Cybersecurity Q&A with Fractional CISO’s Founder & CEO Rob Black
Rob Black, CISSP, founder and CEO of Fractional CISO, LLC, believes that every company, regardless of its size, needs to pay attention to cybersecurity. We recently sat down with him to chat about his cybersecurity career, the trends he’s seeing, and his thoughts on how organizations can improve their cybersecurity.
Read the highlights of our interview below, and check out his webinar, “How AI Can Help or Hinder Your Organization's Cybersecurity Plan,” to hear his insights about cybersecurity and the rapidly growing trend of generative artificial intelligence (AI).
Q: How did you get your start in cybersecurity/tech?
RB: I got into tech in 1984 when I was just 10 years old! That’s when my family got our first computer, an Apple IIc, and I quickly became the head of IT for the Black family household. I graduated from college in 1996 with degrees in computer science and systems science and engineering.
I reached a crossroads in 2007 when I had two good job opportunities: to be a product manager for a speech-to-text product or a product manager of SecurID at RSA Security. Obviously, I chose security. I haven’t regretted this decision once. I had always liked security, and I knew that a security role would open up many more opportunities for the future. And I was right!
RB: In the mid-2010s, I saw that the cybersecurity leadership I was providing was needed by many midsize organizations. I had been working in the enterprise space, where it is easy for companies to hire a full-time cybersecurity leader. It is much harder for midsize organizations to do the same. I realized that everybody needs this and decided to use the “fractional” model to provide the service to many companies. This “aha!” moment is what led to me starting Fractional CISO.
RB: “Are we secure enough?” If you’re asking, the answer is probably: “No!”
There are many things every organization should do to build a complete picture of its security posture and risk profile. Cloud service providers such as AWS and Azure have Security Hub and Security Center, respectively, that provide a good overview of your cloud security configuration. You should conduct external vulnerability scanning of your product and network infrastructure. You should have a real penetration test conducted on your app. You should have a quantitative risk assessment done to put numbers—dollars and probabilities—to the cybersecurity risks your organization faces.
Your goal is to mitigate (through cyber controls), transfer (through cyber insurance), or avoid (by decommissioning at-risk assets) cybersecurity risks until your organization can comfortably accept what remains. That’s when you are secure enough.
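The answer above describes a quantitative approach: put a probability and a dollar impact on each risk, then mitigate, transfer, or avoid until what remains is acceptable. The following Python script, added here as an illustration and not code from Fractional CISO or the interview, models that loop with an annualized-loss-expectancy (ALE = annual probability × impact) register. Every risk, probability, dollar figure, premium and control cost in it is a constructed sample value; the treatment model (a mitigation scales probability and impact, insurance pays above a deductible up to a cap, avoidance removes the exposure) is a simplification chosen for the example, not a standard the interview cites.

```python
"""Quantitative cyber-risk register with annualized loss expectancy (ALE) and the
four treatments named in the interview: mitigate, transfer, avoid, accept.
Added example, not Fractional CISO's code; all figures are constructed samples."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    annual_probability: float  # chance the event occurs in a given year (0..1)
    impact_usd: float          # loss if it does occur

    def ale(self) -> float:
        """Annualized loss expectancy: probability x impact, in dollars per year."""
        return self.annual_probability * self.impact_usd


@dataclass
class Treatment:
    kind: str                        # "mitigate" | "transfer" | "avoid" | "accept"
    label: str = ""
    annual_cost_usd: float = 0.0     # control spend, insurance premium, or decommission cost
    probability_factor: float = 1.0  # mitigate: residual probability multiplier
    impact_factor: float = 1.0       # mitigate: residual impact multiplier
    coverage_usd: float = 0.0        # transfer: maximum insurance payout
    deductible_usd: float = 0.0      # transfer: loss retained before the policy pays


def residual_ale(risk: Risk, t: Treatment) -> float:
    """Expected annual loss that remains after applying the treatment."""
    if t.kind == "accept":
        return risk.ale()
    if t.kind == "avoid":            # asset decommissioned: the exposure is gone
        return 0.0
    if t.kind == "mitigate":
        return (risk.annual_probability * t.probability_factor
                * risk.impact_usd * t.impact_factor)
    if t.kind == "transfer":         # insurer pays above the deductible, up to the cap
        payout = max(0.0, min(risk.impact_usd - t.deductible_usd, t.coverage_usd))
        return risk.annual_probability * (risk.impact_usd - payout)
    raise ValueError(f"unknown treatment kind: {t.kind}")


def expected_annual_cost(risk: Risk, t: Treatment) -> float:
    """Residual expected loss plus what the treatment itself costs each year."""
    return residual_ale(risk, t) + t.annual_cost_usd


def choose_treatment(risk: Risk, options: list) -> Treatment:
    """Pick the option with the lowest expected annual cost."""
    return min(options, key=lambda t: expected_annual_cost(risk, t))


def secure_enough(register: list, appetite_usd: float) -> bool:
    """The interview's test: is the remaining risk within what the org can accept?"""
    return sum(residual_ale(r, t) for r, t in register) <= appetite_usd


def sample_assessment() -> dict:
    """Constructed register: three risks, each with candidate treatments."""
    candidates = [
        (Risk("ransomware on file servers", 0.10, 2_000_000), [
            Treatment("accept"),
            Treatment("mitigate", "EDR + offline backups", 60_000, 0.5, 0.3),
            Treatment("transfer", "cyber policy", 40_000,
                      coverage_usd=1_000_000, deductible_usd=100_000),
        ]),
        (Risk("legacy FTP server exposed to the internet", 0.30, 150_000), [
            Treatment("accept"),
            Treatment("avoid", "decommission the server", 5_000),
            Treatment("mitigate", "patch and IP-restrict", 20_000, 0.5, 1.0),
        ]),
        (Risk("compromise via a SaaS vendor", 0.20, 500_000), [
            Treatment("accept"),
            Treatment("mitigate", "vendor review program", 25_000, 0.5, 0.8),
            Treatment("transfer", "third-party cover", 15_000,
                      coverage_usd=300_000, deductible_usd=50_000),
        ]),
    ]
    register = [(risk, choose_treatment(risk, opts)) for risk, opts in candidates]
    return {
        "chosen": {risk.name: t.kind for risk, t in register},
        "gross_ale": sum(risk.ale() for risk, _ in register),
        "residual_ale": sum(residual_ale(risk, t) for risk, t in register),
        "register": register,
    }


if __name__ == "__main__":
    result = sample_assessment()
    for name, kind in result["chosen"].items():
        print(f"{name}: {kind}")
    print(f"gross ALE ${result['gross_ale']:,.0f} -> residual ${result['residual_ale']:,.0f}")
    print("secure enough at $100k appetite:", secure_enough(result["register"], 100_000))
```

With these sample numbers the ransomware risk is cheapest to mitigate, the legacy server is cheapest to avoid outright, and the vendor risk is cheapest to transfer; gross ALE of $345,000 drops to a residual of $70,000, which is within a $100,000 appetite but not a $50,000 one. The point of the exercise is the comparison, not the specific figures: once each option carries a dollar value, "are we secure enough" becomes a question the register can answer.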
Q: What is the most alarming statistic you have seen that should make people care more about the future of cybersecurity?
RB: We had our team review 116 of the leading technology services for cybersecurity incidents from early 2021 to early 2023. We found that over 56% of the cybersecurity incidents they reported in that period involved the supply chain, whether the reporting company was attacked via a vendor compromise or the company was attacked to get to one of its clients.
This statistic illustrates how important vendor management is to a great cybersecurity program. Even if your organization has strong internal cybersecurity practices, it can be brought down by a vendor that does not.
Q: How are you contributing to “demystifying” tech tools in your field?
RB: Every month, I publish two humorous one-minute videos on LinkedIn about some of the zany things going on in cybersecurity and tech. I love to spoof the silly hangups of certain security compliance standards, old or outdated cybersecurity practices, and the overzealous claims of some security vendors. This seems to have worked well, as I have a growing following on the platform. I always make sure to include some sort of educational lesson or tip within the videos so people can learn something new that they can apply to their own businesses.
Q: Have you seen any big shifts this year that show people are taking cybersecurity much more seriously?
RB: Unfortunately, no. From where I’m sitting, most organizations don’t seem to understand the true risk they face. Cyber threats are generally a bunch of low-probability, high-impact events, so most businesses feel like they are fine—until disaster strikes.
When organizations do decide to do something about their security, it’s often for business development purposes—their sales team is getting bogged down with cybersecurity questionnaires, they have clients asking for them to get a SOC 2 certification, and so on. In other words, it’s a compliance requirement or obligation.
A business’s decision to improve its cybersecurity posture rarely comes from an understanding of cyber risk and the desire to become more secure. When more businesses start building cybersecurity programs because they understand the existential threat cyberattacks pose, we will know they are taking cybersecurity more seriously.
Q: What inspires you most about working at your company today?
RB: Our clients and employees. I enjoy meeting with them. We’re part of a great team, helping to solve real problems that enable business success and help protect infrastructure. Our mission statement is, “Helping companies protect themselves for a safer world.” A secure company is not just protecting itself from data loss, it is protecting people—customers, employees, and other stakeholders.
I believe that secure companies contribute to the overall safety of our society, and I’m proud to be part of it.
Want to hear more of Rob’s insights? Check out his on-demand webinar, “How AI Can Help or Hinder Your Organization's Cybersecurity Plan.”