Greg Schaffer: Hi, I’m Greg Schaffer and welcome to the Virtual CISO Moment. Dylan Owen joins us today. He is a cybersecurity professional with over twenty years of experience, including as a cybersecurity architect and CISO. Dylan, thank you so much for joining us today.
Dylan Owen: Thank you, Greg, for having me.
Greg: So we’d like to start, as we usually do, because I love hearing stories and I want to hear your story about how and why you got into this crazy field, and just talk about your path to where you’re at today.
Dylan: Yeah, sure. So I probably have a slightly unusual path, partly because I’m old.
Greg: Oh, you’re not old. Come on.
Dylan: I started my career in the early nineties. You know, cybersecurity was barely a word. It was really called info assurance or information assurance. And it didn’t have the emphasis at all that it has today. I actually started out as a webmaster as the web was first coming on and the dot-com era started in the nineties, working for a nonprofit. But I got into cybersecurity because I had moved companies. I was working for Raytheon at the time as a system administrator. We were on a separate contract, and they wanted to hook our network into the Raytheon corporate network so that we could trade email, of all things. And they’re like, oh, you need to put in a firewall. And I was like, oh, what’s a firewall? And so I quickly learned what a firewall was and was able to install a firewall on an old computer that we had lying around. That was kind of my first foray into cyberspace.
Greg: Was it a network firewall, or was it like using ipchains or something like that?
Dylan: It was Check Point.
Greg: Oh, it was Check Point, and you installed it on an old computer. Okay.
Dylan: Yeah, so we brought in a consultant to help because, again, I had never done this, and we had a, I forget, a Gateway. We had a Gateway computer, we bumped up the rainbow.
Greg: The cow, the cow.
Dylan: Yeah.
Greg: They were the cows.
Dylan: Yeah. And we were able to install the Check Point firewall software on it. Yeah, that was an interesting experience.
Greg: Okay.
Dylan: So we did that. You know, that lasted for about a year until they got some site-to-site VPN hardware that I then had to install to get a better connection. And that was kind of the journey. And then from there, I moved a couple of different jobs within the company. And I was working for an intelligence community agency as an assistant administrator doing some high availability networks. That’s when I really got into it. So we had won a contract for an agency doing cybersecurity support. And they brought me on as a network security engineer. So not, you know, not like an analyst, but more evaluating architectures and making sure that they met with the security principles of not only the agency, but the intelligence community overall. And that really began the real journey into cyber. And I focused from then on in my career on being in the cyberspace. So I’ve been an analyst. I’ve been an engineer. I’ve run incident response and threat intelligence for Raytheon for three and a half years. So, you know, sixty-five thousand people around the world we were protecting. I ran an MSSP that Raytheon had bought for about three and a half years and then moved into the CISO position as the cybersecurity business from Raytheon was divested and spun off into a separate company about fifteen months ago. And I was CISO for Nightwing until just recently.
Greg: So I’m curious about that transition. There’s a lot in the CISO role. You say CISO, I say CISO, it’s either.
Dylan: Yeah, no worries.
Greg: But I think that sometimes people have challenges with that transition because the CISO role is just so much more than technical. How did you address that? How did you address and overcome the learning broadly beyond the tech side of the role?
Dylan: Lots of conversations. There were a lot of stolen minutes here and there with senior leadership. Sometimes it was planned. Other times it was, hey, can I talk to you in the hallway for five minutes about something? And it wasn’t usually technical. It was more around, you know, how are we going to interact, what were we doing from an overall governance perspective for the company, were we going to have a review board of some sort, like a risk review board, how did they want to structure things as well, because I was new to the role just as this was a new company being stood up. So there was a lot of, you know, hey, how are we going to plan for this? Now, the technical side is relatively easy, for the most part. I mean, everybody knows the bulk of the technology. Yeah, picking vendors and picking the right solution from the different vendors, that’s kind of the fun part. But overall, putting the pieces together with an EDR and a SIEM, MFA, and all of that, it’s pretty well known what you need to do, in my opinion. It’s really the softer piece. So, you know, while I had been in the business, I didn’t really know all the parts and pieces of the business. So the conversations with the business unit leaders on, you know, what uniqueness did they have that we had to deal with from a cybersecurity perspective? So one example is Nightwing has a lot of people that work in a customer facility, a government customer facility. And you can’t take a phone in. You can’t take a computer in. We were originally planning on using hardware keys for MFA. Well, you can’t take a hardware key into these facilities. So we had to have multiple MFA capabilities that met customer requirements. And so that was one of those things that’s like, oh, you hadn’t really thought that a hardware key wouldn’t be allowed into a SCIF. But, you know, we had conversations with the business unit leaders and we talked to customers, and like, yeah, it’s really not going to happen.
