The Journey and Insights of a Successful Fractional CISO | Interview with Terry Ziemniak
Dejan Kosutic:Welcome to the Secure and Simple podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest to consultants, CISOs, and other cybersecurity professionals. Hello, I'm Dejan Kosutic, the CEO at Advisera and the host of the Secure and Simple podcast. Today, my guest is a very interesting person.
Dejan Kosutic:His name is Terry Ziemniak, and he's a fractional CISO at various companies and a partner at TechCXO in North Carolina, United States. Now, what makes him very interesting is that he has actually been working as a fractional CISO for more than a decade, so he has vast experience in this area. So in today's podcast, you'll learn what it really takes to become a successful CISO, and not only a CISO, but a fractional CISO. So welcome to the show, Terry.
Terry Ziemniak:Thank you, Dejan. Appreciate it.
Dejan Kosutic:So how did you actually get into this fractional CISO business?
Terry Ziemniak:Yeah, Dejan. So my journey... I didn't go directly into fractional. I went up the cybersecurity path in big companies and then transitioned. So my background kind of has three phases. First off was the more traditional cybersecurity.
Terry Ziemniak:So twenty, twenty-five years ago, out of college, very hands-on, bits and bytes sort of stuff. I was doing penetration testing, security architecture, you know, building big security solutions, doing assessments for big organizations, including the US military. So a lot of neat things back then. Again, very hands-on sort of work that I was doing, and I was working at a consulting company at the time. And one of the sales ladies came up and said, "Hey, security guys," because there were just a handful of us guys in the security pool.
Terry Ziemniak:"One of our clients is asking about HIPAA." And that's a US regulation around health care, cybersecurity, privacy, and some other stuff. But she was asking about compliance, and we were all just a bunch of techie guys, and no one had any idea what she or the customer was talking about. So I kind of sheepishly raised my hand. I'm like, I don't know.
Terry Ziemniak:I'll go figure it out. So I went and printed out the HIPAA regulations, and, man, it opened my eyes much more broadly to what cybersecurity really entails. So I grew up thinking it's a bits and bytes sort of thing. It's a technology issue, which it certainly is. But there's the regulatory, there's the compliance, there's the risk component to it.
Terry Ziemniak:So that led me to the second part of my career, Dan, which is as a chief information security officer of big organizations across the US, so, you know, multibillion-dollar organizations where I was their VP of cybersecurity. And that's really where I became more of a business guy that knows cyber, as opposed to a tech guy that knows cyber. And I think that was a big part of what makes me a good fractional. I can speak both languages at this point, techie and business. So the second part of my career was working in big organizations, and then I left my last full-time position at a large healthcare organization here in the United States.
Terry Ziemniak:I said, "You know what? I'm gonna go build a business around cybersecurity. Cybersecurity is cool. I'm gonna build a business." So I went out; there's a lot of entrepreneurial programs and support groups in the US to kind of help you build your business.
Terry Ziemniak:So I did all the business development, customer discovery, all this planning. Then I started going door to door with my business solution. I'm like, "Hey, I got a great business solution." The customer prospect would listen. And they said, kind of universally, "I don't like your idea, but I like you."
Terry Ziemniak:"I don't like your offering, I like you." And it just kind of occurred to me, the value isn't my business, it's me. So I just kind of stumbled into the fractional space. So I've got the experience with big companies. I know how to run cyber programs.
Terry Ziemniak:I know the technology as well. So I just kind of pivoted to realizing where the market was, that, again, I'm the value. So that's why I started doing fractional stuff, and that's what I've been doing for the past eight years. A big part of that, Dan, is as an independent, so maybe seven years as an independent guy. You know, going out, getting my own business, doing the work and whatnot.
Terry Ziemniak:And then about a year and a half ago, I joined a larger company, TechCXO, where I'm a partner, and it's just a partnership of other fractional executives. A whole lot of fractional CFOs, financial guys and gals. There's executive branch, there's operations, there's human resources, and there's some technology. So what that gives me is peers, so I'm not so much an independent person doing the work. It makes me part of a community and business to work with.
Dejan Kosutic:Great. This is a very interesting career. Now, why did you actually make this transition from, let's say, a more technical and hands-on CISO towards this business CISO? And why do you think it's better for our clients?
Terry Ziemniak:Well, I think there are two things I'm hearing there. One is, why did I do it? And B, why is it better for the client? So, I did it frankly because I just love learning new things. And back when I made that pivot, the technology was moving very quickly.
Terry Ziemniak:So when I started in cybersecurity, you could be good at a lot of things. And I was good at cybersecurity because, I was not great at anything, but I was good at a whole lot of things. Databases, writing code, servers, networking. I was good at a lot of things. Not great, necessarily.
Terry Ziemniak:But more recently, there's so much specialization. Are you a developer security person? Are you a network security person? Are you a compliance security person? There's a lot of specialization going on, as this just grew so quickly back in the early 2000s.
