The Role of the Fractional CISO
I recently sat down to speak with Christopher Prewitt, the CTO of Inversion6, a cybersecurity risk management firm that’s close enough to where I live that we could meet for kosher pizza. The first question I asked had to do with the company’s name. Inversion6 had gone by MRK Technology for the previous 37 years, only recently changing its name to Inversion6.
What does Inversion6 represent? According to Prewitt, the new name reflects two ideas embodied by the business. First, inversion: As Prewitt sees things, the current cybersecurity environment amounts to an inverted world. Few things are the way they used to be. The perimeter is gone. People and digital assets are all over the place. Traditional countermeasures are nowhere near as effective as they used to be. If you want to be secure in this upside-down world, you need some fresh ideas.
The “6” in Inversion6 refers to a military term I had never heard of before, probably because I never served in the military. “Got your 6” means “I’ve got your back.” In the military, twelve-o-clock represents looking forward, straight ahead. Six-o-clock is behind you. Covering someone’s “6” means guarding their back. I’m glad he explained this to me, because I had immediately leapt to the conclusion that “got your 6” meant you were bringing the beer.
This explanation reminded me of watching the Gregory Peck classic World War II movie “Twelve-O-Clock High” for my organizational behavior class in business school. The movie told the story of brave airmen in the Eighth Air Force, risking their lives to bomb Germany while coming under heavy fire from fighter planes that approached from the front—at twelve-o-clock.
The movie also provided an excellent business case study in leadership, team building and the allocation of scarce resources. There’s a scene where Peck’s commanding officer explains that every squadron in the Army Air Corps is demanding more planes. There aren’t enough to go around, so Peck must demonstrate why his squadron deserves to have them. It’s a classic business dilemma. Every business unit wants capital and people, but the company only has so much to invest.
Leadership and the allocation of scarce resources are two critical success factors in cybersecurity. This is true for all businesses, but especially for smaller firms that cannot afford too many dedicated security team members.
Inversion6 addresses these needs through its fractional CISO service. Clients can avail themselves of a Chief Information Security Officer (CISO) who covers their account on a part time basis. They get the value of a CISO, but on a budget they can afford. Plus, they avoid the challenge of finding a CISO and hiring him or her.
Prewitt serves in this role for several of Inversion6’s clients. He is their guide in the inverted world of cybersecurity. One core part of the job is to work with business managers who may not be familiar with cyber risks. For example, as he explained, some C-level executives do not think their companies are targets of cyberattacks. “I run a manufacturing plant. Why would someone want to hack us?” is a point of view Prewitt frequently encounters.
“My job is to explain why yes, even a manufacturer is a target today,” Prewitt said. “A couple of issues are at play here. For one thing, many business stakeholders do not know that hacking is essentially an industry now, a collection of large, highly organized entities that are in the business of mounting cyber attacks. They will attack anyone who is vulnerable.” He went on to say that today’s hackers are looking to commit crimes of opportunity, such as ransomware attacks. In those cases, a manufacturer who didn’t think it was a target might find itself paying a ransom to get its operations going again.
This kind of dialogue is part of a bigger picture, however, which involves bringing tech and business stakeholders together to discuss cyber risk in business terms. “People from IT, security and business management often find themselves talking past each other. As a fractional CISO, I can be there to mediate the conversation and get everyone to understand the business impact of a security issue. I can facilitate discussions of business risk to tech people and tech risk to businesspeople.”
Out of this process, hopefully, come decisions about security that will make a difference in the client’s security posture. An effective dialogue on mitigating cyber risk can also help avoid what Prewitt refers to as the procurement trap.
He said, “A lot of corporate leadership teams are presented with a proposal to buy a certain cybersecurity solution. This may or may not be a good idea. Becoming more secure is about more than just buying the right tools. You have to have people and processes in place to implement those tools and turn them into effective countermeasures. A fractional CISO can get people to come together to understand these realities.”
The fractional CISO service is part of a broader outsourcing relationship Inversion6 has with its clients. Inversion6 can take care of 24/7 security monitoring, for example, a task that most companies cannot staff for. The company also helps tighten processes for tasks like locking accounts or quarantining infected devices. It all adds up to having the client’s “6” when it comes to cybersecurity.