These are what are approved. And so that was one of the things that, again, you know, I knew a little bit, but really diving deep into what those business unit leaders needed to support their employees, to help them do not only their work for the customer, but also supporting us in terms of, like, you’ve got to do a time card and you’ve got to do your security, your mandatory training, right? How do you do that for employees that are almost never on your network and have limited resources in order to access those things? So it was things like that that really came to light.
Greg: Yeah, I think that’s so important because… And you definitely went the right direction there, because we as CISOs, we’re not effective if we don’t understand the business. And if we don’t incorporate… There are some, I think, in the CISO field that have earned us the reputation of the office of no, where they say, no, you can’t do that, or you can’t do it this way, or whatever. And you can’t be… You have to say no to saying no, I guess. You can’t do that. You have to incorporate some of the business processes that are there, because otherwise they’re going to find a way to get around it. That’s how shadow IT becomes such a big problem.
Dylan: Absolutely. So when I was working in Raytheon corporate, the one thing, I learned lots of things from the CISO, but the one big one I learned was how can you make security frictionless so that users don’t want to try to find a way around it, right? If you put up all kinds of barriers, they’re going to find ways around it. So how can you reduce the amount of friction in an employee’s day-to-day interaction with your security tools?
Greg: Sure.
Dylan: Yeah, go ahead.
Greg: I was going to say one of my favorite examples of that is the seatbelt. Now, you said you’re old, but I remember a time when seatbelts weren’t mandatory. It was the early seventies, I think, when it became a law, or late sixties or something like that. And then shoulder straps became mandatory like ten or twelve years later. And a lot of people complained about it and all this. And I bet that right now just about everybody listening doesn’t even think twice about putting on a seatbelt. You just get into your vehicle and you just put it on. Right. And that’s the frictionless part. The auto manufacturers and designers have made it so that it’s not a big deal. It’s a very simple one-arm movement to do. And you just do it automatically. And to remind you, they have a not-too-annoying, just a ding, ding, ding. It’s like, OK, so, oh, I forgot something. It’s not a big deal. That’s what we need to do for security.
Dylan: Right.
Greg: Yeah, absolutely. And I actually remember, I think it was in the late eighties, early nineties, some car manufacturers had the auto seatbelt. I don’t know if you remember that, automatically.
Dylan: Yeah.
Greg: Yeah. That actually was more annoying for people, because it didn’t last very long and actually added a level of friction, because you had to wait for the track and for the seatbelt to go all the way on the track and click in before your car would…
Dylan: I knew it was almost a little bit insulting. It’s like, you know, I think I know how to do this. It’s like, you know, this isn’t rocket science. But, well, we’ve talked a little bit…
Greg: Go ahead.
