
CyLumena Details Virtual CISO Service


Chris Hart and Michael Pokas from CyLumena stop by TechVibe Radio to talk about its Virtual CISO service.

They answer some questions:

  1. What is the definition of a vCISO or vCISO services? 
  2. What are the roles and responsibilities of a vCISO?
  3. What are some of the scenarios where an organization would find themselves utilizing a vCISO?
  4. What are some of the advantages/benefits of using a vCISO or vCISO services? 
  5. What is the typical size of a company that would hire a vCISO?


So glad you're spending your Wednesday night here with us on TechVibe Radio. This is Jonathan Kersting. And this is Audrey Russo.

And Audrey, we got some good people hanging out with us today, one of the coolest companies in Pittsburgh, Cylumena. These guys spun out from SDLC. I was pretty pumped because I like seeing companies being spun out to solve tough challenges, especially cybersecurity stuff. And these guys are tops in their game out of doubt. We've got Chris Hart hanging out with us and Mike Pokas. Guys, thanks for being with us today. I really do appreciate it.

No problem. Really. Start with your backgrounds real quick. We always like to know who we're talking to. So Mike, quick, what's your background and what you do with Cylumena?

Ah, so my background, I've been in cybersecurity for about 15 years, and I've been in this business longer than I will admit. For the last years I've served in a lot of different roles as far as a security consultant, a virtual CISO, CISO, COO and a lot of different things. And so I came over to Cylumena recently, about a year ago, I've been part of the company and they called me from DC. So Chris, what's your background in what you do selling? Sure, I've been in cyber for since long before it was even called cyber, for almost 20 years.

I'm sorry. Either information asset protection, data protection, even even risk recovery back in the old old days.

Wow. I like cybersecurity better. It's a better term.

It's much catchy. It's absolutely much better. I've spent the last probably 14-15 years as a CISO, most previously with Thermo Fisher Scientific, going all the way back to my satellite days with us. That was the CISO and security architect for the product offering. So yeah, that's a little about me, and give us the pitch for Cylumena because I think you guys have a very unique surface, that's for sure.

We're a cybersecurity firm located right here in Pittsburgh. We've got a number of offerings and one of our marquee offerings is absolutely a CISO as a service or virtual system. But what we do is it not only helps the community when they need a CISO, but maybe not full time, you know, you take a look at the average midsize company or small company and they really don't need another executive drawn paycheck to get what a Master 10% of needed advice. That's when we come in, you know, we can provide that economy of scale to provide that high level talent, but added at a much more marked pace. It doesn't have to be a full time arrangement. In fact, it rarely is. So that's really where we come in. It provides not only that service, but also what we're finding is that as we provide the software as a service, you know, offerings to the community. But we get back is also a more refined perspective on where the market is in Pittsburgh, as well as what these mid and small companies need. As you know, we focus on the mid, you know, small and mid sized market. We feel it's tremendously underserved. And the more of these systems as a service engagements where we come in and do anything from contract negotiations with security vendors to build out operations platforms or even help remediate some audit deficiencies that recently came in, we come in, we help you navigate those things. It gives us that what is important to the small business to the midsize business feel that I think you really miss out when you deal only with enterprise.

So if we jump to Mike, talk about what services like give us, give us some really good examples so that people who are listening That's really probably your sweet spot. Well, I understand the value.

Okay. So you know, there's a very simple definition of what a virtual CISO does is it's a service designed to make top tier security experts available to organizations who need security expertise and guidance. Why virtual CISO is an attractive option for a lot of people is because you get top tier security experts, organizations who don't maybe can't afford a full time internal CISO. So they can have all different levels. And I've proved as a virtual CFO and in a full time engagement, and then as low as is 12 to 14 hours a month just helping to be the on demand as an expert on demand. So it virtually scan across all sized companies, all organizations. Here's a couple advantages of being a first a virtual assistant one virtual assistant can come in and they can play the same role and perform the same functions as a CFO does today. But they can do it at a cost effective model. It's not time necessarily if they can form That. Also you're gonna think, virtual CISO's coming in with no personal agenda. We're vendor neutral, we do what's best for the organization we come into work with, right? We make decisions based objectively on what's best for that organization. We also provide expertise and advice on demand when you need it, they can call me when they need to call me and that they don't need to talk to me for a couple weeks they don't need. So it is very scalable. You take advantage of our accumulated experience. You know, Chris and I have both been doing this a long time. I've been in a number of different industry verticals and a number of different situations. I also have a lot of delicious with vendors, security, this industry contract business owner. So if a particular problem comes up a virtual CISO that's not just limited to one company, I can tap into all my industry contacts and come back with some really good answers for people that those are just some of the advantages.

