Greg Schaffer: Hi, I’m Greg Schaffer, and welcome to the Virtual CISO Moment. Today, Alan Clinard joins us. He is the founder and principal of Athena vCISO Services.
Alan brings more than two decades of experience in information security, operational risk management, governance, and compliance across financial services, critical infrastructure, and government sectors. Over the course of his career, he has led enterprise information security risk programs for a variety of organizations. He’s also a former U.S. Army officer and holds certifications including CISSP, CRISC—which I think is pronounced “C-Risk,” but I’m not sure—CISA, and the Certified vCISO, which I’m sure we’ll talk about in just a few moments.
Alan, thank you so much for joining us today.
Alan Clinard: Thanks for having me, Greg. Really happy to be here.
Greg: Well, I’m happy you’re here as well. My apologies if my throat is—my voice is a little bit hoarse. I just got done with a recording of the previous episode right before this as well, but that’s okay. It’s like I wasn’t yelling in the previous episode, so I don’t think I’m going to yell at you or anything.
But I want to start off the way that I always do. I know some of your story, but I’d like to hear how and why you got started in this wonderful field. Just take us through your career and to where you are today.
Alan: Sure. So when folks ask me this, honestly, I really kind of bumbled into it.
In my post-Army career, I wasn’t really sure what I wanted to do with my life. So I ended up taking a role in Washington, D.C., and it was operational risk management consulting. So we had both a services and a software platform that we used to help people measure and manage operational risk. And that started mostly with physical security, and it dovetailed really into information security over time.
One of the things that I took from my Army career that has really helped me along—my first assignment was as a tank platoon leader. So I was in a tank battalion. I had four tanks that I was leading and their tank crews, and it really helped me understand the basics of maneuver warfare.
I then transitioned to the intelligence world, and having that experience as that leader at a maneuver unit really helped me do my job as an intel officer better because I had that perspective. I really was able to take that mindset and frame of reference and then apply it in my civilian career.
So when I supported a client, I really wanted to understand what they were trying to accomplish, what outcomes they were looking for, and understand a little bit of the inside baseball of their organizations—like how things get done—and then go about saying, “Okay, based on all this, here’s what I think is the best way to support and develop your information security risk management program.”
So I started out supporting federal customers: the Air Force, Department of Homeland Security, the Navy. And after several years there, I met my now wife in the D.C. area. We decided that the D.C. area probably wasn’t a great place to raise kids and have a family.
So she was originally from Minnesota. We moved out here, and I started working at U.S. Bank. Again, supporting those front revenue-generating business lines from an information security perspective, it really helped me to have that mindset and perspective of what do I need to know about the business and how they do things to be able to support them better.
So understanding, okay, what are the business outcomes? And from an information security perspective, how do I make them better at what they do?
And what that really was is taking a lot of the information security-related tasks that a manager was responsible for in a revenue-generating business line and starting to document those and basically take them off their plate. Having things that produced consistent, repeatable results—checklists and so on and so forth—so that they don’t have to have the expertise and experience that I do. They can just rely on the instructions and procedures that I’ve put together, which help them, A, be secure and, B, demonstrate compliance in a very highly regulated environment.
So I took that experience supporting revenue-generating business lines and moved into the information security function itself. I had a number of both technical and governance-related positions there. Again, same mindset, but instead of an individual revenue-generating business unit, it was the entire bank.
So really understanding, for instance, on the insider threat team, what were my responsibilities and how do I engage and leverage the HR function and the managers to create a path of, “Hey, here’s the thing we found that this particular employee did that we’re concerned about.”
I’m not going to explain it in technical language. I’m going to tell you, “Hey, this is what they did. Here’s why it’s bad.” And we’re going to leave it up to you to deal with that employee in whatever shape, form, or fashion.
So again, having this understanding of how the business operates to be able to better support them.
My next role, I worked in the critical infrastructure world. Again, very highly regulated. I was part of a company that helped manage the electrical grid. There, again, much the same story—understanding what it was we were doing, what it was we were responsible for from a regulatory perspective, and then saying, “Okay, how do we do both good security and do it in such a way where we can then evidence the fact that we’re compliant with the regulations?”