Dylan: Yeah, that’s that. But the whole idea of frictionless, and how do you get to yes? You know, a business wants to do whatever, and you look at it, you’re like, that seems a little risky. But how can we get to yes? Because at the end of the day, if they can’t make money, I don’t have a job, you know, nobody else has a job. So how can we make what they’re trying to do the most secure possible and still enable those business goals? And that’s where we have to get to, right? I like to say “yes, but” a lot. Yes, we can do that, but we may have to do these five things. And it may be that those five things are too expensive or really not worth it. And then whatever they wanted to do just becomes like, yeah, you know what? We thought this was a great idea, but it really isn’t. Let’s try something else, which is great. And that’s what we should be there to do. But the key point is that the business is in business to make money. That’s why businesses exist. There’s no other reason for businesses to exist than to make money. And sometimes I think people, they forget that one little thing. It’s just like, well, yes, we have to have cost considerations with regards to business. Now, I’m going to kind of segue with that into the virtual CISO world, because the virtual CISO exists, right, because of that cost concern. Sometimes you have the small and mid-sized businesses that they, you know, CISOs can be rather expensive. I don’t know what the current numbers are, but I’m going to say total package compensation, of course, it always depends upon size. But if you were to take the median in the United States, it’s probably like around three hundred thousand dollars
per year, you know, some more, some less, but that’s still a lot. I mean, six figures, six figures is a lot of money to a small or mid-sized business. Now, I do remember, and because I had this in my notes, that our initial contact for talking on this podcast had to deal with the virtual CISO environment, about your view in the virtual CISO space. But I think you had some sort of comment on some sort of post. I don’t remember what it was, but it was, I wish I had written it down, but it was insightful enough that I’m like, well, I wanted to talk to you about it. So maybe that’s good. Or maybe that’s bad. Maybe you’re going to surprise me, but.
Dylan: Yeah. I was actually looking forward as well to kind of remind myself what I actually said. But I think, in general, you know, what’s really important for an organization that’s going to go the virtual CISO route, whether that’s because of money or just where they are as a business and what they need it for, is to really understand what do they need and what are they going to get? Is it just somebody in an advisory role? We have somebody who kind of does security, but they don’t know all of the parts and pieces. So can you come in and help us identify some gaps and fix those? And that could be across the board, right? Process, technology, people, interactions with senior leadership. How do you present monthly statistics or your monthly report to your senior leaders, or a board if there’s a board? I think where companies kind of get in trouble with the virtual CISO is the level of responsibility they think that person has. Yes, they work for you, but they’re a consultant. And a lot of times they’re not there full time, so they don’t truly know your environment. A good one is going to ask the right questions about your business so that they can help inform how they make decisions or make recommendations. But they’re typically not true decision makers, because they’re just there in a part-time role and they may go away in three or four months. So it’s really important that whoever the person in the company is who is interacting with this virtual CISO, they understand what they are getting out of it. Again, is it just an advisory capacity? Is it because you needed somebody’s name in the role for regulatory compliance? What are you looking to get out of that person? And make sure that it’s scoped correctly. Because that’s where I think companies probably have a misconception on what they’re getting or what they want. And so they just hire somebody and they don’t really get that value.
Because, again, that person is rarely empowered, because they’re not an employee, right? They’re not in the room, in the boardroom or in those senior-level meetings on a consistent basis to really understand everything.
Greg: Right. And you brought up a very good point about the virtual CISO. I think that there’s two things embedded in there. One has to deal with experience. One has to deal with a role in the organization. I’m going to start with the second one first. The virtual CISO is a consultant, is not an officer of the company. And so you talk about, like, the RACI matrix: responsible, accountable, consulted, informed. So the virtual CISO cannot be accountable if they’re not given responsibility from the organization. And you can’t give a consultant responsibility for the organization if they’re not an officer of the company. And so I think that sometimes businesses are misinformed. They think they can get someone in for whatever reason, like you said, it could be regulatory, it could be whatever, and then that person is filling the exact same roles as a full-time CISO. I can’t tell you how many times in the almost decade that I’ve been doing this, it makes me feel old to say that, almost a decade, but in the almost decade that I’ve been doing the virtual CISO stuff, new clients will have the expectation that I will sign off on something. I don’t sign off on anything. I don’t put my signature on anything. I don’t have signatory authority for anything, whether it be to buy something or to approve a policy. And if there are any virtual CISOs out there right now that are doing that, you’re setting yourself up for some really crazy liability. That’s not your role. Your role as a consultant is an advisor. If it’s anything more, then you’ve got to build it into your contract. And maybe that becomes more of an employee-employer engagement. And then you get on their insurance and all of that.
Dylan: Right.
Greg: Right. But the second part is also the experience part. It’s you don’t know what you’re going to get. Just expand on that a little bit, because you talked about a lot of things that a virtual CISO might need to do. Talking to the board, for example, which in itself is a very niche type of skill. I mean, you’ve got ten minutes, if that, to talk to the board in a year, and you need to maximize that. What are a few things that a business might want to look for in a virtual CISO?