Terry Ziemniak:And it was just kind of a challenge. I was looking and trying to decide what I wanted to do with my career. And that's where the compliance part came up, and it gave me an opportunity that was interesting, as a whole new space for me. So that's why I personally made the pivot. Now, the value to the businesses as a fractional: from your business owner's perspective, there's a lot of people selling technical solutions. A lot of people sell firewalls.
Terry Ziemniak:A lot of people sell backup systems, antivirus, whatever the technical solution is in there. But really, I think what the business owner is missing is, what's the right level of security? Do I need a million-dollar firewall, or can I get a thousand-dollar firewall? Do I need to build my own in-house penetration department, or do I outsource penetration testing? So thinking through the risk component of cybersecurity is really, I think, the value that we can add, because, again, a lot of people can sell widgets and bits and bytes and technology and shiny tools.
Terry Ziemniak:But helping businesses understand and manage cyber risk, just like you manage finance and you manage your competitive risks. There are all sorts of business risks. Cyber is a business risk. I think that's a unique value that we can offer.
Dejan Kosutic:This is great because, I mean, I'm also on this kind of, let's say, angle where cybersecurity should actually help business goals. And while we are on this topic, how do you actually make sure that a security program really helps the business in the first place? So can you describe, or can you give some, let's say, examples of how you normally do it?
Terry Ziemniak:Well, maybe I'll tell you some counterexamples. If your cybersecurity plan doesn't account for business plans, you're doing it wrong. If you don't have visibility into the IT roadmap, you're doing it wrong. If you're not aware of potential mergers and business goals, and if you don't have relationships with HR and with the finance department, you're doing it wrong. Cyber is a business function.
Terry Ziemniak:Cyber is a business. So you have to go out and make those relationships and incorporate that into your roadmap and strategy, because cyber doesn't exist for itself. Cyber exists to support the business. You have to understand the business. And you also have to have those relationships, Dan.
Terry Ziemniak:If you don't have relationships with the right partners, you can't implement security anyway. If you have resistance and you don't align with what the rest of the business is doing, it's all gonna fail. So, you know, if you're positioning yourself as a fractional CISO and you're just a really fancy firewall guy, I don't think you're labeling yourself properly. The fancy firewall guys are really important, and they certainly add value, but they're not a CISO. They're not a security executive.
Terry Ziemniak:Right? And I think that's the thing: you gotta figure out your right spot. There's a lot of valuable security engineers out there who add value to the business, and it's a great job to be in. It's very lucrative as well. But if you're a technology person, not a business person, you really are not a CISO.
Dejan Kosutic:Yep. Yep. Okay. But very often these... let's say, because most CISOs are really technical guys, really. And how do you make this switch in your head when you're saying, okay, I'm not about, you know, ones and zeros anymore.
Dejan Kosutic:Now I'm about something more ambiguous, business. Right? How do you actually make this transition?
Terry Ziemniak:Well, for me, it was learning a lot about the business. So when I mentioned the middle of my career, I was working at big organizations as chief information security officer. I was intentional about learning the business. So in this case, I was in healthcare in the United States, working at large hospitals. So I went and I studied healthcare.
Terry Ziemniak:There is the American College of Healthcare Executives that has fellowship programs; it took me about a year and a half to study and pass this certification. So I was intentional about learning the business. Again, your CSO needs to know the business, or at least understand business, to make all the parts work, because, with all the outsourcing, a lot of this technical stuff can be outsourced. In many cases, it should be outsourced. But again, to align with business, you have to understand business.
Terry Ziemniak:To align with HR, you need to know what their issues are, what their concerns are, what their goals are, what their pain points are. Because a lot of security fails because the CISO, he or she, will put in solutions that butt up against the business.
Terry Ziemniak:You know, "We need to start doing multifactor, and everyone has to have an iPhone or an Android, or we're gonna do FIDO keys. We're gonna start deploying keys." Users hate keys. Those little FIDO keys for authentication. Everybody hates that.
Terry Ziemniak:If you're not well aligned with business before you introduce it, you're gonna have a riot on your hands.
Dejan Kosutic:Got it. Yeah.
Terry Ziemniak:So maybe that's part of it too, Dan, is the realization that when my projects through my career failed, they failed because of lack of business alignment. I learned that early in my career.
Terry Ziemniak:So the better you know business, the better you align and partner with business, the more successful you're gonna be.
Dejan Kosutic:Yeah. So this kind of business mind is actually a precondition of a good CSO. Right?
Terry Ziemniak:I would think so. Any executive, again, even your chief financial officer, your CFO, has to understand the business as well. Anyone in that executive suite is really responsible for understanding and pushing forward the organizational goals. You're not just a cyber guy, you're a business guy.
Dejan Kosutic:Mhmm. Okay. Great. Now let's switch gears and speak a little bit about the basics of a fractional CISO. Let's say most of our audience are not really familiar with the details. So how does this fractional CISO differ from, let's say, a full-time CISO?
