Greg Schaffer: Hi, I’m Greg Schaffer, and welcome to the Virtual CISO Moment. I’ve got Joseph Gunnells with me today. He is a vCISO and information security consultant with a strong background in cyber defense, organizational leadership, and business strategy. With experience spanning engineering, infrastructure, and governance, Joseph has helped organizations strengthen their security posture while aligning cybersecurity initiatives with broader business goals. Currently serving in a governance risk and compliance role, he brings a practical results-driven perspective to modern security challenges and the evolving role of the vCISO. Joseph, welcome again to the virtual CISO moment. And I say welcome again because we had started this and I realized I hadn’t hit record and that doesn’t work too well. So anyway, welcome back.
Joseph Gunnells: Thanks, Greg. I appreciate it.
Greg: So we’d love to hear your story. Start from the beginning about why you got into the field, how you got into this field, and then just bring us all the way up to today.
Joseph: Yeah, absolutely. Really, it kind of begins in college to an extent. As we’re going through that phase of our life, trying to discern what industry we want to land in, we come in with maybe these grandiose thoughts of, the job we’re going to have coming out of college. And obviously, I feel like most people I’ve talked to, there’s a little bit of a humbling moment in that. I thought I was going to be in aerospace engineering. Very quickly found out that my math acumen was nowhere near good enough to maybe push the bounds and become the astronaut I was hoping to be.
Greg: I got to stop there because that’s exactly my story back forty years ago. I was an engineering major, and what killed me wasn’t necessarily math, although I hated differential equations, and finite elements was difficult as well, too. But the Cold War killed me because it ended, and all of a sudden you had a glut of all these aerospace engineers. So, different reasons for falling in. But you’re the first aerospace engineer that I have been able to relate with on this podcast. Go right ahead. Continue on.
Joseph: Absolutely. So I always also had a lot of interest, obviously, in IT. My dad’s been in IT administration for decades, and I grew up just kind of around him, you know, having numerous workstations in the home office. He works for a university. And also, you know, when I was in high school, he helped me build my own desktop. So from there, you know, I kind of looked at my options. I pivoted a little bit in college, switched over to management information systems, just because then it felt like it was a nice blend for me, because up until that point I’d been working in restaurants. I had moved up to managing restaurants as well, and then actually getting into the higher echelon of operations just within the restaurant industry. So I was looking at things like our profit and loss. I was looking at the cost of goods sold. I was in charge of labor costs as well, so, you know, firing, hiring, all the staffing, the training of managers in between there. So I kind of quickly started to discern that while I enjoyed it, I also had this element of working alongside people that I really enjoyed as well. So coming out of college, I jumped right into an IT consulting firm, was doing a little application development, switched over to an infrastructure role while I was there. Really just started building out a lot of the technical skill set that you don’t necessarily get in college, right? They talk a lot about what you’ll be doing, but you don’t necessarily get some of that hands-on work until you’re really in that first role.
It was good, you know. I kind of drifted away from application development. I never had a strong acumen for writing code, honestly, and it’s never really been my passion. But the nice part about working in that consultancy was that, you know, you’re getting all of these different clients with all these different needs, and, you know, what they need from you looks different with every engagement. And I really enjoyed that, because it kind of gave that lens of back in the restaurant industry, where every day was different, it presented a new problem. I got the same thing in this consultancy. And obviously too, when you’re looking at the infrastructure side of the house and working deeply within the technical stack that a customer is deploying, security is a mandatory conversation. It’s not something you can gloss over. It’s not something that you can just kind of turn a blind eye to. You can just, you know, not advisable, obviously. So I started to get deeper and deeper into, oh, okay, well, we’re talking about secure configurations. We’re talking about, you know, what sort of GPOs we need to be pushing out to client environments. So that way, you know, we’re really making sure that we’re doing the work we need for them, but we’re also doing it in a secure manner. How do we go about that? And from there, I just kind of dove into that pool of understanding cybersecurity to a much deeper extent, to the point where I was like, oh, I think this might actually be the direction I want to go. And from there, I moved to a different organization where I was actually working internally as a cybersecurity engineer, just so that way my focus was solely on the cybersecurity aspect, which was really great. Had a great team alongside me from an engineering perspective that I got to learn from. My direct manager was really, really great at kind of bringing me along. Honestly, putting me more into a security architect type role in that position.