Dylan: That experience is really key, especially experience in their vertical, particularly if there are regulatory compliance frameworks that you need to comply with. Having somebody who’s done ISO or GLBA or PCI stuff, that experience is going to be invaluable. You don’t want to hire somebody who’s never done that because they never had to, because they were in a completely different vertical. That’s probably a recipe for disaster. Yeah, so, you know, I think that’s a big thing, is that relevant experience to your industry is pretty key. You know, how long they’ve been doing it. The references, I think, are great: hey, we hired Bob to go and work, and he did X, Y and Z for us, and these were the results. And then obviously communication. You know, you don’t want someone who’s just going to sit at home and be given tasks. You know, a lot of times in those consulting relationships there’s deliverables, right? And they need to be able to talk to people at the company, whether it’s the director level, even down at the lower, you know, individual contributor, you know, the one IT admin. And you need to be able to talk to that person about, hey, we need to implement these controls, and be able to explain it in a way that makes sense. I think those are the big things. Most people in this space tend to keep up to date on the different threats. People ask that question, but anybody who’s been doing this for a while is always constantly reading the news or what’s on X or whatever about the latest attacks. So I don’t think that’s quite as important because, again, it’s kind of innate to people in this field. We always have that curiosity and the need to know what’s going on. But it’s those bigger things.
Greg: But let’s land on that for a second, because I know a lot of your background has to deal with threat intel and incident response for large organizations. You have a virtual CISO as the only security team for a small or mid-sized business. They obviously can’t have the same type of threat hunting and depth of incident response and forensics and just being able to ingest all that information. Now, I know that some SMBs outsource that function, as like SOC-as-a-service to MSSPs, which is a good service, but some also still need to have some sort of way to manage that threat environment in-house. Between larger and small businesses, what sort of expectations should an SMB have with regards to that space?
Dylan: Yeah, I mean, I think that if you’re hiring a virtual assistant, that’s something that you should get out of them. I just don’t think, from an interview perspective, I don’t find many people that, if you were to ask them about, I’m trying to think of one that just came up recently. Oh, the Copilot SharePoint vulnerability, where you could literally tell Copilot to turn off, to not log, my use of Copilot to access a FOD, right? That came out, I think, earlier this week or late last week. I think most people in this space are going to keep up to date with those things, right? So asking somebody, well, how do you keep up to date with all the emerging threats and trends? We know. I mean, honestly, again, I think people who are in cybersecurity have that innate curiosity that they take it upon themselves, right? It’s kind of like a throwaway question in an interview, from my perspective. Now, I would expect, you know, if there’s something… So, you know, if you hire me and I know your environment well enough, and I see something, absolutely, you should expect me to say, like, hey guys, this vulnerability was just disclosed about whatever, we use this piece of software or this service. Can you guys look and make sure that we don’t have, you know, the setting turned on to whatever, because that’s going to make us vulnerable. Absolutely. You should be getting that type of stuff from a virtual CISO, especially if they’re really the only security person in the organization at all, right? So I would expect…
Greg: But what about detection and response? I’m thinking more about the cybersecurity aspect, the technical aspect of following up on leads from your SIEM, or even having a SIEM in place. When you have a twenty-hour-per-month virtual CISO, there’s only so much that can be done, and a lot is focused on governance.
Dylan: Yeah, yeah. So I think from there, you know, for small and mid-sized companies, their best bet is to hire an MSSP, to be honest. It really is. This is not a core competency. Doing detection and response is not cheap when you start getting to scale. If you need to do twenty-four by seven operations, you’re looking at fourteen people minimum. It’s several millions of dollars in personnel costs, let alone the probably several millions of dollars in the software costs. Right. If you’re only two hundred, three hundred people, you can’t afford that. You’re better off.
Greg: Right.