Dejan Kosutic:How much time do you spend, let's say, per client as a fractional CISO? Is there a difference between a vCISO and a fractional CISO? So all these kinds of questions. Can you just give a little bit of background there?
Terry Ziemniak:just give a little bit of a background there? Yeah. Yeah. Happy to. So, you know, maybe one thing first we can throw up toss off the list is an interim.
Terry Ziemniak:So there there's interim gigs where maybe you work full time for a limited window. You had a full time CSO. He or she quit, and you got a gap to fill. That's a full time gap. That'd be an interim position.
Terry Ziemniak:So that that that's one kind of position. I I held that myself once early in my career as well. So there's the interim that's typically full time. It's gonna be on-site typically. You have the full time responsibility.
Terry Ziemniak:Don't make any big changes. You just keep steering the ship the way it's going, make sure things keep functioning, and that that really is your goal.
Terry Ziemniak:The virtual CISO, I'm seeing more and more buzz to that, but it's typically an IT service provider that wants to to present a service. You know, we already do your desktops, your servers, and your networks. We also offer virtual CISOs. So that may be like scripted solutions of, We will talk to you about business stuff. So it's almost add on services.
Terry Ziemniak:So, Hey, we do business continuity planning and we do compliance work. So it's just kind of more offerings and that's the virtual CISO as we see it here in The States. And again, typically it's going to be a technology company offering that sort of solution. Then you get to the fractional CISO. So in my mind, a fractional CISO has the skill set, the obligations, the accountability of a full time in house CISO, but they're only working one day a week.
Terry Ziemniak:So again, early in my career, I was working full time in these positions. I knew the budget. I met with a leadership team. I would interface with external parties. I would deal with internal parties.
Terry Ziemniak:I would work on roadblocks. I'd have road maps. I'd have staff that maybe I manage. So it's it's the full gambit of what you'd expect a full time CSO to do, but it may be one day a week, two day a week, maybe half a day a week, depending on the size of the organization.
Dejan Kosutic:Okay. And does this involve you being physically present in the company, or are you doing this remotely? How does this work?
Terry Ziemniak:It's almost always remote. So in the eight years I've been doing it, the only time I had to go on-site was that interim gig. So I did, yeah, an interim role. They wanted me full time. Most of my fractionals, I have not met face to face.
Terry Ziemniak:But also keep in mind, most of my clients are smaller, and a lot of them, like... I have data analytics companies, health care integration companies. A lot of them are virtual companies. A lot of, like, even the employees haven't seen each other face to face. So it kind of mirrors how the organization works.
Dejan Kosutic:Okay. So if I understood well, you're working with, let's say, three or four clients at the same time. And how do you actually manage priorities? Let's say that two of your clients have, let's say, some kind of crisis at the same time. How do you then balance these things?
Terry Ziemniak:It's difficult. I've played with that through the years, and I don't have a great solution. But what I've learned is, I block hours. So every Monday from eight to noon, I work on client one. So I block my calendar for about seventy-five percent of the work.
Terry Ziemniak:So if I'm working ten hours a week with a client, I'll block seven and a half hours and leave two and a half for float time.
Terry Ziemniak:So float time is... you get a phone call or an email, and that way you can answer it. So block where you can and then leave the float time, is how I do it. I also learned to be very intentional, Dan, on isolating my clients.
Dejan Kosutic:Okay.
Terry Ziemniak:I have individual notebooks right here for each of my clients. You know, I have separate repositories for all of it. I'm very intentional about splitting the two, because you don't want to send client one an email from client two's email account. It doesn't look good, so I keep all of it separate.
Dejan Kosutic:Okay. Understood. And I assume that as part of this CISO role, you also have some, let's say, responsibilities as their, let's say, permanent member of the team, if I may say so. Now, how do you actually enforce this authority, if you're only part-time there and if you are really remote? I mean, how do they actually accept you as a full member of the team?
Terry Ziemniak:Yeah. Well, that's true. That is a problem. I had one client where I had a big issue like that, and it ended up not working out between the two of us because we could not get that result. In that one, the lesson learned for me is I didn't have the right leadership support.
Terry Ziemniak:So I was brought in under one vice president. Things were going fine. He left, and then they transferred me to a different vice president, and she didn't support the project at all. So I didn't have any backing, and it was constant fights, and things weren't getting done. And we just kind of had a conversation, and we called it quits.
Terry Ziemniak:So to make it work... there's other fractional... this is not a new concept. Fractional leadership is out there. But if you don't have the support of the leadership team and visibility with the leadership team, it's not gonna work. One of the things that I always do early on is I build a security steering committee, where I make sure I get in front of the president of the company every quarter.
