Greg Schaffer: Hi, I’m Greg Schaffer, and welcome to the Virtual CISO Moment. Today’s guest is Becky MacDonald. She is the founder of Cyber Risk Navigator and a seasoned cybersecurity leader with decades of experience helping organizations turn confusion into clarity when it comes to cyber risk and compliance. Becky has led security programs across healthcare, higher education, financial services, and more, guiding organizations from fragmented, compliance-driven efforts into mature, risk-based cybersecurity strategies. Through her work as a fractional CISO, she helps organizations strengthen their security posture, reduce risk, and navigate complex regulatory environments, all without the overhead of a full-time CISO. Becky, thank you so much for joining us today.

Becky MacDonald: Hi, Greg. Happy to be here.

Greg: Yes, and my assistant does such a great job of making these intros for me. Thank you, ChatGPT.

Becky: I was going to say that sounded very much like what was on my LinkedIn profile.

Greg: That’s where we get it from. So if there’s anything wrong in the intro, it’s because there’s probably something wrong on the LinkedIn profile or I made an error.

Becky: No, you hit it on and you did really well.

Greg: Well, I appreciate that. And that’s obviously just a very brief, high-level overview of your past and your history and your experience. But why don’t you take us back to the beginning — how and why you got started? I understand when we were talking beforehand that we both are fellow former CNEs, that most people probably don’t know what that means for Novell. But why don’t we go back to the beginning and bring us all the way to today?

Becky: That’s funny because, you know, working with younger folks today, I actually have had people like, “Seriously, Becky, what is Novell?” And so I had to go Google it and send them the link of the history of Novell, right? Because a lot of people don’t know.

Greg: Or they say “novel.”

Becky: Yep.

So let’s see. I started my career in networking and servers. Actually really loved that. I actually started college in programming, believe it or not. Within the first year, realized that really wasn’t for me. I took a networking class, fell in love — loved the idea of connecting and communicating and doing that kind of work much better than programming.

So I started off as a systems administrator. And I’d like to say that I’ve been doing security since day one, right? When you’re a server and a network person, your whole focus is on securing access and permissions and things like that, right? Identity — making sure that all of that is at the core foundation of everything. So it was very natural for me to fall in love with security as well.

Greg: Yeah. And I like to tell people, we didn’t have red teaming, blue teaming, purple teaming, or whatever back then. We called it troubleshooting. It was part of the job. None of this color-coded stuff. It really wasn’t specialized. It was all part of what we did.

But I’m sorry, I didn’t mean to interrupt your story. I had to get that in because it’s very much true.

Becky: And so it was like the jack-of-all-trades kind of thing too, right, back in those days. I don’t want to age myself too much here. But honestly, things evolved pretty quick. They weren’t so specialized. You had a lot of opportunity.

I also spent the majority of my career in nonprofit organizations, particularly healthcare, higher education, and K-12 education. You wear a lot of hats in those kinds of roles, right? I feel like those are the roles that really shaped who I became and what kinds of opportunities were given to me and how I grew my skills. You became a jack of all trades. You weren’t so specialized and siloed as you are today or in larger organizations. So I really loved that.

At some point throughout my career, I started getting into leadership. I had the opportunity to lead a help desk, server, and network team. That grew into also supporting DBAs, business intelligence, and all of that. Basically, if it wasn’t the main application, I was supporting it.

And when I took that supervisor position, it was also right in the early days of HIPAA. And they’re like, “Oh, other duties assigned. We need HIPAA policies. We need to make sure that our technical controls are aligned with HIPAA.” So I took that on.

From there, the passion just grew. I really wanted to get more on the risk management side of it and a little bit less on the tactical side. So working through that, I’ve always stayed somewhat tactical, but also very strategic and risk-focused. And I really like the risk side of it.

You can look at frameworks and say, “You’ve got to do this, this, this, and this.” Really, it comes down to risk. You’ve got to have that risk conversation and determine what is right-sized.

So after that, I did that for many years, and then I took a CISO role. My first CISO role was with a pretty good-sized health system. I did CISO work for ten years, both in higher education and healthcare. I really got to see the forefront of a lot of great things and a lot of growth in the security realm.

When I first started in security, there weren’t a lot of real-life examples of these breaches actually happening. Then you could go back to Anthem — the first huge one in healthcare. From then on, my job got so much easier. It became real.

And I wouldn’t say it was easy-easy, but it became real for leaders, for those in healthcare. It all became very real. You take a look at Target too around that same time, and that really started to shape where I think security was going and security leadership was going across organizations. We’ve seen a lot of growth over the last ten years.