And so that was my last role before founding Athena vCISO Services. So it kind of brings us up to date.
Greg: Well, I love the fact that—well, first of all, you made it a little bit easy for me because I often ask folks that were prior military, “What did you bring from the military that has helped you in your career?” And you answered that.
You also do something that I think is a big gap in those offering virtual CISO services and just those who are security folks in general. That is the importance of understanding the business. If you understand the business, you can help the clients better, to use your words.
But there are a lot of folks out there that seem to miss on that. They start wanting to jump into aligning folks with frameworks and controls. They’re going more on a check-the-box thing, and they think they’re doing the right thing, but they don’t really dig into understanding the company.
What is one thing that you think could help them better understand the importance of doing it the way you’re doing it, as opposed to starting with the framework and checking the boxes?
Alan: I think there are a couple of things.
So I’m a big Stephen Covey fan, and whenever I get the opportunity, I throw out, “Begin with the end in mind.” We have to ask ourselves, what is the end?
For a small or medium-sized business, the end is being profitable and delivering a good service. I think that dovetails into the other thing, which is a little bit of humility.
Someone very early on in my career at the bank made the point of saying, “We’re not here to do security. We are here to make a profit and return money back to our shareholders and do good things for our customers.”
So having that understanding that everything that anybody in the organization does, to include information security services, supports that objective. It’s not about your expertise. It is about your ability to work as a member of the team to achieve that goal.
So having that mindset and that humility walking in, I think, is really important. Those are not technical skills.
Greg: No, not at all.
And I think that’s one of the things that makes it difficult for folks that are trying to move up. The humility angle is so powerful. When people finally realize the goal of the company is not to be secure. The goal of the company is to make money. I mean, that’s it. There is no other goal.
How do you not make money? You have a bad security program. That’s one way to not make money—to have really bad losses. That’s how it dovetails in.
But there are so many people in our field that automatically think, “No, security has to be the number one priority.” That’s why they can’t talk risk to the C-suite and the board of directors because they’re already starting off on an “I’m more important than you are” type of footing.
Alan: Yeah. You really do have to speak their language to be able to have a seat at that table.
The protect-revenue piece that you alluded to there is important, but also, how do I help you expand into a new market or offer a new product in a safe and secure manner?
Now you’re not only being that firefighter, if you will, but you are also being that proactive business leader to say, “Hey, here’s a really smart way that we can get into this new market or offer this new product to a new set of customers.”
Greg: Let’s dive down that just a little bit further.
You often talk about cyber translation, to use your words—translating technical risk into business language. We’ve just talked about the importance of that, but why do we struggle with that as security professionals?
What is it in our brains or in our background? Is it because we focus too much just on our own world? We diminish the importance of it? We don’t understand the importance of it? Maybe a combination of all that? Or maybe something else?
Alan: I think all of that.
We really like the ones and zeros. That’s what we’re passionate about.
I don’t know that we do a good job as an industry—the information security, CISO, virtual CISO industry—of teaching basic business concepts.
That’s one of the things that I had to learn about running my own business. What is a balance sheet telling me? What is my P&L telling me? What is my cash flow report telling me, and why is it important?
Those are things that I had to pick up on my own, and we just don’t teach them as part of maturing out of that very technical role into this idea of being a business leader.
It’s a whole different lexicon. It’s a whole new alphabet, if you will. Instead of threats, vulnerabilities, controls, firewalls, switches, et cetera, it’s profit, loss, revenue, expense, marketing, sales.
Greg: Yeah, and I totally agree.
Being a small business owner yourself gives you a different perspective. Particularly in the virtual CISO field, almost by definition, the clients that we’ll work with fall into the small and midsized business category because if they’re any larger, they’re going to have somebody on full-time.
That’s why I say almost by definition.
Making that jump into being an entrepreneur is a difficult jump. But I think some folks have the misconception that it’s very easy. They think, “I’m suddenly going to hang my virtual shingle, and the clients will be screaming and knocking down my virtual door.”