Terry Ziemniak:And that sort of visibility and relationship, so I can leverage that person to make it work correctly. Yeah, if you don't have the support, it's gonna fail. But just like any other role, even when you're full time, if you don't actively present yourself as a leader, if you don't build the relationship with the other leaders, if you don't communicate so the organization knows who you are, you're gonna fail regardless of whether you're fractional or full time. So it really is kind of the same concept. It truly is a little bit harder, but, you know, if the finance executive knows me and the HR executive knows me and the other executives know who I am, it gets easier. So just like full time, you gotta force the visibility. You gotta force the relationships.
Dejan Kosutic:Yeah. Especially if you're speaking a business language, then this communication is easier. Yeah. Okay.
Dejan Kosutic:I've read somewhere that you've said that this security leadership is really about educating stakeholders. Right? So how do you normally do it? How do you really preach about security?
Terry Ziemniak:Well, the reason communication is important is because, back to my earlier statements, cyber is a business risk, and you gotta manage it. This is not a true technical problem. You need technology to address the gaps, but these are not technology issues. You need... if you're trying to have a conversation with leadership about cyber risk management as it applies to compliance, and they don't know cyber, they don't know threats,
Terry Ziemniak:they don't know compliance, they don't know how it affects us, they don't know what their prospects are asking. If the leadership isn't educated on the situation more broadly, you can't have a meaningful conversation. And, again, that would apply really to any abstract concept.
Terry Ziemniak:Again, the finance person talking about financial risk. If the leadership team is not up to date on the context of financial risk, you're gonna have a bad conversation. So I mentioned my steering committees. My steering committees always start with education. Every meeting, because, again, I'm kind of forcing them to sit with me.
Terry Ziemniak:We'll spend ten minutes talking about, I don't know, the OWASP top 20. We will talk about the Verizon data breach report. So it was always something that we can talk about to get them thinking about cybersecurity. When I have other committees or groups, like... most of my clients have policy groups, or perhaps we do a cyber incident management group. Those always include education.
Dejan Kosutic:Mhmm.
Terry Ziemniak:When I have one-on-ones with leadership. So you just gotta find ways to do it, because leaders are busy. The CEO doesn't wanna spend time on cyber, because that's why they hire you. But you gotta make a point to slow-feed this, A, to get him or her thinking about security, but also to reinforce that you are the expert. You know? "Hey, Terry knows this. Terry brought it to me."
Terry Ziemniak:"It applies to our business." That adds value, and I gain a little more credibility. I have more credibility. Maybe the boss knows a little more about cyber, but it's intentional, and you gotta be consistently slow-dripping security so you can have meaningful conversations.
Dejan Kosutic:Okay. Okay. I understand that you are kind of speaking about cybersecurity whenever you meet them one-on-one or in these groups. But, I mean, let's say the steering committee is, what, once a quarter, and you can maybe educate them for ten minutes or twenty. But it seems like it's not enough.
Dejan Kosutic:Right? How do you actually educate them enough? Do you use some other channels, so to say?
Terry Ziemniak:Well, you know, honestly, even when I was a full-time CISO, I didn't get any more time than that with executives. Again, these are the same problems that full-time CISOs have; the fractionals have the same problem. How do you change the culture? How do you educate leadership? They're not gonna give you hours a day to talk about cybersecurity, because the business has other things to do.
Terry Ziemniak:So you gotta find ways, and you're not trying to make the CEO an expert in cybersecurity. You want him or her just to be aware that there's problems, things are happening, and Terry is an authority in that space. So... other things that I've done, Dan, is at some big companies I started doing monthly email blasts to leadership teams. So you start meeting the leaders, and you call it... I actually called it, I don't know, Cyber for Business Leaders. And I would put in a link to maybe a Wall Street Journal article, an interesting article, and then I'd write two bullet points.
Terry Ziemniak:"This is what it means for us. We, as a health care organization, da da da." Whatever it may be. So just simple things like that, that, again, slow trickles, small bites, getting them thinking about cybersecurity. So, again, face to face, committee meetings.
Terry Ziemniak:And, again, I would even do leadership-focused, very simple newsletters. But you're not gonna get much time. And that's just the reality of any position. So you gotta recognize what it is, work with what you can. But that being said, you will find some cyber-aligned leaders. So maybe the CEO is too busy and doesn't really care about cyber, but maybe your CFO does, and you build a stronger relationship with the CFO.
Terry Ziemniak:So there are other leaders you can work with and pull into your camp. So those that are responsive, you strengthen those relationships even more than others. But again, this is not a fractional issue. This is an executive...
Dejan Kosutic:Understood.
Dejan Kosutic:And who do you normally find the most, let's say, receptive to cyber in a company? I mean, from the senior management, is this really the CFO, or the CTO, or maybe the CIO? Who do you normally find to be the best friend of cybersecurity?
Terry Ziemniak:The CTO and CIO definitely are number one. The CFO potentially could be one. In big organizations, actually, when I was a CSO, I reported in one organization up to the chief legal officer. So I was cybersecurity. I didn't report to IT.