Greg: I think that might have been fifteen years ago now — Anthem?

Becky: Yeah, I think you’re right. I think it’s been a minute, that’s for sure.

So we have CISO roles. And I’ve always wanted to really work for some large corporations because those afforded me opportunities that you don’t get in smaller nonprofit organizations — very mature GRC programs, medical device segmentation, unlimited tools, really good “sexy tools,” what I call them, that your smaller organizations can’t afford.

But my heart’s always been in that smaller midsize market. Being in healthcare and nonprofit for as long as I was, I feel like my superpower is finding a way to make things happen with limited budget and getting creative. I feel like that’s where I have the most passion — making progress despite not having a huge budget.

Greg: Well, that’s like classic risk management mindset, right? And I know you mentioned that. I pinged on that because when I was going for my CISSP, I thought that networking was going to be my strongest domain there because I’d been doing it for so long. And actually risk management was, which was like, “Oh, okay.” And that’s when I realized, no, I think I want to be a risk manager or go more towards that space.

But that’s exactly what it is because the difference between looking at a list — I think you alluded to frameworks and checking off things — as opposed to really understanding the risk of the environment is really the big difference from a business perspective, right?

Becky: Correct. A lot of folks go into this thinking you’ve got to implement check, check, check, check, check. Does that make sense for this organization? Is it the right approach for them? Could we do something a little bit different or lighter based on budget or their risk profile?

So that’s kind of my superpower — figuring out that niche and what is going to work right. Because there is no one way to do things right now.

Greg: Well, right. And that brings me — I want to talk just for a moment about the virtual CISO world. It certainly evolved over the last ten or fifteen years, and I think that sometimes it gets a little bit muddied as to what really makes a good, effective virtual CISO. We’ve kind of danced around some of the things with risk management, but from your perspective, how would you answer that? What really are the qualities that a virtual CISO needs?

Becky: Yeah, and I think it’s a breadth of things. I would say some technical acumen, even though many would argue that that’s not true.

I feel like I can be in a room with engineers and systems folks and I can see through the BS because of my technical background. “Okay, you’re telling me that this is going to cost X number of dollars and it’s going to take a year to implement. Hmm. I think there’s another approach to that and it could look something more like this.”

So it kind of cuts to the chase on some of those more tactical aspects of the role. And it helps right-size and shape our roadmap.

But I really think it’s about that risk and the willingness to understand the business and their profile and where their real threats are. I’m not going to push them to implement something that really shouldn’t be in scope for them because maybe it’s just not in their wheelhouse or a threat that is pertinent for them right now.

So really trying to understand that business. You need to understand risk and you need to understand the technical capabilities in my mind.

Greg: Well, and I think that bringing it home right there answers where I was about to go next. Because when I’ve talked about the virtual CISO field evolving — and in some cases maybe de-evolving — you’ve got some instances where folks that have very limited experience in the field, like they’re IT security managers, and they slap the vCISO moniker on their name.

And I was going to ask this question, but I think you answered it. I implore folks that when they’re looking for virtual CISOs, see what their approach is exactly. And if they go down the check-the-box route, maybe not so much. If they go down the risk management route and looking at things holistically and asking first about what the business is like, they’re the ones that are going to be more successful.

But how does one communicate that to an organization that’s looking for a virtual CISO that doesn’t really know the difference between them because they both say “vCISO”?

Becky: Right. And honestly, let’s be honest — in the space that we’re talking about here, small and midsize organizations, most of these folks are looking for “most cost effective,” right? They’re looking to check the box or they’ve had an incident.

I feel like those that have had an incident are really looking for strong leadership and they can dig through that. I think what you want to do is look at their background.

I’ve seen it too. I’ve seen it on people’s LinkedIn profiles. You went from maybe being a sales rep selling cybersecurity to all of a sudden now you’ve started your own vCISO program and you’re a vCISO.

Maybe that’s not the right approach depending on your situation. It could absolutely be the right approach if you’re just looking to have somebody guide you from a leadership standpoint and you feel like you’re strong in the technical aspects and you’ve got strong leadership there and capabilities.

Maybe that kind of CISO works for you. I think ideally you’d want to look for somebody that is well-rounded and has done a lot of those things because they bring more to the table.

Greg: Yeah, and I’ve put forth the idea over the last year or two that I think we’re starting to see a widening split in the vCISO world between those different types. I don’t know how that’s eventually going to shake out.

At one point in time I was thinking maybe it would be better if the industry had different monikers for each side. Maybe call one “fractional” and one “virtual information security officer.” I don’t know.

