and midsized businesses.
Schaffer began his career in 1989 and has held CISO roles across higher education, government (including as the first CISO for Nashville’s Metropolitan Government), banking, and credit unions. He is an author of Information Security for Small and Midsized Businesses and host of The Virtual CISO Moment podcast.
Today, Schaffer is Founder and President of vCISO Services, LLC, the veteran-owned firm he founded in 2017, where he leads business development and mentors virtual CISOs serving small and midsized businesses. He is also a regular speaker at security conferences.
Expert Insights spoke to Schaffer as part of our ongoing series interviewing cybersecurity professionals to bring you their unique insights into cybersecurity today, the challenges they are facing and the realities of what it takes to defend complex global environments.
To start, could you tell me a little bit about yourself and your background?
I’ve been in IT since 1989, when I started as a part-time student assistant at the University of Buffalo. I fell into the field. It wasn’t my original choice, but I enjoyed it, mainly the networking side. The first half of my career was in higher education at a couple of universities. From there it was a stint in government work, then back into the corporate world.
Around 20 or 25 years ago I shifted more toward information security and have been in it ever since. In 2017, I transitioned to virtual CISO work full-time as my own boss. I’ve been doing that for nine years now.
Back in the early days, there really wasn’t security as we know it. It was more about trying to get folks connected, and that was fascinating in its own right. I fell into the security side because firewalls were really one of the first devices that were more security-centric, and since they were networking devices, that responsibility fell to me.
How do you set your teams up for success dealing with the daily, recurring challenges of the role?
Everyone on our team has been a CISO or the highest-level information security executive at a company. They wouldn’t have gotten to that level if they didn’t already know how to keep up with threats and changing technologies. That makes my job easier; I’m hiring folks who already know their work really well.
What they may not have been is consultants, and that’s where I come in. There’s a lot you learn about being a consultant that’s distinct from the security work: how to differentiate between different clients, different needs, different risk tolerances. I mentor them to the point where they become successful consultants in their own right.
Our entire offering is trust, not products. We’re not here to punish anyone for what we find; we’re here to find what’s wrong and help fix it before it becomes an issue. That also means not being the office of no.
As a vCISO working across multiple organizations, how do you manage the balancing act of serving different clients with different risk profiles and maturity levels? Is there a common thread in what they all need?
Most clients can’t really answer that question if you ask it directly, because they don’t fully understand what you’re asking. Risk isn’t binary; it’s a sliding scale of how much you can mitigate. It can never go away entirely if you’re going to actually do business. That’s common across all clients, though some are more advanced than others.
A startup, for example, has a less-defined risk tolerance, but a higher one, because they’re very agile. They’re trying to go to market, burning through capital, under pressure. We have to work with that. We can’t build the same security program for a startup that we’d build for a bank, which is more established, has regulatory guidance, and operates very differently.
The common thread is that with all clients, we want to start by aligning them to a framework. In the States, that’s usually the NIST cybersecurity framework. For international clients, we may go with ISO 27001, which is more involved.
We don’t take on clients who just want to become compliant with some regulation; we want to build security programs. The framework is the plan, and we use it to explain why we need to do each thing. Then we map what we’ve done to whatever regulatory framework applies: HITRUST for healthcare, FFIEC for financial institutions. That way, we’re dealing with the compliance aspect as well.
When mentoring the virtual CISOs on our team, I encourage them to spend as much time as possible learning the culture of the business, not just the business processes (what do they do, where’s their information, how do we protect it). Startups and banks have very different cultures. Information security is driven from solid trust relationships. When you show you understand the business, ask questions, and tell them you’re listening and genuinely interested in what they’re doing (not just in telling them what to do), that goes a long way.
It’s human nature to want to be heard. When clients realize they’ve been heard and that you’re acting on what they’ve said, they feel you’re trying to solve their problem because you’ve taken the time to understand it first. Before you’ve even talked about a single security control, you’ve got a client for the long haul.
You’ve been CISO in both the public sector (Nashville metro government) and the private sector (FirstBank). How do the challenges differ, and did either one teach you lessons that surprised you?