I really had a lot of different elements to that position, where I’m looking at the endpoint protection, but I’m also writing policy. I’m also deploying security awareness training to the organization. I’m getting a lot of these different elements. And then from there, there was an unfortunate aspect to that. Greg, this is where we had our introduction. There was a reduction in workforce. And I think upwards of a few dozen people were let go, and I was just kind of in that swath of individuals. So that was unfortunate. But as you’ve kind of seen through our connection and through LinkedIn and all these other areas, I have been able over the years to build a good network around me, not just security professionals, but just the greater IT community as well within the state that I reside in, the communities with which I do business. And I had some individuals reach out almost immediately and say, hey, we have a position open. We like you a lot because we’ve met you. We know who you are. Would you be interested in maybe coming on and doing some information security consulting with us? And I was like, well, I don’t have a job. So, yes, I would be very interested in discussing this position. And it turned out to be the right fit. And to your point in the intro there, now I’m working in the governance, risk and compliance space as a virtual chief information security officer. And kind of like I highlighted, it’s nice because I really enjoy being able to interface every day with clients, have those conversations around security, but then also bridge that further with how the business makes money and what are some of the needs that they have that I can help add value with. And that’s kind of where we’re at today.
Greg: You had a reduction in force—a RIF, I guess they refer to it as. And you brought up something that I think bears repeating and landing on. And let me preface by saying: often—well, I shouldn’t say often—but occasionally I’ll get pings from people on LinkedIn that I’ve been connected to for years, but that I haven’t heard from in years. And it seems like they only increase their LinkedIn presence when they need something. Tell me, from your perspective, what the value is. And you were saying that when this RIF happened, you had already built out a network. And to me, that kind of speaks to: if you constantly are trying to take from something without giving, it’s going to be a lot less impactful. You need to be constantly giving so that when that time comes, you have that established. Was that a conscious decision that you made, or was that just something that naturally came from how you are?
Joseph: I’d like to say a bit of both. Not the best answer in the world, but I’ve obviously, as I’ve come to grow in my career, totally come to understand that aspect of when you give of yourself to other people—when you provide value to other people, to the community you’re in—it’s just the right thing to be doing. And if you’re doing that honestly and with integrity, it tends to give back, even to your point when you’re not asking for anything necessarily, right? Or when something adverse happens and you do need help.
Those people are more than willing to help because they know your character. They know your individual aspects that you’ve built along over time. It really just helped to—when I was young in my career, new in the cyberspace—I was going to conferences, but I wasn’t afraid to just chat with people. Whether it was someone who was just a sysadmin or a CIO of a large enterprise organization, I just engaged in those conversations.
I asked a lot of questions. I asked, “Can I connect with you on LinkedIn?” That way, if I had additional questions, I could reach out and continue the conversation. Not coming at it from a “what can you do for me” perspective, but genuinely wanting to be in this space. You have the experience I’m looking for, so I’d love to grab coffee, message you, and keep that conversation going.
That way, as I go through my career, I’m like, “Oh yeah, I spoke to somebody about this. I’ve already understood this situation, this risk, how other people have tackled it in the past,” right? And not only from that—but now, where I’m at in my job—I have this network of people that if I hit a roadblock with a client or in my own career, I have resources outside of my organization I can reach out to.
Someone like yourself, Greg, where I can just ping you and say, “Hey, I’d love your feedback on this. I’d love some of your insight from your career as to how you’d approach this situation.” And then from there, it’s just value that we’re exchanging at that point.
Greg: Yeah, and I’m certainly very receptive to that. What I’m not receptive to is this: if I connect with someone and immediately they want to schedule thirty minutes with me—I don’t even know you—and they just want to pull all sorts of advice from me. I’m like, “Wait a minute.”
I connected with you because I want to form a relationship. I believe in the power of community. And, you know, I’m kind of not an extrovert—actually, which would sound a little surprising doing this podcast hosting stuff.
But you mentioned conferences, and that got me thinking. What I try to do at conferences is this: when we have downtime—like lunches and things—you get people that either congregate with folks they know or sit off by themselves and eat. I try to go find a table of people I don’t know and just sit down.
Usually it’s folks that, to me, feel like that lunch table in high school—the outcasts. I was one of them. Nobody wanted to talk to them. So it’s like, “Okay, all the outcasts over here.” I sit down, start talking, and at first you can tell it’s a little uncomfortable. But then the conversation gets going because of the power of community.
So yeah, I totally agree with that. I don’t really have a question to follow up on—I just wanted to emphasize that. I thought that was important.