Becky: That’s tough because I think a lot of folks still haven’t really even caught on to what a vCISO is. A lot of clients I work with, they’re not searching for or looking for a CISO. They’re looking for cybersecurity expertise. That’s about as much as they know a lot of times.

Greg: Yeah, and a virtual CISO goes so much beyond the cyber aspect into governance, risk management, and all of that. You’ve got to have all those parts.

Here’s one of my biggest things on the governance and policy side: people just slap policy templates out there and then that’s not how the business runs and nobody’s adhering to them. You’re in violation of your policies from day one.

That drives me nuts. I’d rather you have a policy that is something that you can enact and operationalize than to just have a papered policy.

Becky: Right.

Greg: And that brings me to another question about the engagement. You already mentioned one mistake that sometimes people make — they either use templates or nowadays they’ll use ChatGPT or Copilot or something to create a policy. And if it doesn’t really reflect your environment, then that could be a real issue, particularly if you’re ever going to be audited because that’s what audits do.

But what are some of the common mistakes that you see when you first engage with clients as a virtual CISO? Mistakes that the organizations have made and are making — and maybe even expectations as well?

Becky: Yeah, so obviously the policy one is they have a lot of policies, they haven’t been updated in years, and they can’t even cite to me what their policies say. Their employees don’t know.

I do a risk assessment and I’m asking folks, “Do you have a disaster recovery plan?” Surprisingly, you’ll find the server folks and the network folks don’t even know that the plan exists. They are critical to that plan. So the plan needs to be dusted off.

Greg: I mean, you and I, when we were doing the networking stuff back in the day and the server admin work, we would have one because we wanted to keep our jobs.

Becky: Absolutely. And it was a point of pride to us, right? In our days, we wore all of those hats.

So I think that’s a challenge. The other thing I see is tool sprawl. Way too many tools with a niche and a little piece here and there, and honestly not fully utilizing each tool.

I think we’ve all seen that a lot. You buy this tool, you stand it up, you do the bare bones. You probably have good intentions of growing and putting in those next pieces of maturity with it, enabling those next features. Either you get pushback from leadership because “it might impact things,” or you just get busy onto the next project, the next project, the next project.

Becky: The next project, the next project is generally the biggest challenge. And in higher education, we tended to see a lot more of that pushback from faculty and things like that. But often it’s just the continuous cycle of the hot project and the next initiative. You never fully implement everything.

So stepping back and looking at the ecosystem and saying, “Okay, this tool does this, this tool does this, and this tool does this.”

Greg: I think that’s a common issue for a long time because I remember one of my earlier networking jobs — this was my first really supervisory-type position — we had a nice SNMP-based network management platform that had been purchased and installed by the vendor a year and a half earlier, but there was really nobody taking advantage of it.

The problem wasn’t because of lack of knowledge or lack of will. It was lack of time and lack of resources. And I tell you, you fast forward now — that’s been probably twenty-eight years — and the problem still exists.

So how can we do better in the security industry, particularly since we’re talking about SMBs and trying to be as efficient as possible? How can we be better with getting them to manage the tools properly or make maybe other decisions?

Becky: Right. So I think, first of all, we’ve got to stop the problem of not disclosing or making visible to the leaders the effort that really goes into fully deploying something.

A lot of times the security stuff and the IT stuff is back-end, back-office. It’s not visible to the leaders. So it becomes a thing of what’s visible to them is what we work on, and we forget about everything else because this is what’s important to the leaders.

So describing and putting on our roadmaps and our plans these tools and the full deployment of them and why they’re important and why they feed things — “It’s going to help us with availability. I’m going to know quicker that something’s down,” in your SNMP example.

We have to carve out the time to do those things. If we don’t carve those out, you’re building capabilities and business capabilities on top of a weak structure.

So having that conversation — and it’s not the easiest conversation to have because a lot of this just goes over their head. They also don’t understand why it takes so long to do or why we need so many resources to do it.

I think the conversation about tool sprawl and having too many different things is easier when you’re saving the organization money. All you’ve got to do is turn around and show that revenue gain.

Getting the time and the effort to merge and redeploy the right solution — or maybe taking the time to take that functionality out of tool two and tool three and putting it into tool one — sometimes is the tougher sell.

I’m not going to have bodies maybe to work on initiatives two and three for you from a business perspective because I’ve got to get this done.

I think it’s about balancing priorities too. There’s just too many hot priorities a lot of times.

So finding a way to put those up there enough that they get enough attention that we’re still moving along while addressing what the business needs to.