Terry Ziemniak:I reported to legal. So in an organization, legal and risk are all in the same bucket. So your risk and legal person's always a good partner. They will always advocate, but not many companies have that. That's the really big companies that will have kind of dedicated groups like that.
Terry Ziemniak:And, again, sometimes the CEOs, sometimes the sales folks, so those that interact with prospects. And the reason that's important is because what we're seeing in the United States here in particular, small companies are having trouble signing contracts with the big companies, because the big companies say, "You are a risk to me." So that's called third-party risk. Before the big guy buys from a small guy, there is a cybersecurity assessment. That assessment, I've seen it block contracts.
Terry Ziemniak:So helping the salesman, the saleswoman, understand what the prospects are asking for. Help them build a cybersecurity story. Maybe you have a roadmap. "Hey, salesperson, understand: here's the security program, and here's where we're going."
Terry Ziemniak:And that's where you may wanna talk about compliance, help the sales guy have good conversations with prospects, talking about GDPR. In the United States, it may be SOC 2. It could be ISO, whatever it may be. But strengthen the salesperson's ability to talk to the prospects, because they can lead with cybersecurity, and that may be a differentiator.
Dejan Kosutic:Great, great. So finding, let's say, cybersecurity use cases actually makes you friends within the senior management. Right?
Terry Ziemniak:Absolutely. You gotta remember, cyber doesn't exist for itself. Cyber is there to protect the business. So you gotta go find those ways to make cyber more and more important.
Dejan Kosutic:Yeah. Great. I also read that you're a proponent of well-written security policies. So in your opinion, what is a good security policy? I mean, how do you write a good one?
Terry Ziemniak:I never appreciated policies early in my career, because I was the technical guy, in bits and bytes. And policies were just a document you sort of had. As I've gone along in my career, I've realized that a well-written policy enables the business. If I write a good policy, the DevOps person knows the guardrail. The DevOps person knows he can go as fast as possible in this lane.
Terry Ziemniak:But if he goes outside the lane, call Terry.
Dejan Kosutic:Mhmm.
Terry Ziemniak:You clarify responsibilities. You have measurements. You can't really have metrics or KPIs unless you have, you know, your controls and your policy in place.
Terry Ziemniak:So having clarity on what needs to get done and who does it allows you to pull out metrics, and you need those metrics to talk to leadership. Your red, yellow, green charts don't work if you don't have the right metrics defined. So, yeah, I appreciate a well-written policy, but I also realize nobody reads them. There's only two people in the company that read cybersecurity policies, and that's okay. But by making sure they're well written, making sure the right person's accountable.
Terry Ziemniak:So, "Hey, finance person, you're responsible for credit card compliance. I'm going to help you write the policy, but you're responsible to make sure it happens." HR has to do maybe training. "Hey, here's your policy. We've written it together."
Terry Ziemniak:"You're responsible." So it kind of helps also delegate the right responsibility. We have clarity. We have understanding. We can measure success.
Terry Ziemniak:All that's built into the policy. It's agreed-upon rules. The other big thing I mentioned before is empowerment. Things go faster if you have well-written policies and standards and procedures. Things can go quicker because you have approved lanes that things can go really fast in.
Dejan Kosutic:Yep. Yep. And do you prefer, let's say, shorter policies or longer ones that are more prescriptive? What is your preference?
Terry Ziemniak:I think short. Well, I tell my clients that it's generally an iterative process. So if they have no policies at all, and they need to meet GDPR or the American HIPAA regulations, write policies that cover the basics. Because if you don't currently have a well-defined termination process... you can't write all your policies and procedures all at the same time. It's just too much. So we do it iteratively.
Terry Ziemniak:We write, we have the statements of what we're doing. Then maybe we make a second pass through. And now that we're doing terminations, we can document correctly. So for me, iterative to build them, maybe two or three passes. Then it's an annual review every year.
Terry Ziemniak:Has anything changed? Do we agree on the measurements? Do we agree on the ownership? Are there any concerns? When you do your annual risk assessment, you go through the policies.
Terry Ziemniak:"Hey, we just realized we don't have a backup person for, I don't know, training exercises." So it helps with your risk management as well. So, no, you don't want a big one, because, again, it's just too much. It's hard to read through.
Terry Ziemniak:You should be able to articulate your core concepts. And maybe a derivative of that, Dan, is you've got your policy statements of what you're doing. Don't forget you need your controls. So "we encrypt medical data" is your policy. Your control says the CTO is responsible for ensuring encryption on your AWS buckets tagged with medical data, whatever it may be.
Terry Ziemniak:So your policies, and then you can get your controls, and then you can be very clear: "Hey, CTO, here's your control. You're responsible for it." So, again, it also helps assign the responsibility, and everyone has clarity if you do it well.