That’s what I thought, honestly, when I first started. I thought, “I’m just going to put it out there. I’ll do maybe one Google ad and have clients out the wazoo.”
It doesn’t work that way.
It’s kind of a scary thing to do because you’re now responsible for the entire business. You’re responsible for everything. The things you talked about—the back-office stuff, the finance stuff—but you’re also responsible for the marketing, the sales, the billing, the invoicing, and all that stuff.
It’s a crazy world to get into.
So why did you jump into it?
Alan: I think the biggest thing for me is I just wasn’t a good fit for the corporate world.
We talk about trying during an interview to help people see you as a fit in their organization. There is precious little about helping you understand, “Is the organization a fit for me?”
Through many years of following the normal track where everybody does a nine-to-five type of role, I learned that that kind of environment is not a good fit for me.
So that is the first thing.
The second thing is I really wanted to have the flexibility to be able to pick my daughters up after school at three o’clock and spend the rest of the afternoon with them.
Greg: Oh yeah. There’s a huge lifestyle component with it. No doubt.
Alan: Yep.
And I think the third thing is the challenge of adding value on every day, every interaction, every engagement that I have with my clients, and then being able to move the ball forward for them big-picture.
Stepping outside of the everyday, “Oh, we’ve got an exam coming up,” or “We need to do this policy review,” and helping them chart a course in a bigger-picture kind of way.
Helping them understand, okay, how do we break down a business goal that this organization has, and how do we communicate how the information security function helps the business reach that goal?
Along the way, as part of that challenge, it is one of the things that I love to do professionally speaking, which is teach and mentor.
I always tell my clients, “I am going to work myself out of a job. I am going to train you in such a way where, in whatever period of time—maybe it’s six months if I do a really great job, maybe it’s two years—you are no longer going to need my services because you can do this for yourself.”
We’ve built that institutional knowledge and that security culture in this organization where you’re going to say, “All right, we’re good. We’d love to keep in touch with you, but we can do this ourselves now.”
That has been a real unexpected piece of satisfaction that I’ve gotten out of that challenge piece.
Greg: Yeah, I think that’s a wonderful thing to do.
It’s such an honest approach because there are so many organizations—and I don’t like to normally badmouth organizations, but I will speak in generalities—that provide virtual CISO services and other services that are more self-serving than others, or are less experienced.
From the self-serving standpoint, particularly those that are pressured to look at the bottom line, the margins, the recurring revenue, they don’t want to do that. They’re like, “No, you’ve got to do everything you can to make sure that the client is sticky.”
Yet what you just said is completely opposite of that, but provides a better service.
I’ve always been of the opinion that if you have a heart of a servant, you’re always going to be successful. Something or another is going to be fine with it. It’s okay to lose a client in that manner because you’ve done something good.
So I applaud you for that.
Alan: Yeah.
And when I was a manager, there was always this fear and anxiety around losing a good employee or losing an employee because they decided to go somewhere else.
I just disagree with that perspective because—good for them. They’ve got a great new opportunity to go and grow. I don’t know why we wouldn’t be happy about that.
And yes, I have to replace that person, so I have somebody else that I can bring in that I can now mentor and teach and help grow.
The best part of all of that is that person B is not the same as person A.
So I now have to understand where that person is at. I have to meet them where they are. I have to ever so slightly—or maybe completely—rearrange how I manage that individual.
I think the same thing applies with losing a client.
It’s like, okay, now I have the space to bring somebody else on who’s in a different position. Maybe they have an exam coming up or an audit coming up or they’ve got an MRA that they need to deal with.
That’s great for me because now I have a whole new set of problems to help them solve, and I have a whole new cast of characters to help train and mentor and do all the things that I love to do.
Greg: That reminds me of a conversation I had on last week’s episode. In full transparency, I can say it’s last week’s episode from the airing perspective. But from my perspective of recording, it was about an hour ago, so it’s fresh in my mind.
We were talking about—and I know you work with financial institutions a lot—the challenge of institutions where they are fine with where their security program is because the auditors are fine with it or the examiners are fine with it.