Greg: And part of this that’s so important is being able to communicate properly. And now this comes around full circle to what we were talking about in the beginning about what makes a good virtual CISO — and I’ll say what makes a good CISO.

Remember, first of all, the way this whole virtual CISO industry started is that it was prior CISOs that were then offering their services fractionally because they came to realize SMBs don’t have that sort of capability.

But then you get the people who put the moniker, the title, on their LinkedIn and all that, but they don’t have the experience of being able to talk and communicate with the C-suite and board members because they were never at that position anywhere in their organization.

And that’s one of the reasons why I historically used to be very hardline about this. I’d say, “You cannot be a virtual CISO if you were never a CISO before,” because you don’t understand.

I’ve backed off a little bit from that because I’ve met people that are practitioners in the field that are excellent with risk management. They get it. They’ve learned that skill some other way along the way.

But you can’t be a virtual CISO — or a CISO — without having that skill set.

Becky: I mean, nobody has been a CISO forever either, so you have to start somewhere.

Greg: Right.

Becky: And what I find is there are different types of CISOs in my mind.

So your small organizations — if I were starting out in the field right now today, I’d be looking for those small organizations where my leadership and the business leadership are going to be more tactical and business-focused.

I wouldn’t be going after the large organization that has a board — a very significant, high-end banking board and things like that. I’d be looking for those smaller niche-type organizations to cut my teeth as a CISO because they’re going to be more forgiving and they’re going to help you learn that skill — that whole idea of talking to them in business terms.

I’ve reported to CFOs, and they probably were some of the best leaders I had to prepare for. Talking money. Talking risk. CFOs understand risk and money more than a lot of CEOs do, to be honest with you.

Greg: No, absolutely. If the organization doesn’t have a CRO — a chief risk officer — then the CFO is the best one to report to.

Becky: Absolutely. Even better than IT.

I find with IT — and I’ve reported to a lot of CIOs, and there’s not necessarily a problem with that — but that leader has the same challenge of talking to the business and getting time with the business and being seen as an innovator and supporter and not just a back-office function.

Through a lot of my career, the whole IT department has been seen as back office. You’re not enablers and not business savvy. You don’t know about IT unless something breaks.

Greg: Unless something breaks and they don’t factor it in.

Becky: Right. And that has really shifted over the years. But I think in smaller organizations, you have that ability to have those conversations directly with the presidents and the CEOs and the CFOs because you’re generally a one-person shop trying to do all of those things and you’re reporting directly to them. It helps build that.

So if that were me — but I’m kind of with you on this whole “vCISO without being in the field” kind of thing. I have mixed feelings about it.

I also am tired of hearing that we have a shortage — a talent shortage. No, we don’t.

Greg: No.

Becky: We have a unicorn shortage. Everybody wants the unicorn. And I’m sorry, but not everybody can be a unicorn.

Greg: No. You can be a CISO for thirty years and still have shortcomings in some areas.

Becky: Absolutely. So be willing to work with somebody in those short areas.

Like, “Okay, this whole boxed-in thing where you can’t get into finance unless you’ve been in finance” — that drives me nuts.

I understand they’re more regulated, but in some ways that makes my job a whole lot easier. So why can I not get into the banking industry?

Greg: Yeah. I tell folks all the time: security is security is security. Sometimes the acronyms change.

You do the same thing across every sort of industry. You’re going to get like ninety percent there right off the bat. Then it’s just a matter of maybe learning some specifics around regulations or reporting requirements.

We all had to learn HIPAA too. We figured it out.

Becky: Right. We didn’t have regulations when we were doing security.

Greg: No, we didn’t.

Becky: And so we’ve been subjected all these years through all of that.

You know, I saw one the other day. It was for a fractional vCISO, and they specifically wanted you to have startup experience. Well, in a startup company, okay, I understand the reason why — things move fast, they’re a little chaotic, they want to make sure that you’re going to be able to work in that kind of environment.

Well, just because I haven’t done that before doesn’t mean that I can’t work in that kind of environment. I’ve seen that a lot with lots of other established businesses. You have change in business. You have things go on. Things get chaotic. And a lot of businesses are chaotic, and many of us work just fine in that.

Greg: Every mile starts with the first step.

Becky: Yeah, every mile starts with the first step. It doesn’t mean I don’t know how to walk. I can figure it out. I can navigate through.

Greg: And I’m going to use that as a segue, as I look at your background there, because you talked briefly about starting Cyber Risk Navigator. I love talking with folks that go down the entrepreneurial path.

What was one of the more difficult things that you found by going down that path that maybe you didn’t anticipate?