Dejan Kosutic:Okay. Let's speak a little bit about market opportunities for this kind of service. So what would you say? What are the, let's say, types of companies that would be the best targets for a fractional CISO service? I mean, in terms of industries or size of the company.
Dejan Kosutic:So what would you say? Who would, let's say, go for this kind of service?
Terry Ziemniak:Well, you know, I think nowadays pretty much every company is a data company. We all have data we're collecting. So there's not many companies that don't need a CISO. Now, that being said, some companies may have very little work to be done. So if you outsource email, if you outsource some SaaS solution, if you don't really build anything and you're just leveraging stuff in the cloud, you still need a CSO, or someone, to say, is your cloud properly secured?
Terry Ziemniak:Is your email properly secured? Do we understand our regulatory obligations? Do we train properly? Is our... oh, cyber insurance. We didn't talk about that, Dan.
Terry Ziemniak:Cyber insurance, if you don't do that correctly, you know, there have been cases in the United States where people with insurance have been breached, but the insurer says, "You did not meet the obligations of the policy. We're not gonna pay you." So, yeah, everybody really has a need. Some can be very small, some may be very large, but really everyone needs it.
Dejan Kosutic:So it's a huge market potential because I know a lot of consultants are actually thinking about switching to a CISO service. And what would you say how should actually a consultant, let's say, with considerable experience in, let's say, I don't know, some kind of cybersecurity technology or let's say on the compliance side, more on the governance side. So how should a consultant, let's say, switch to CISO offering in the market.
Terry Ziemniak:That's tough because, you know, a lot of fractionals, frankly, they fail. Not just CISOs, fractional marketing and fractional... a lot of the fractional looks easy, but it's a lot of work. And I'm in some fractional kind of support groups where we help each other. We talk about the problems, and a lot of us are facing the same problem.
Terry Ziemniak:Unless you're a fractional marketing officer, pretty much no one else knows how to sell. The fractional finance person, the fractional HR person, the fractional technology person, and the fractional security person. We don't know how to sell. It's just something we haven't done through our career. So you gotta understand business development is hard.
Terry Ziemniak:It takes a lot of work. So Yep. You know, realize you have to be patient, and it takes a long time to get going there. If you're lucky, maybe one way to take it, I've talked to other folks, one suggestion I had for them is you can consult for consulting companies. There's a lot of consulting companies out there, and maybe you can be a subcontractor for them while you build your business out.
Terry Ziemniak:So if there's IT services companies out there, they may be hiring CISO consultants. So that will be a great place to start because they do the business development for you, they sell for you. You're gonna make less money, but you've got the structure, you've got a little safety working for another company where they'll do the biz dev, and then it'll give you a year or two to kind of ramp up and learn what you wanna do.
Dejan Kosutic:Mhmm. This is a very interesting, yeah, a way to penetrate the market, yeah, through other consultants. Do you find some other channels, let's say, good for promoting this kind of business?
Terry Ziemniak:Okay. I'll tell you, I found bad channels. I haven't found a lot of good ones. I found ones that don't work. So I've been doing this for about eight years, and I actually look back over the eight years of where my clients have come from.
Terry Ziemniak:Honestly, the majority is just networking, knowing people. I've had maybe a small percent, you know, hears me on a podcast or maybe finds me on LinkedIn, but nearly all of them come from someone who knows someone who knows me. So in my mind, I just keep up that visibility within the people that know me. Hey. Don't forget Terry's doing this. Hey.
Terry Ziemniak:Don't forget Terry's doing that. So it's the outreach, which typically is LinkedIn. Now there's other ways to do it. If you're a marketing person, maybe you've got cold outreach, maybe that'll work. Cold calls may work.
Terry Ziemniak:But yes, the business development's really hard. I think there's two kind of clear models, working with your network or maybe your extended network. And then the second model is cold calling and outreach. And that may be, again, with the people that work, use tools like Dripify. You'll find a thousand people on LinkedIn you want with Sales Navigator.
Terry Ziemniak:Use Dripify to send them messages on LinkedIn.
Terry Ziemniak:Yeah. Once they connect, you gotta start chatting on LinkedIn. Then you gotta say, hey. This is what I offer, and then you have the conversation. So it's either build on what you know or else maybe a combination, but it isn't easy.
Terry Ziemniak:And that may be something you may wanna outsource, that business development function. I tried that a little bit. It worked in some cases, didn't work in others, but I tell you, all fractionals struggle with business development. The good news is there's a lot of fractional groups out there. Again, everyone wants to be in fractional.
Terry Ziemniak:So if you're someone who wants to be a fractional CISO, you may wanna join other fractional groups because, again, they're dealing with business development problems, and maybe that's a good networking group for you too.
Dejan Kosutic:Yeah. Great. Makes sense. Yeah. And I think definitely, as you mentioned, you know, these kind of podcasts and, I don't know, blog posts or webinars, I think this kind of raising a profile and, let's say, brand, a personal brand of a CISO certainly helps with prospecting and finding leads.