That's a really great point. I mean, I think that was pays for itself to sit in your connections alone and being able to solve a problem quickly and cost effectively, I think is enough to where it's like why would you not Do this, it seems like a perfectly sane thing to do.

So, how some for many mid sized companies or smaller companies, where your services still would be needed? They might use managed service providers. How do you work with managed service providers? Can you talk about that? Because I think people will get confused. They'll think that their managed service providers really operates in a way that a system might and that's very different.

Okay, do you want me to answer that one? Yeah, go ahead. Okay, so my past we, we just saw that so we are virtual CFO, convenient, divisible, like I said that does advice on demand, but also a lot of my engagements, I also own the managed services side of the house, remove vulnerability manager managed services, and that includes internal managed services and also third party, again, as a person with no personal agenda and being vendor neutral, won't pick the best third party that's best for that organization. And we can manage that manage service just as well as if they were our own company. So it's very much an advantage for virtual CISO to be experienced and has experience with managing projects because a lot of times, a company will sign us up just specifically to manage the managed service providers or manage specific projects. I've had engagements where all they wanted me to do is make sure we set up a good vulnerability management system and made sure it ran.

That's really, that's good to think about. That's good to know you. And you could also would you ever provide a service for people thinking about managed service providers from taking it in house to out of house and working with them and helping them through that process? Because I think what you're providing is a lens that most people aren't thinking about.

Yeah, as an organization grows, the needs change and part of the solution So ostensibly is a leader. It's a cyber leader with the organization and we would act as if things need to be in sourced absolutely we can help articulate the analysis necessary to see if that is the right approach, or continue to outsource or in most cases, what ends up being a hybridized mob. So absolutely, it gives one throat to choke ours, we can be as hands on or as hands off with those other managed services as the customer dictates. So yeah, it provides that seamless visibility into and again, don't forget when I mentioned that when you're a virtual CISO, your next you consider yourself and you want to be considered an extension of that organization's management team and when I need to perform the same services as an internal CISO some of that would be going out and doing evaluations on tools and third party vendors and third party managed services and coming back with recommendations. That's a big part of what we would do.

Well, I would imagine also people listening and they have startup companies that have taken venture capital, that the assurance of having someone in your kind of capability that virtual and has a contract and as part of the team, as an investor, I would be happy to hear that. Because I know public boards are requiring that now. So totally different conversation, different kind of company, but even those that are venture backed or capital intensive, they would probably be thrilled to know that they have a CISO as part of their team they and that's a great point. And here's another with that is that as a virtual CISO, you haven't made the full time commitment to a full time salary and benefits and everything else. When you don't require services anymore. It's very easy for us to move on to something new, so on a small startup company that maybe can't afford it for full time, but in venture capitalists who are worried about where they're spending their money, we don't need to be full time. And we're easily brought in and out as we need.

It's giving me the security, quote, unquote, to know that my money is going somewhere where someone's got their eye on this thing, because when you're building a company, you're not necessarily keeping your eye on this stuff. It's not it's not out of malice or out of neglect. It's just because you're busy building at the earliest stages.

Especially as a startup, I've been associated with startups and you know, you virtually go down or down the list and say, you know, you know, Joe, you're, you're in charge of it, and you're in charge of HR, and they don't really have the benefit. All right, I've been down that road where people have been in charge of HR who couldn't, who have never had that, that responsibility. So having somebody that's got this expert knowledge coming from the outside, it can be a real advantage to small startup companies. You know, I think that's a great example.

So your services are available anywhere right? You're not just bound to Pittsburgh, if you're virtual can be represented.

That's correct. Yep. That's united states all across the United States. Obviously, our heart is in Pittsburgh. So that's, that's absolutely our focus areas like that we love.

So yeah, but they could be provided everywhere. There is a certain amount of touch that's necessary, but it kind of leads right into our current COVID situation. No, it's great. Are you seeing any trends, anything that you might want to share? Like it since this pandemic or even before? Are you seeing any trends?

Right. Well, one big thing that I'm seeing is I'm seeing a lot of COVID related phishing scams. Oh, yeah, that's very prevalent that early on, and I just know that I just had a conversation with some clients earlier today that they're getting a lot of those calls. Not everybody's trying to take advantage of that. So that's one thing I am seeing. The second thing I'm seeing is that remote workforce now that we're going to be working remotely. There's a whole new set of security concerns that go along with that, right? We have to think about.

Yeah, you don't even want to know about my internet connection here.

So we if people want to know more about you, too, what's the website?

So people want to know they can go there. We thank you both. for joining us. This whole concept of virtual CISOs is awesome.

Very cool. Thank you so much. Right.

We really appreciate the opportunity. Thank you.

That's for sure. Hey, we're taking a quick break. We've got more tech vibe coming your way. This is Jonathan Kersting.

And this is Audrey Russo.