But I am curious now: from the RIF and your current role, you went from more of the technical engineering side to the information security risk and governance side. How was that transition? Did it flow naturally, or were there some areas that caused a bit of a speed bump?
Joseph: It was pretty natural, a progression. Like I said, when I came on to that last organization in that cybersecurity role, it was pretty hands-on—pushing secure configurations and stuff like that.
My manager at the same time, though—I think he probably evaluated what some of my strengths were at that time. He shared this with me, obviously, in our one-on-ones and our check-ins—that he was kind of thinking I was going to be a little bit more of a security architect, maybe more so than that engineering role, right?
Where it’s more of a holistic view—looking at the security stack, looking at all the different elements of the organization, our third-party risk management, and how we want to structure our layered approach, our defense in depth, around how we’re doing things today.
And while it was definitely still hands-on—still technical in nature—it definitely started to push the bounds. And honestly, it challenged me a bit, because then I’m having conversations outside of the IT department. I’m having conversations with HR about how they’re bringing in new hires, how we need to provision them.
I actually ended up getting into our new hire orientations as the security individual—to talk to them about phishing, to talk to them about password hygiene and things like that. Because I felt like they’re not going to read our acceptable use guidelines. They’re going to scroll to the bottom, hit “acknowledge,” and move on. Or they’ll wait for the timer to time out and then hit “acknowledge.”
Because sometimes we try to be crafty and say, “Oh, you’ve got to spend ten minutes on this.” Okay—well, the first ten seconds I go to the bottom, then I just leave it there, go do something else, and then, hey, okay—now I can click. Right?
Greg: Absolutely.
Joseph: So it was very impactful that way, too, because all of a sudden there’s a face to a name. They know me as the security individual. And I found that they actually felt a lot more comfortable reaching out to me personally and asking questions like, “Hey, I got this thing that seems a little strange—do you mind taking a look at it?”
I’m like, “Yeah, it’s my job—absolutely.”
But I always like to joke that it took the Darth Vader element out of it. Sometimes the security person is seen as the bad cop coming into the room: “What did you click on? Why did you do that?” You can almost hear the Dark Lord of the Sith theme as you walk in.
Greg: Right, right—exactly.
Joseph: So I wanted to remove some of that. I wanted it to be, “Oh, we know Joe—he’s our security guy. He’s actually looking out for us.”
So I put myself out there to an extent. I wasn’t just an IT individual in the back doing behind-the-scenes work—I made myself visible to the organization.
So not to be too long-winded, but when I moved into the position I’m currently in, being a vCISO, it felt very natural. Because I’d already started having those conversations—especially from a leadership perspective.
When we’re talking about security exceptions and having leadership sign off on risk, I need to be able to articulate what’s going on and why that risk is being incurred—often due to a business decision leadership wants to make.
So it kind of flowed. Obviously, there’s a learning curve to everything. I’m not saying I came in day one and I was a rock star—certainly not—but it definitely felt like a good transition.
Greg: Well, you know, you touched on what I like to say is one of the most important skills that a security leader needs to have—and that’s empathy.
And that comes first from building relationships. When you build relationships, you start to understand the other person. And if you open yourself up to that understanding, then as you move into more leadership roles, you begin to understand the business.
I mean, why are they so concerned about a certain metric or outcome? What’s driving those decisions?
Let’s just say you’re first engaging with a client as a vCISO—or vCISO, however you say it. What are some of the common challenges you see when starting with a new client?
Joseph: I’ll give you the IT answer—it depends.
Greg: I thought the IT answer is, “Did you reboot it?”
Joseph: Yeah, right—absolutely.
I think what I’ve found pretty surprising is that a lot of times, when we’re brought in on an engagement, it’s the IT group bringing us in—whether it’s a leadership-level person or someone more in a middle-management role.
And like you’ve mentioned in other podcasts, especially with small and midsized businesses, a lot of times I’m working with a director of IT or someone sitting between the boots-on-the-ground staff and executive leadership.
And often when we come in, they’re saying, “We don’t know what we don’t know—that’s why we need you.” Or they’re very granular and say, “We’re doing a lot of things, our calendars are full, but we have no policy or documentation behind anything we’re doing. We need you to help spearhead that.”
And I’m like, “Got it. That sounds good.”
But other times, it’s more consultative. It’s, “Okay—what do we have going on right now? What projects are in flight? What are you trying to achieve?”
From there, I try to create a strong back-and-forth dialogue. Because what I often find is that IT teams are somewhat removed from the rest of the organization. They’re not always thinking through a business lens.