Becky: I think I anticipated it, but it’s worse than I thought it would be: sales and marketing.

Greg: Ah, four-letter words, both of them.

Becky: I have a dislike for sales and marketing. And I completely underestimated the amount of effort and time it was going to take out of me to do those things.

I want to be doing cyber stuff. I want to be leading organizations and making an impact over there. So that’s the toughest part for me, I think.

And I’m really focused on trying to keep my business light — more of a boutique, solopreneur kind of thing. I don’t have huge growth aspirations where I want to hire a bunch of staff. I want to keep my costs low, and I want to focus on the organizations that value somebody like me who is going to give them one hundred percent, even if I am fractional.

I’m going to be ingrained in their organization and work with them to build their cybersecurity maturity.

Greg: Yeah, and that is the selling point right there.

Because I have found — and I’m not saying this just because that’s where I was too — but I have found that the best service comes from the very small organizations.

I like to say sometimes, “You’re a big fish in a small pond.” But conversely, you have to ensure that they have the experience behind them and that they’re not using you, the organization, as a training field.

I think that’s the most important thing because later we have come upon organizations that have had what I call “vCISOs in name only.” And they’ve done more harm to the overall security program than good.

Becky: I’ve seen it myself. I followed a couple of those, particularly when I worked in the consulting space.

So your MSPs trying to become MSSPs, right, and just throwing that vCISO out there to add onto their consulting business. That can be a challenge.

I think it’s a little bit of a conflict of interest. It can be done well if your CISO services are at the right level of the organization, meaning they can strongly influence to make sure that those things are getting delivered to the client in a timely manner.

Greg: I always have to chuckle because I’ve got to pull myself back. Otherwise, I’m going to go down another twenty-minute rabbit hole.

But suffice to say, conflict of interest with MSSPs is huge. It can be managed. One way to definitively manage it — and this is sort of draconian — is that if you’re an MSSP that has a virtual CISO, the virtual CISO cannot recommend services that your MSSP provides.

But that’ll never happen because the main reason for having the virtual CISO is as an inside salesperson.

So, okay, don’t make it a requirement that they have to purchase your services. Be transparent about it and say, “We can offer this to you, but you can do it elsewhere.”

Becky: Here’s other options, right?

And I will tell you, that did get me in trouble because I was always the one looking for the right-sized solution for the client.

“Okay, yes, we have this and it’s great, and it might cost you this and it includes these things. That’s not a go for you. Here’s some other options to look at.”

And I would go to the next level and help them look at those, even though it maybe wasn’t in the best interest of the overall MSP, which is why I wanted to be independent. I wanted to make sure that I would have full autonomy to do what’s right for the client.

Greg: Right. But this can all be stressful. It can be stressful being an entrepreneur. It can be stressful being in our field.

I encourage folks that they need to do something healthy — or at least do something that is not unhealthy — to decompress from the stresses.

What do you do to decompress from the stress, not only of information security, but also of being an entrepreneur?

Becky: For me, it’s anything in nature.

So if it’s piddling in my flower beds — I love flowers. I have pretty extensive flower beds here. Sometimes it feels like another job, but I enjoy them.

I also live on a lake, so spending time out on the lake and decompressing. We also love to camp.

Basically anything that is non-connected, in nature, quiet, less chaos — gives me time to refuel and just kind of chill.

Greg: Yeah, I just had this random thought. I’ve done almost two hundred and fifty of these discussions, and I would love to correlate the responses to that question over time and do analysis on it.

At first I’m thinking, “Well, I can go through every one,” but I don’t even have transcripts for all these. I started doing that about a year ago.

But I think what I’m going to do is wait just a little bit longer, and once I get to the point where I can point them to a share where I have all the videos, I’ll say, “Look at all these videos and do it for me.”

That would be cool. Then do highlights of what all CISOs do and see if there are any patterns. We can’t do it yet, but I’m guessing two years from now it’ll be powerful enough that I can do that.

Finally, future plans. What do you have on the horizon, either for yourself or for Cyber Risk Navigator or both?

Becky: Really, I’m looking to build the right-sized program for that smaller, cloud-connected organization.

I think that’s underserved — and over-served in some cases. If they have requirements from a regulatory standpoint to do X, Y, and Z, they’re probably overpaying for those services.

For me, I want to find that right niche and that right-sized approach for them that keeps them nimble and light. So that’s kind of where I’m focusing.

Greg: Awesome. Well, hey Becky, it’s been a great conversation. Really appreciate you taking the time out to be with us today.

Becky: Great. Thanks, Greg. I enjoyed it.

Greg: Everybody stay secure.