Dylan: You’re better off finding a really good MSSP or MDR provider who can handle that for you. Now, you do need somebody to handle, you know, hey, we found X, we need you to either go look for a little bit more information to confirm, or here’s the remediation step, can you go fix it? And there, you know, a virtual CISO can certainly help, right, coordinate and provide a little more guidance in that space. But you still need that IT guy or gal, you know, to do whatever, reimage the computer or deploy a new registry entry, because that’s going to fix this thing that, you know, makes your entire organization vulnerable, whatever it is. But yeah, MSPs, MSSPs are really valuable, I think, for that small and mid-sized space, especially as they’re growing, and especially if they have regulatory compliance on top of it, right? You need that belly button, but I would look at a really good partner to help you out in that space.
Greg: Right. Because if you’re not proficient in that space, you tend to triage everything at the highest priority and then nothing gets done. At the very least, the MSSP, that’s why they’re there. And the really good ones in particular, they’ll take that off. And I guess part of the reason why I was going down this questioning is that I wanted folks to understand that there’s more for a small or a mid-sized organization from a security standpoint to consider beyond just like having a virtual CISO as their like, you know, ten, twenty, thirty hours a month. There’s more that needs to be done. You can’t get it all in one shot. So.
Greg: Absolutely. You know, it’s a stressful environment, whether you’re in a large organization or you’re in a small organization, and if you pile too much of that stress on someone, then they will not work well. But as in any of our jobs, certainly this is one of the more stressful industries. And I always encourage folks that they need to decompress, to do something, some hobby. Before you and I started recording, I was mentioning mountain biking, which I’ve started to get into more this past year. I haven’t broken any bones yet, knock on wood. What’s one of the things you do, Dylan, to help decompress from the stress of our field?
Dylan: There’s probably three things that I do pretty regularly. One is disconnect. When I leave the office, I try not to be doing work. Even though I’m doing work, I try not to do, you know, really meaningful things that are going to tax my brain. I read, but that’s a little bit different in my mind, but I won’t turn on my work computer at home unless there’s an absolute emergency. So I think that disconnecting is really useful and really important. Now, I actually learned this because I used to work in classified environments. I couldn’t take anything home with me. So it was like, when I left, it was like, I am done. Can’t connect back in, there’s no remote access, I can’t take documents out. Cut off, and it was awesome. It was great. And I’ve kind of tried to keep that going as I’ve moved into different phases of my career. You can’t do it all the time, but try. It’s really, I think it’s really useful. I work out. I try to work out three, four times a week when I can, even if it means going in at, you know, nine o’clock at night. I’ve done that. The gym I go to has twenty-four-hour access. So it’s on my way to and from work. So if I feel like, you know what, I need a quick hour to go and get my endorphins up, I hit the gym. And I’m a huge soccer fanatic. So I play, my kids play, I watch all the time. So that’s kind of the easiest way for me to disconnect and do something fun, is there’s always a soccer game on somewhere in the world on a streaming service, and I have most of them. So, of course, the proper name is football, but we already had that name taken, so, exactly, you know, I can watch a game almost daily. There’s something on at night on the TV. That’s one of my favorite ways to kind of relax and disconnect.
Greg: Excellent. Well, tell me about your future plans. What have you got coming down the road?
Dylan: Well, you know, as my LinkedIn profile says, I’m open to work right now. You know, whether it’s another CISO position, a deputy CISO position, some kind of senior leadership in the cybersecurity space is kind of what I’m looking to do. I have lots of experience, primarily in the defense sector. But, you know, I’ve also worked with, you know, when I ran an MSSP for Raytheon, we had customers across the board: health care, financial services, commercial and entertainment sectors. So I’ve got some insight into how those organizations work and need to secure themselves. But I’m just looking for my next right opportunity to help an organization be more secure and protect their intellectual property and their employees in this increasingly kind of worrisome digital environment that we have, the rates of attacks and ransomware and all that stuff. I like helping organizations, you know, kind of up their game in the cyber field.
Greg: Awesome. Well, if anybody out there has a lead for Dylan, just contact him and find him on LinkedIn. It’s pretty easy. I found him, so you should be able to find him. Dylan, thank you so much for joining me this morning. It’s been a great conversation, great insight, and I appreciate you taking the time out to chat a little bit.
Dylan: No, thank you, Greg, for having me. This was lots of fun.
Greg: And everybody, stay secure.