So they get frustrated—frustrated with leadership decisions, with budget constraints, with things not moving as quickly as they’d like.
And it becomes about: how do I convey value to them, while also helping them understand that the organization needs to be aligned with whatever decisions we’re making?
That’s empathy all around. Empathy for the business. Empathy for IT. Understanding both—and then trying to bring it all together.
Greg: Yeah. So I’m not going to focus on that too much—you’ve already touched on some of this. But is there anything else, from your point of view, that you think is a characteristic that makes a good vCISO?
Joseph: Well, I think—you definitely highlighted the empathy aspect, and that’s obviously important.
I think another piece is just being willing—and I know I’ve touched on this already—but being willing to put yourself out there.
When I get brought into engagements, I ask the individuals I’m working with to look at the organization holistically. And this is especially common in healthcare, where everything is moving to a SaaS model.
So I’ll ask, “Have you done any due diligence? Have you reviewed this SaaS solution for security risks or concerns?”
And they’ll say, “We’re lucky if we’re even brought into that conversation.”
Then I’ll ask, “If that SaaS solution breaks, do you get looped in?”
And they’ll say, “Yeah—we’re IT. We’re brought in to fix it.”
And I’m like, “Okay… but you don’t know anything about it.”
And they’ll say, “Correct.”
So it becomes: we need to get more comfortable putting ourselves in front of the organization—getting face time with other business units.
We can’t just be the help desk. We can’t just ingest tickets, fix problems, and disappear. We need to be part of the broader conversation.
Greg: I was going to say—how do you think the flood, if you will, of AI is going to change the delivery of virtual CISO services?
Joseph: It’s a loaded question. You know, I’m not sure.
Because obviously, I leverage AI constantly. Every day. My clients have varying levels of AI adoption, and they’re looking to us as subject matter experts—they expect us to know what’s going on.
So part of the challenge is just staying on top of everything in that space.
But what I typically come back to with clients is this: right now, we need to focus on foundational security—the blocking and tackling.
As great as AI is, there are foundational things we still need to address first—technical debt, policy, governance—just to keep the lights on for the business.
Can AI help us do things better? Absolutely.
But right now, a lot of the conversation is around awareness training. Because not every organization can—or should—block tools like ChatGPT or Gemini.
And if you did block them, you’d be taking away a valuable business tool.
We always have to remember: security exists to enable the business.
If we start saying, “You can’t use this, you can’t use that,” what do we become?
We become the Darth Vaders. The office of no.
Greg: Exactly. That’s never good.
Joseph: Right. And sometimes you get a very gung-ho IT leader who says, “We’re just going to block everything.”
And I’m like, “Okay, sure—but is that what the business wants?”
If leadership makes that call, fine—we can execute on it.
But the bigger issue is this: IT does not own risk management.
IT should not be making risk decisions. IT should be taking direction from risk management.
Because when IT makes those calls—like “we’re blocking everything”—they’re taking ownership and responsibility for risk that isn’t theirs.
And that leads to problems.
That’s why role clarity in this whole ecosystem is hugely important.
Joseph: Greg, that is the conversation I have almost every day with almost every client.
Greg: Yeah, I hear you, brother.
Joseph: Even just when we’re doing things like risk assessments—right? Like a NIST CSF risk assessment—one of the top findings I’m always putting on the risk assessment is that we just don’t have a security exception process in place.
Greg: Yeah. Change management. Change management. There is none.
Joseph: Exactly. Exactly.
You want to bring in an outsourced developer to help push a project through? Okay, great. But wait a minute—this individual needs inappropriate, overprivileged access to your environment. What are you going to do about that?
Well, IT is going to hem and haw and say, “We shouldn’t be doing this,” but they’re not going to do anything about it, right?
So then it’s like—no—we need to formally document this security exception. We need to cascade it to development leadership and potentially to a C-level individual to sign off on that risk.
Articulate the risk. Identify it. And then assign ownership.
And I always bring that back to them. I’m like, “Guys, I’m here so that 100% of IT risk does not fall on your shoulders.”
Yes, you’re going to be brought into every IT fire—you’re the firefighter, quote-unquote—but you’re not responsible for 100% of the organization’s risk. To your point, Greg—yeah, absolutely.