Us sitting in the position as virtual CISOs for those types of organizations—and it doesn’t just have to be financial services, but financial services is so heavily regulated—you don’t really have examiners in any other field for the most part. It becomes a little bit of a frustration where we’re like, “You can do better with your security program. We have a way to get you there.”
But they only seem interested in staying at this level, which is not a bad thing. Don’t get me wrong. You have to be compliant with FFIEC guidelines and this and that, but that should be the minimum. You should strive above that.
Yet sometimes getting clients to understand that being above where the auditors like it or the examiners are okay with it is a good thing can be difficult.
How do you approach that?
Well, I guess there’s two questions there. How do you approach it with the client? And then how do you approach the frustration? Because I know I feel this way. You already talked about having a heart of a mentor and an educator and trying to work yourself out of a job. How do you get there?
Alan: I think that, going back to this idea of having a little bit of humility, every client is different.
I look for the small wins and think long-term and strategically about how do I pile up those small wins with this client so that they are markedly different today—or in six months—than they are right now.
When I lived in D.C., I actually learned how to play polo.
Greg: Polo? Awesome.
Alan: Yeah, it was a ton of fun.
Everybody thinks about polo and imagines people galloping down the field taking these huge swings to hit the ball. What I learned is that polo is really all about the short game.
I have that perspective in my head of, okay, let’s just assume small wins. How do we stack those up strategically so we’ve radically changed how this organization does asset management or radically changed how this organization does business continuity?
I think the second thing is identifying someone who can carry water for you.
Having an idea and planting that idea in that person’s head where it’s their win, not my win. They look good in front of their bosses.
Greg: Oh yeah. And we want to help promote that too.
Alan: Yeah.
I think being a consultant means you’re naturally on the periphery of the organization. Having someone who is part of the organization and part of the culture moving and shifting them and nudging them ultimately helps deal with some of that frustration.
Honestly, it’s more satisfying to me because it’s like this plan that I have in my head and I’m executing on this plan little bit by little bit.
When I see and I’m able to measure how things have changed over the course of time, that is very personally satisfying to me.
Greg: You mentioned being a consultant, which I think there’s a misconception in the security field that it’s very easy.
We kind of talked a little bit about it from the business perspective, but also just from how you work with clients. It’s not easy to jump from being an employed minion at an organization doing your job and then making this shift as a consultant because there are certain other things involved with that.
It’s actually a good segue into what I wanted to talk about—the Certified vCISO program—because that’s where you and I first met.
Which is kind of a stupid way to say it. We first met. No, we met there. It wasn’t like, “Hey, I’m meeting you again for the first time.”
But anyway, I digress. My voice is going because I’m talking stupid right now.
One of the things that I came away with from doing the Certified vCISO program—and I’ve talked about it on the podcast before—is that prior to that, I was more of the opinion that if you’re going to be a virtual CISO, you had to have had the experience of being a CISO or the highest-level information security executive somewhere because you had to have learned that risk management experience.
The Certified vCISO program actually does a very good job, in my opinion, of doing two things beyond the security knowledge. It does a good job of talking about risk management, and it also does a good job of teaching, at least on a basic level, how to be a consultant.
I have openly said that after being skeptical about it before going through it, I think it’s a very positive thing for our industry.
Now, having said that, it’s been a couple of years since you and I both went through it. I think we did it in 2024, something like that?
Alan: Twenty twenty-four.
Greg: Was it 2024? Okay. Time seems to go by so fast sometimes.
What was your takeaway from it? Did you find positivity from it?
Alan: Absolutely.
I think one of the big things that that course helped me with was extinguishing a lot of the fear I had around imposter syndrome.
Before I took that class, I thought, “Nobody’s going to pay me to do this.”
Greg: Yeah.
Alan: I’ve got all of this experience, but nobody’s going to listen to me. I don’t have any authority. Whatever.
But going through the class, it was honestly like I knew everything.
There were some bits and pieces that I didn’t have, and I was grateful for the perspective that Evan and his team shared.
But I realized, “Oh, I’ve been doing this for such a long time, and these other people have made a career out of doing this.”