Dejan Kosutic:Okay. And do you think that there is, let's say, a difference in the market between, let's say, the US and Europe, especially in Europe because you have these regulations like NIS 2, like DORA? So is there any significant difference between these two markets?
Terry Ziemniak:I'm not sure about the markets. So I have had a couple of international clients through the years. Again, just standard business culture, European culture is different from the US. I had a client in Israel, their culture was significantly different. So, again, that's rolling out a fractional thing, it's just a business thing.
Terry Ziemniak:But again, the message is the same across all of them. You've got to understand how secure you have to be. In the United States, that's asking about regulations like HIPAA and CMMC and all the letters we have here in the United States. In Europe, you just have a different set of letters. You've got GDPR and the EU AI Act and whatever it may be.
Terry Ziemniak:But conceptually, management is the same thing. Where's the business? Where does the business need to be? And then how do we get them there and how quickly? So I don't... the solutions don't change significantly.
Terry Ziemniak:Now how the market functions, again, I wouldn't know the answer to it, but the functioning and the relationships of contractors, subcontractor, direct contractor, all that may be different. You know, what works in the United States may not work someplace else. But even in the United States, working for the government as a contractor is significantly different than working for a large organization. Working for a large organization is significantly different than a small organization, which is significantly different from a founder startup entrepreneur situation. So even in the US, there are differences, but great point, Dan.
Terry Ziemniak:Be aware of that and understand how those sorts of relationships work.
Dejan Kosutic:Yeah. Yeah. I personally don't think that there is a big difference between these two markets. Although there is, I would say, a growing market for fractional because of NIS 2. Right?
Dejan Kosutic:NIS 2 basically forces each and every critical infrastructure company to have a CISO, whereas most of them do not. Right? And most of them will outsource this. So it's basically one thing that is going on right now in Europe. Okay.
Dejan Kosutic:Now you're involved with AI or in particular with AI governance. Right? I think you're running a project and your master's thesis is also on AI, or did I get this right?
Terry Ziemniak:Yeah. Actually, yeah. My master's project, boy, about ten years ago, what I did is I took the transaction logs from a large medical application. So there's like a 16 hospital system, thousands of doctors all in the system, you know, looking at Dan's record, logging in, logging out. Nurse Terry comes in. He logs in.
Terry Ziemniak:So they took all that information, threw it in a dataset, and used machine learning on top of it. And what I was able to find is that doctor Dan does not work like all the other doctors. So if you're an outlier and you act different, mathematically modeling, if you're different from your peers, you'll stick out.
Terry Ziemniak:Nurse Terry acts like a pharmacist. So it would model the expected behavior on role, and then if your role didn't match, it would call you out. So it found some very interesting activity that it would not have otherwise seen.
Dejan Kosutic:Wow. And that was ten years ago. Right? It was a pretty advanced, I would say, use back then. So congratulations.
Dejan Kosutic:Now what do you think nowadays? I mean, with this whole advancement in AI, what is kind of the overlap between cybersecurity governance and AI governance? Where is this, let's say, common thing and where they are different?
Terry Ziemniak:Yeah. So there's a lot of commonality. And actually, when I build my security programs at companies, I don't call it a security program. I call it data protection program intentionally. Because small companies typically don't have well, they don't have a security person, but they don't have a privacy person.
Terry Ziemniak:They don't have a governance person. They don't have a data person. So I build a structure to help them deal with all those with the same structure and committee, and I can lead them through all that. There's a lot of similarity, AI governance and security, in that the controls are very, very similar. There's a big overlap of controls.
Terry Ziemniak:So when you're building an in house AI solution, you're worried about access controls and availability and protecting the data, malicious software, data leaks, all that sort of stuff in the cyber space is also there in the AI space. There are some unique challenges, some unique controls that you'll probably flesh out when you build your AI governance program. Example, in particular, how do you protect your learning data? How to manage the privacy of that learning data is a unique concept. Change management and model change management is unique because models more or less change on the fly as they learn and adapt.
Terry Ziemniak:So, there's a lot of overlap with a little bit of uniqueness. But if you have a well thought out security program, and you're already dealing with data, you could incorporate AI governance in there because there's a whole lot of overlap is what I found. Mhmm. Additionally, in these risk concepts, you have to deal with risk of in house AI as well as outsourced AI. So even if you're not building your own AI, a lot of companies, well, maybe or maybe not, everyone's buying AI.
Terry Ziemniak:So Microsoft Copilot, your ChatGPTs, if you're using Salesforce, which is a big cloud solution here, AI is everywhere. But if you have, as a client, signed a contract to use Microsoft Copilot, do you understand the risk that that poses to you? You know, just like everything else, where's the data? What happens with the data when we end our relationship? You know, is there bias built into it?