Greg: Yeah, absolutely. And that’s—that’s… I am holding myself back from walking down that path because I know we’re time-limited. But maybe we’ll have that discussion a little bit further in another episode, because the whole idea about risk ownership and change management and proper processes—it’s like, I know that it seems like overkill or it seems like bureaucratic minutia to some organizations, but it’s so that… I think if I was to encapsulate one aspect that makes a good vCISO and a good CISO in general, it’s the ability to see like four or five steps beyond. It’s like, we’re not doing this to make your life harder today. Yes, it’s going to make your life harder today—we’re making this so that your life is easier five steps down the road. Is that fair to say?
Joseph: Yeah, absolutely. And that’s what I try to articulate too, you know, with that exception process in general. Because typically, when we’re doing that, there’s not, like you said, there’s not a governing risk management policy or standard to help them make their decisions. So what I hope to do is, I’m like, guys, we’re going to take this new security exception process, we’re going to leverage it today. Because all of a sudden, when executive leadership starts getting all of these documents that say, hey, you have to sign off on this risk, they’re going to start asking questions. And they’re going to start asking the right questions, right? Because they own the risk. They’re responsible. Exactly. So, I mean, really responsible, like monies and jail time responsible. So one hundred percent, I try to articulate that. I’m like, all of a sudden, when you’re asking a leader to sign off on risk, eyebrows get raised, questions start to get asked, and then that’s where we start to, piece by piece, build that momentum forward into generating more of a formalized approach to risk. That I’m not saying IT has to own, but we can at least take some responsibility to push this forward, right?
Greg: Well, I think it’s fair to say that we know the right way to do it—but sometimes getting everybody on board takes time.
And while we’re trying to do that, we’re also fighting off threats. It’s a very stressful environment.
And I encourage folks—we can only do our best work when we take care of ourselves.
That means managing the stress that we deal with every day. Cybersecurity isn’t unique in being stressful—but that doesn’t change the fact that we have a responsibility to ourselves, our families, and our careers to decompress in a positive way.
So what’s one of the things that you do to decompress?
Joseph: One of the things I’ve gotten into over the last few years is jiu-jitsu.
Greg: Oh—hitting things.
Joseph: Yeah—or not just hitting things—grappling. It’s incredibly intense. It’s actually kind of the opposite of what you’d expect—it’s stressful on the body, but it clears your mind.
You take all that pent-up energy, release it, and your brain just empties out. You feel better afterward—as long as you’re not twisted into a pretzel and injured.
But beyond that, I also try to get outside every day. Get some sunshine. Eat a relatively clean diet—something that’s not wreaking havoc on my body.
I try to fuel myself properly so I feel good.
Greg: I’m glad you brought up diet. I don’t talk about it much on the podcast, but it’s incredibly important.
As I’ve gotten older, I’ve realized how much consistency and intentionality in what you eat impacts how you feel.
I know I sound like an old guy—but it matters.
When you fuel your body correctly, it enables everything else—jiu-jitsu, getting outside, just feeling good.
I might actually start talking about this more. I track my macros every day.
Joseph: And to add to that—the stress of the job is not an excuse to eat poorly.
We’ve learned that in our house. We’re stressed, we have young kids, demanding jobs—but that’s not an excuse to fall into bad habits.
Because it becomes a spiral. You feel worse, and it compounds.
People don’t always realize they’re in that cycle.
Greg: So what future plans—outside of the fact that you’re probably not having pizza and beer tonight?
Joseph: No—Friday night, we’re grilling steak and spending time with our kids.
But professionally, I’m really enjoying this phase of my career. I learn something new every day.
There’s always something evolving—whether it’s CMMC, potential HIPAA changes, or broader regulatory shifts.
And even without AI in the conversation, there’s plenty to stay on top of.
I just want to keep adding value—helping clients improve their security posture and governance.
Long-term, I’d love to grow into more leadership opportunities—but right now, it’s about patience. Continuing to deliver, continuing to build relationships.
Because those opportunities tend to come organically when you do that.
Greg: So you’re thinking a CISO role eventually?
Joseph: I like that idea. But I’m also happy where I am today. If the opportunity comes, I’ll explore it.
Greg: I want to end on this—because something struck me during this conversation.
For a long time, vCISOs were former CISOs doing part-time work. There wasn’t really a defined path.
Then we saw people adopting the title without truly understanding risk management.
But that’s changed. And people like you—who have grown into the role organically—represent the future.
We need that. Because SMBs need this level of guidance, and there simply aren’t enough traditional CISOs to meet that demand.
So I just want to say—thank you. Not just for being here, but for what you’re doing for the industry.
Joseph: Thank you, Greg. I really appreciate that. And I appreciate the opportunity to be here.
Greg: Likewise. And everybody—stay secure.