The public sector position offered a real opportunity to make a difference. I was the Metropolitan Nashville Metro government’s first CISO. They’d had a serious breach, convened an advisory council, and one of the recommendations was to bring on a full-time CISO to build the program based on a standard. They’d already landed on ISO 27001 before I started, so I was brought in to shepherd it.
Unfortunately, the charge seemed to become more about creating a program for perception than for operationality. We spent an inordinate amount of time on policy creation: having committee meetings on top of committee meetings, wordsmithing policies to death, worrying about font and format. I can’t tell you how many times I’d come back to feedback like “maybe we should make this font a little different,” or “maybe we need to move this window over.” I’d be thinking, when are we going to actually operationalize the risk management side of the program?
With about 50 departments, boards, and agencies within the metro government, I tried hard to get the risk assessment process started across them, and we did make some progress. Part of what I enjoyed was educating departments on risk management from an information security angle, which also gave them a broader understanding of enterprise risk management, something that would serve me well later in the virtual CISO world.
My takeaway was security theater, and in the end I didn’t have the authority to successfully influence the program in a more operational direction. The program was more about perception than substance: “Hey, look at these great policies we have.” But what are you doing with them? A security program starts with policies, but that’s not the end-all. Get a policy in place, then start actually working.
Finance was the exact opposite. Banking by definition is about risk management. In the financial services industry, we track eight risks: liquidity, credit, market, interest rate, reputational, strategic, compliance, and operational. Information security falls under operational risk. So banks approach this as a risk management issue from the get-go. FirstBank in particular came at it that way, and compared with Metro, it was light years ahead.
Part of the reason is that deposits are backed by the FDIC, the OCC, or for credit unions the NCUA. Those regulators have skin in the game: if a bank goes under, the FDIC reimburses up to a quarter million dollars per account, so they have every reason to ensure the institutions they cover have solid controls.
Both experiences solidified my understanding that information security is risk management. In fact, “information security is risk management” was the tagline for our virtual CISO firm at one point.
Your book and your podcast both focus heavily on small and midsized businesses. What’s the biggest misconception SMBs have about their own cybersecurity risk?
I have to start with the one everyone says, because if I don’t, people will ask why I didn’t. Small and midsized businesses often think, “We’re too small, we’re not going to be noticed and therefore won’t be targeted by criminal hackers.” The exact opposite is true. They’re noticed more. They usually have fewer controls and smaller security budgets. And criminals aren’t looking for low volume, high margin; they’re looking for high volume, low margin. That’s how they get their funding.
That’s the stock answer, but this is where I expand on cybersecurity versus information security. Cybersecurity conveys technology and therefore the message that keeping information secure is purely a technology problem. There are too many times where SMBs feel that if they just get the right tool in place, they’re secure. They spend a lot of money on this, and there’s a whole industry of MSSPs encouraging that spend. But you could have every security tool in place and still get hacked if your processes, policies, and people aren’t up to snuff.
That’s why I prefer information security over cybersecurity to describe what we do. This is a hill I’ll die on: words really matter. When we say cybersecurity instead of information security in these settings, we’re conveying the wrong message. Still, the most important aspect is proper communication. So long as everyone understands how terms are defined, proper communication ensues. One of my first introductory topics on a prospect call or kickoff meeting is making sure we’re aligned on how we define the two. Information security is the umbrella; cybersecurity is part of it.
Then we can talk about the other thing I’ve been pounding on: risk management. Information security is risk management. We’ll bring it up in a virtual CISO engagement, and the client either doesn’t know what we mean, or only vaguely. We work with them on risk tolerance and qualitative risk decisions; quantitative risk is hard to do meaningfully in most situations. It’s the concept of risk management that they start to learn.
Then this is the cool part: they start realizing they can apply it to other parts of their business, just like banks have their eight risk areas. They start thinking, “Maybe we should think a little more about our reputational risk.” Yes, exactly. A security hit becomes a reputational risk hit, which impacts revenue, not just today’s revenue but future revenue too.
The same expansion applies beyond tools. Information security encompasses IT security (or cybersecurity, depending on what you call it), GRC, and physical security; they overlap like a Venn diagram. A business with all the technical tools in place might have a strong cybersecurity program but a poor information security program if, for example, they’ve neglected the physical side. All three misconceptions come from the same place: thinking increasing security is about technology tools, rather than about understanding and managing risk.
