Our CISO Might Be Virtual, But the Lack of Respect Is Genuine
CISO Series Podcast
It seems like you can't throw a stone on LinkedIn without hitting a vCISO. But for all of the vCISOs out there, are organizations using them right? These roles are supposed to drive strategy and security alignment. So why are so many organizations using them as program managers?
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, partner, YL Ventures. Joining us is Mike Wilkes, former CISO of Major League Soccer and lecturer at Columbia University.
Are we misusing vCISOs?
The term vCISO has become overly broad, often referring to roles that focus on compliance and risk management rather than true security leadership. While some organizations use vCISOs effectively as short-term advisors to build security programs or mentor future CISOs, many rely on them for operational tasks that don’t require executive expertise, pointed out Wil Klusovsky, field CISO, Appalachia Technologies. The overuse of the CISO title further complicates the landscape, with many claiming the role without the necessary experience. As the profession matures, efforts to standardize CISO qualifications and career development are emerging, aiming to bring more clarity and credibility to the role. Regardless of how the CISO title itself changes, organizations must define clear expectations for vCISOs so they can provide strategic value.
Cybersecurity is out to sea
Maritime cybersecurity has become a growing concern as air-gapped systems are no longer sufficient in a world where over 42,000 ships are connected to satellite services. The 2017 NotPetya attack on Maersk first highlighted the industry's cyber vulnerabilities, and in 2023, maritime cybersecurity incidents hit a record high, prompting 61% of organizations to increase their OT security budgets, as seen in a recent ASIS International survey. However, current regulations are outdated and lack detail, making it difficult for organizations to determine what even qualifies as a reportable cyber incident. The complexity of maritime governance further complicates security efforts, as ships operate under multiple jurisdictions, including U.S. agencies like DHS, FEMA, and the Coast Guard, as well as foreign governments based on flag registration. This fragmented oversight creates inconsistencies in compliance and enforcement. Proposed rule changes aim to introduce pen testing, risk assessments, and tabletop exercises for large facilities, but without better harmonization across regulatory bodies, maritime cybersecurity will remain an evolving challenge.
Planning for your exit
Succession planning for CISOs is often overlooked, yet it is critical for ensuring continuity with security programs. Some experts argue that succession planning should be discussed as early as the interview process, with new CISOs expected to develop a transition plan within their first six months, according to Glenn de Gruy with executive search firm Kingsley Gate. Many experienced CISOs take this reality to heart, beginning their offboarding plans alongside their onboarding, ensuring that permissions, responsibilities, and leadership transitions are clearly documented. Strong security leadership isn't just about running a program—it’s about building the next generation of leaders who can step in when needed. Some CISOs view this mindset as a key career strategy, emphasizing that if you make yourself irreplaceable, you limit your own upward mobility. Those who invest in their teams create opportunities to move into broader executive roles, such as CTO or CIO.
Building up your quantum reflexes
Quantum computing and AI advancements are rapidly reshaping cybersecurity, with predictions that 15% of daily work decisions will be made by AI systems by 2028 and that conventional cryptography may be obsolete by 2029. While AI decision-making is already creeping into everyday tasks, such as sorting emails or prioritizing security alerts, the real disruption may come from quantum computing’s ability to break asymmetric encryption, argued analyst Gene Alvarez. The biggest concern is that attackers engaging in “store now, decrypt later” strategies could retroactively expose encrypted data once quantum systems become powerful enough. Efforts to adopt post-quantum cryptography (PQC) are already underway, but even algorithms selected by NIST for quantum resilience have been broken by classical computers. As cryptographic standards shift, it will be critical for organizations to move quickly. Without this quantum agility, businesses may struggle to secure their data in a post-quantum world.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Neil Saltman, AHEAD, for contributing this week’s “What’s Worse?!” scenario.
Huge thanks to our sponsor, Tines.
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Ten second security tip…
"Add the RSS app to Slack. And then create an InfoSec news channel open to everyone in the company, and then subscribe to 20 or so newsfeeds to build a constant stream of news stories to help everyone tap into and build a curiosity around cyber security. Hint, it also helps to surface interesting developments for us InfoSec professionals." - Mike Wilkes, former CISO of Major League Soccer and lecturer at Columbia University.
Listen to the full episode of “Our CISO Might Be Virtual, But the Lack of Respect Is Genuine”
Is There an Increasing Consolidation of Vendors in the SOC?
"I got a lot of hate from the big guys, obviously, because as you know, and I think everyone knows in the industry, there’s a whole push towards platformization and big platforms and vendor consolidation. However, based off my research, I found that that’s actually not what’s really happening within enterprises." - Francis Odum, founder, Software Analyst Cybersecurity Research.
Listen to the full episode of “Is There an Increasing Consolidation of Vendors in the SOC?”
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Nick Espinosa, Host, The Deep Dive Radio Show.
Thanks to our Cyber Security Headlines sponsor, Vanta
Super Cyber Fridays!
Transforming Governance, Risk, and Compliance into a Business Edge
Does GRC have to be just a checkbox? I recently spoke with Markindey Sineus, GRC subject matter expert at Vanta about how it can be strategically designed to provide a competitive edge in the marketplace.
Organizations must leverage GRC to differentiate their business, attract significant contracts, and demonstrate top-notch security and compliance. This strategy isn’t just for startups; any organization can benefit by aiming to generate sustainable revenue through robust GRC practices.
Join us this Friday, March 14, 2025, for “Hacking Competitive GRC: An hour of critical thinking about how to get ahead of your competition with a well-structured program,” at 1pm ET/10am PT for Super Cyber Friday. Joining David and Markindey for this conversation will be Quincy Castro, CISO, Redis. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Vanta
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.