Terry Ziemniak:Transparency. So the risk concepts that you flesh out with your AI governance, be mindful that there's an outsourced component of it as well as in house. There'll be a good deal of overlap, but don't forget there's two paths you have to manage.
Dejan Kosutic:Do you think that, let's say, in future, security op... I mean, the CISOs will also be in charge of AI governance. I mean, some companies are already merging, you know, the privacy officers and security officers. So do you think that the same thing will happen with AI governance? I mean, the responsibility for AI and for cyber?
Terry Ziemniak:I think it depends on the company. If it were a big enough company that had a lot of officers, I think it'd be more appropriate to put it under the data officer. So you got some person responsible for all the data the organization's accruing and using and managing and protecting. So I think AI and data, those two mirror very well. If you don't have a data officer, I think AI and security would then maybe be a secondary fit because, again, the controls are very similar.
Terry Ziemniak:There's a lot of technology involved. So I think that would be a good number two. But I think data governance is even more closely aligned with AI governance.
Dejan Kosutic:So it's also, I would say, an opportunity for consultants, right?
Terry Ziemniak:Absolutely. I was talking to someone very recently, actually, just earlier today, and they're a consulting group, and they do data migrations. So they work with US utilities, and they help migrate data and kind of do that work. And he said, hey. We're struggling coming up with an offering, with something we can productize.
Terry Ziemniak:You know? What can we sell? What thing is there that we can discuss? I said, you're already doing data migration, you're not far off data governance. Like, can you not do an AI data governance readiness assessment?
Terry Ziemniak:So you're thinking about AI, where's your data? How well managed is it? What's the true source of information, where does it come from, where does it go, what regulations govern it, all that stuff. So yeah, there's a lot of opportunity in data, as well as AI, as well as security. So the good news is there's a lot of opportunity for all of us out there. You just got to figure out how to position yourself and go get it. Absolutely.
Dejan Kosutic:And so, do you think that this, let's say, function of CISO will evolve in the next, let's say, five, maybe ten years?
Terry Ziemniak:I see it migrating again more and more away from technology and more and more as a business position. The way I described it to a client a while ago is you've got technology, and technology is important to help protect stuff. But you need an umbrella on top of the whole thing that protects your business. You're not protecting technology. You're protecting your business.
Terry Ziemniak:So your CISO should be talking about business resiliency and contracts and regulations. And by the way, technology as well, but there's a much broader view the CISO has to have. So when I started my career, the security lead always reported to the CIO. Now more and more, I'm seeing it outside. And then what there is conversely is there's a technical security lead that has a dotted line from IT up to security.
Terry Ziemniak:So put security on the top of the umbrella and then put a dotted line down to the technical security lead who's part of the IT organization.
Dejan Kosutic:Yeah. It's very interesting. So let's wrap up the call. And what would be your, let's say, main suggestions for aspiring fractional CISOs?
Terry Ziemniak:Well, one would be, I guess, just get started. You know, don't overthink it. It's out there and there's a lot of business. Find other fractionals to network with. Don't do this on your own.
Terry Ziemniak:There's a lot of online groups out there. And even if you're networking with fractional CFOs and CMOs and COOs, you're gonna have the same problems all the other fractionals have. So get a network to work with and listen to. Experiment. You try things, and it's okay if it failed, but, you know, experiment with LinkedIn and experiment with podcasts and experiment with products.
Terry Ziemniak:Subcontracting is a great way to get rolling quickly. You know, again, I think people are looking for contractors in the skill set. Differentiate yourself somehow. So it's okay to be the technical CISO if that's what you wanna be, but position yourself as that. A business CISO may be a different way to present that. And, you know, not all companies need the same CISO, so maybe a company needs a technical CISO, and that's all they need.
Terry Ziemniak:So realizing your voice early on, take any gig you can get. That's what I... So they listen to some of the fractional consulting groups. They say, be selective and know your voice and know what you're going for. That's easy to do when you have a lot of work. When you're getting started, you may not feel like a CISO, but maybe you need to do policy work or maybe you need to do testing work or whatever.
Terry Ziemniak:Just get going, get rolling, get the experience.
Dejan Kosutic:Great. Thanks for this insight. I really learned a lot today and it's been a pleasure talking to you, Terry.
Terry Ziemniak:Yeah. Thanks, Dejan. It's been a pleasure.
Dejan Kosutic:Thanks again. And thank you everyone for listening or watching this podcast and see you again in two weeks time in the new episode of Secure and Simple podcast. Thanks for making it this far in today's episode of Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On Advisera website, you can check out various tools that can help your business.
Dejan Kosutic:Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients. The white label documentation toolkits for NIS 2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to clients. And a learning management system called Company Training Academy with numerous videos for NIS 2, DORA, ISO 27001 and other frameworks enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information.
Dejan Kosutic:If you like this podcast, please give it a thumbs up; it helps us with better ranking, and I would also appreciate it if you share it with your colleagues. That's it for today. Stay safe.