What impact do you see AI having on the vCISO model specifically? Does it make the fractional approach more viable, or does it create new challenges?
Everyone needs to understand that AI is just a tool. We’ve been down this road before with social media, with moving to the cloud, and with any number of technology shifts before that. It’s different technology that helps us do our jobs better. We have to begin with that mindset.
That said, AI is both a helper and a hindrance. I love it; not a day goes by that I don’t have several chats with ChatGPT. But with any tool, you need to understand its limitations and what you can and cannot use it for.
The two biggest risks are pretty standard. First, understanding how (or whether) your data is protected. Free versions of your favorite chatbot will use what you give them to learn, and that could pop up down the road in another query. You get what you pay for; if you’re not paying for the service, you’re paying with your information.
Second, hallucinations. What does that mean for us? Trust but verify. And how is that really different from anything we’ve learned over the last few decades with internet access? You do a search, you get a result, you verify it.
But the tool is genuinely useful for taking away the work that distracts you from actually thinking about risk. I’ll give an example. I’m writing a book called So You Want to Be an Information Security Consultant. I used AI to structure my existing online content into a wireframe for the book, then expanded and wrote the content from there. I then thought it would make a good presentation at security conferences, so I asked it to build a PowerPoint presentation based on the manuscript’s content, because I’m terrible at PowerPoint. What came back was better than anything I could have produced on my own. I made changes (trust but verify, and make sure the words are still yours), but it helped me put those thoughts together far faster than I could have alone. That frees me up to spend hours on actual risk management tasks, or just on living life.
None of this is really new. Our field has always been about new tech and new threats; we just have to understand them and use them wisely. Trust but verify is what it boils down to.
I don’t subscribe to the idea that we’re going to have a Terminator/Skynet scenario. We’ve been scared of technology before. Back in 1981, MTV launched with “Video Killed the Radio Star.” Do you still listen to the radio? Probably. Technology doesn’t always kill the thing before it; often it just enhances how we use it.
I’d also push back on the idea that AI has fundamentally changed the attacker side. Yes, AI lowers the technical barrier to launching attacks, but that’s not really new. We’ve had the term script kiddies around for 20 years; someone downloads something from the internet and runs it. Most attackers really don’t have much technical knowledge. Maybe now they can do it faster, and we can respond faster too. It’s a war of escalation, a balance of power. You live long enough and you see patterns. These patterns repeat, and we’re just in a cycle.
What advice would you give to fellow CISOs and industry practitioners?
I’m going to reiterate something I’ve said a few times: know the business, no matter what your industry, your role, or the size of the company. We can’t protect what we don’t understand, and we can’t protect it if we don’t understand the why behind it.
When I was working on my master’s, I had a professor who told me, “Greg, you’re giving me the what, but not the so what.” In other words, you’re telling me stuff, but you’re not telling me why it’s important. There are a lot of CISOs out there who know the what but really don’t focus on the so what.
I’d also add that a lot of CISOs (and virtual CISOs, but more so CISOs) are just not good at communication. Some of the most important certifications I’ve earned during my career had nothing to do with information security. They were from Toastmasters: the Competent Communicator and the Competent Leader. The reason isn’t just the public speaking aspect, although that certainly helps. Toastmasters does an excellent job of teaching you to listen better, to think on your feet, and to communicate a concept quickly. They call that the elevator speech.
Notice that a lot of the advice I’m giving has nothing to do with technology. It has to do with people skills and communication skills.
Finally, one of the most important tools in the CISO’s toolbox is empathy. We need it to understand the other person’s point of view. I don’t mean just, “Oh, why is she in a bad mood today?” I mean: what are her business needs? Why is she pushing back so forcefully against a particular control? Maybe it’s because she’s afraid it’s going to impact how the business operates, and therefore how she does her job. She wants to be excellent, like most people do.
There are some who just want to do the bare minimum of flair, to quote Office Space. But most people want to do better. They want to make a difference. Try to understand that. That’s my advice.