On Wednesday, October 27th, YouAttest is hosting a live webinar event titled: “The vCISO and Identity Governance.” The event will feature special guest Paul Horn, a seasoned cybersecurity executive with over twenty years of industry experience, serving as a Chief Information Security Officer for various companies before founding H2Cyber. In preparation for the event, we sat down with Paul to get his insight on the duties of a vCISO.
Who is a CISO?
A Chief Information Security Officer (CISO) is a C-level executive responsible for an organization's information and data security. CISOs are highly qualified professionals with the expertise to build and maintain cybersecurity programs in large companies.
When dealing with complex and sensitive data, companies must invest in strategies that protect it, and simply having an IT department is not enough. Paul compares IT staff to a family practitioner with broad, general expertise, whereas cybersecurity professionals are like the specialist you see for a complex condition: they have focused training for dealing with cyber threats.

The vCISO has become a key hire for many small and commercial businesses that realize the importance of security and compliance but need to achieve it on a budget.
However, not all organizations have a CISO. Only about 61% of companies employ one, rising to 80% for large enterprises. This is mainly because small and medium businesses have to compete for scarce cybersecurity talent, and it is hard to find someone with both availability and years of service in the field.
In addition, small and medium businesses find it challenging to compensate these professionals appropriately. Most CISOs receive salaries between $380K and $420K per year, and Fortune 500 companies can pay over $1M, a price tag that is out of reach for smaller companies. CISO roles also have high turnover: an executive usually lasts anywhere from 18 to 26 months before burnout causes them to leave.
Why a vCISO instead of a Regular CISO
These challenges with the traditional CISO role have driven the emergence of the vCISO (virtual CISO) as a cost-effective alternative. Compared with an executive who works full-time for one company, a vCISO is generally remote, part-time, and outsourced. Their goals remain the same: align the organization's security program with regulatory and industry requirements such as SEC and FINRA rules, HIPAA, the NYDFS cybersecurity regulation, and the Payment Card Industry Data Security Standard (PCI DSS).
The main difference is that with a vCISO the organization still owns the risk; the burden is not placed on the shoulders of the vCISO. In that role, the individual helps the organization balance risk management against its risk appetite. As Paul said: "You're never going to reduce risk to zero." Instead, vCISOs help organizations put the right controls in place to manage their vulnerabilities.
For a vCISO, a primary responsibility is completing timely access reviews at whatever frequency has been established. Access reviews confirm that employees, vendors, affiliates, and other identities have the right level of access, and no more. For example, when an employee quits or is fired, their access to company systems and information should be revoked immediately so they can no longer reach sensitive data; an access review is the control that catches the accounts where that revocation was missed.
Typically, the vCISO delegates the reviews themselves to information security staff. Manual processes are a major hindrance here: many organizations build Excel spreadsheets of users and permissions and email them to each department head for approval. The result is errors and entitlements that get missed, and for some staff, maintaining that data by hand is a full-time job.
Many vCISOs are left wondering how to streamline and automate the process. "That's where YouAttest comes in," Paul said. With YouAttest, the review of user roles and permissions is automated, cutting the time it takes to verify who has access to what from weeks to hours. That visibility into access saves organizations time and money and reduces errors.
—
YouAttest is an automated identity audit tool for your identity and access control resources. Cloud based and simple to use, YouAttest provides a quantified platform for your identity audits with quick time to value and no overhead cost. vCISO Paul Horn will join YouAttest for the Oct 27th webinar titled "The vCISO and Identity Governance".