That really helped me put to rest many of the fears I had about going in and doing this on my own.
Greg: Well, I can relate with a lot of that as well because it’s sort of touching on some of the stuff from the beginning, but also just generally in our field.
This can be a very stressful life.
Security in general—the risk management aspect of it, the governance aspect, trying to build programs for clients that are at various stages—it can be a good challenge, but it can also be frustrating and stressful.
Then you layer on top of it the entrepreneurial side of things, and that can double the stress.
I’m so much of an evangelist on this podcast about emphasizing to folks that you need to decompress. You need to let go of stress in a positive manner. I’ve learned that the hard way over my career.
I think it’s important to remind people of it. Part of how I remind people is asking guests, what’s one of the things that you do to decompress?
Alan: My big thing right now is learning how to cook and make things from scratch.
I’m making butter, bread, just very basic things. I’m trying a new recipe at least once a week.
For me, it’s very Zen because it takes your mind completely off of everything else that’s going on. You have to focus right then and there.
That helps me put everything else down.
It’s also a really great opportunity to laugh at myself for really screwing it up and then thinking through, okay, what did I do wrong there?
I made some really awful chocolate chip cookies because I mixed up—no pun intended—the ratio of baking powder and baking soda.
Greg: Oh, I’ve done that before. That’s not a good thing.
Alan: So that, and I’m looking forward to picking up cabinetry building.
I have a couple of rental properties that I manage. They’re older homes. They’ve been beat to heck.
There are some built-ins that I want to repair, and there are things I want to add in terms of cabinetry.
So I am going to YouTube University and learning how to build cabinets.
Greg: Oh, that’s awesome. That’s awesome.
Well, that’s part of your future plans, but I definitely want to touch on other future plans you might have for Athena vCISO Services.
I know you focus on financial institutions, but you’re not limited to financial institutions, right?
Alan: No, not limited to financial institutions.
The great thing about working with non-regulated companies is you kind of get to set aside some of the administrivia associated with the regulatory piece, and we really get to focus on the business.
I have one client, and they are anxiously champing at the bit to adopt AI. What I am doing there is identifying, hey, let’s understand what we are implementing AI for and what outcomes do we want from the use of that AI?
Then how do we consolidate that into something that we can apply our change management to, that we can apply our asset management to, our access management, all of our normal information security functions applying to this newfangled thing called AI?
That, I think, is where I am most anxious to take Athena. It’s helping organizations do that good governance around AI and the implementation of AI.
It holds great promise, and I should say it needs to be managed better.
I liken this to what businesses went through when the internet first started to appear and businesses first started to use it. I think AI is going to be as much of a fundamental transformation as that was.
We didn’t manage it one hundred percent right, because the evidence of that is all of these security-related things and all of the downsides of the internet.
I want to hope that we have learned from that and that we can channel our energy and enthusiasm for AI in a much more deliberate, constructive way.
That is, I think, the biggest thing that I’m looking forward to for Athena, being able to have a hand in that.
Greg: So if folks want to get ahold of you, what’s the best way to do it?
Alan: My website, athenavcisoservices.com.
You can also find me on LinkedIn. You can reach out to me personally, or you can go to the Athena vCISO Services page on LinkedIn.
Greg: Awesome.
Alan, it’s been an absolute pleasure. I appreciate having you on.
Alan: Thanks for having me.
Greg: As I always tell my guests before starting, we kind of say fifteen to twenty-five minutes. I don’t like to go above thirty.
As I look at the clock, we’re hitting close to forty right now, but that’s okay. I’m going to have to actually change my write-up for it because I never like to stifle good conversations.
This is an excellent conversation.
I really appreciate you coming on and sharing your wisdom with folks out there. Again, anybody looking for virtual CISO services, check Alan out. He gets it. He’s one of the folks out there who understands and has the experience to back it up.
The why for what he does is, I think, really aligned with the right way to do things.
So again, thank you for joining us, Alan.
Alan: Yeah. Take it easy, Greg. Thank you.
Greg: And everybody, stay secure.