RCR 162: Small and Medium Business the Prime Target for Cyber Criminals
Jan 12, 2026
Think your company is too small to attract hackers? That misplaced confidence is exactly why SMBs are prime targets. We break down the real economics driving cybercrime—ease, scale, and profit—and show how default settings, fragile backups, and identity gaps create the perfect on-ramp for ransomware, credential theft, and supply chain abuse.
We also dive into AI risk and intellectual property protection, exploring the new concept of poisoning models with plausible false data to deter theft, and the hidden risks if staff credentials are compromised. From knowledge graphs and RAG to email spoofing and business email compromise, we map how attackers exploit soft spots that leaders often overlook. Then we translate cyber into business language—revenue at risk per day, cost of downtime per department, and cash reserves versus recovery timelines—so decisions align with the realities of payroll, billing, and customer trust.
You’ll come away with immediate, practical steps: enforce MFA everywhere, harden email with SPF, DKIM, and DMARC, deploy EDR, and maintain offline immutable backups you actually test. We share five essential monthly metrics—MFA coverage, phishing report versus click rate, critical patch age, EDR endpoint coverage, and backup restore success—that turn security from guessing into measurable progress. If you rely on uptime for revenue, we explain when MDR or a SOC makes financial sense by compressing detection time from weeks to hours.
Subscribe for more straight-talk security guidance, share this with your leadership team, and leave a review to help other SMBs find the show. What control will you implement first to reduce your downtime risk?
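The show notes recommend hardening email with SPF, DKIM, and DMARC. As an added example (not code from the episode or from Reduce Cyber Risk), the script below statically checks an SPF and a DMARC TXT record for the weak settings that typically ship by default, using constructed sample records for a placeholder domain; nothing here performs a DNS lookup.

```python
"""Static check of SPF and DMARC TXT records for weak settings.

The records below are constructed samples for a placeholder domain,
standing in for what a DNS TXT lookup would return; no network access
is needed.
"""
from dataclasses import dataclass

# Constructed sample records (placeholder domain, not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.mailhost.example a mx +all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 include:_spf.mailhost.example mx -all"
HARDENED_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                  "rua=mailto:dmarc-reports@example.com")

# SPF terms that each cost a DNS lookup; RFC 7208 caps the total at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    message: str


def check_spf(record: str) -> list[Finding]:
    """Return findings for an SPF record; an empty list means nothing weak."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("high", "not an SPF record: missing v=spf1")]
    findings: list[Finding] = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        t = term.lower()
        qualifier = t[0] if t[0] in "+-~?" else "+"  # default qualifier is pass
        bare = t.lstrip("+-~?")
        name = bare.split(":")[0].split("/")[0].split("=")[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(Finding("high", f"{lookups} lookup terms exceed the limit "
                                f"of {SPF_LOOKUP_LIMIT}; receivers return permerror "
                                "and ignore the record"))
    if all_qualifier is None:
        findings.append(Finding("medium", "no 'all' mechanism; unlisted senders "
                                "are treated as neutral"))
    elif all_qualifier == "+":
        findings.append(Finding("high", "+all authorises any host on the internet "
                                "to send as this domain"))
    elif all_qualifier == "?":
        findings.append(Finding("medium", "?all is neutral; unlisted senders "
                                "neither pass nor fail"))
    elif all_qualifier == "~":
        findings.append(Finding("low", "~all only softfails unlisted senders; "
                                "move to -all once every legitimate source is listed"))
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[Finding]:
    """Return findings for a DMARC record; an empty list means nothing weak."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("high", "not a DMARC record: missing v=DMARC1")]
    findings: list[Finding] = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(Finding("high", "missing or invalid p= tag"))
    elif policy == "none":
        findings.append(Finding("high", "p=none only monitors; mail failing SPF/DKIM "
                                "alignment is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("low", "p=quarantine sends failures to spam; "
                                "p=reject blocks them outright"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("medium", f"pct={pct} applies the policy to only "
                                f"{pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("medium", "no rua= address; without aggregate "
                                "reports spoofing attempts go unseen"))
    return findings


def summarize(spf_record: str, dmarc_record: str) -> str:
    """PASS if no findings, WARN if only low/medium, FAIL if any high."""
    findings = check_spf(spf_record) + check_dmarc(dmarc_record)
    if any(f.severity == "high" for f in findings):
        return "FAIL"
    return "WARN" if findings else "PASS"


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, summarize(spf, dmarc))
        for f in check_spf(spf) + check_dmarc(dmarc):
            print(f"  [{f.severity}] {f.message}")
```

To run this against a real domain, feed it the TXT records returned for `<domain>` and `_dmarc.<domain>`; the lookup-count check is approximate because it does not follow nested `include:` records.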
TRANSCRIPT
SPEAKER_00:
Welcome to the Reduce Cyber Risk Podcast, where we provide you the cybersecurity training, tools, and expertise you need to protect your company from the evil hacker horde. Hi, my name is Sean Gerber, and I'm your host for this action-packed and informative podcast. Join me each week as I provide the information you need to secure and protect your organization and reduce your cybersecurity risk. All right, let's get started. Hey, I'm Sean Gerber with Reduce Cyber Risk, and today is Podcast Monday. We are going to be releasing the podcast related to Fractional CISO, Enterprise Security Leadership for Small and Medium Businesses. Now, this is a pretty large podcast, so we actually broke it into two. There's one this week and one next week. But before we get into the overall podcast, there is an article that I wanted to share with you all. Okay, so this article is called Insider Risk in an Age of Workforce Volatility. This is on CSO magazine. It's done by Christopher Burgess. So this is a really great article around insider risk. And I want to mention, as far as Reduce Cyber Risk goes, we are focused on insider risk. That was one of the things that I did in a previous life working with a big multinational corporation: the insider risk threat to organizations. And this article talks about how this is changing, especially with the environment that we have with people, and how individuals dealing with layoffs and so forth are affecting the overall insider risk situation that people and companies are dealing with. So the central theme of all of this is that the insider risk is actually increasing due to workforce instability. So we know that we've seen on the web that lots of people are losing their jobs, various things, especially around the IT space, because of the rapid AI adoption. And the traditional view is that insiders are what they call rogue employees. And this is an outdated thought process, and it has changed dramatically.
So it used to be where you thought that someone who did this was very rare, and that the fact is that it's a rogue person. It's just somebody that's very unique. Well, in my time as a CISO, I also realized that that was not truly the case, because people are people, and people will steal what people want to steal. It can be the insider that didn't really know what they were doing. You know, basically they were co-opted. It could be the insider that it was not their fault because their account got compromised. But in many cases, the insider threat, if it's someone that's actually within your company, is a true and really clear and present danger to your overall organization. So what's caused a lot of this is the fact that layoffs, reorganizations, and job insecurity have reduced the loyalty of individuals to corporations, and it's increased these stress-driven mistakes or malicious actions by employees. So disengaged or departing employees have a higher risk of data misuse, sabotage, or credential abuse. And the fact that many people are still remote in some form or fashion also reduces the visibility of them and their accounts. So that's a big deal that you're having to struggle with, especially when it comes to remote work. So the expansion of this overall plan around insiders, what should you do? Well, the AI agents, automation, APIs, and bots now function as machine insiders with privileged use. And this is the part I bring up a lot around APIs. Because these machines are working within your organization, they don't necessarily have to be the individual. The machine can be doing it for you. Now, an individual that works for your company, maybe they're the ones that are controlling the APIs. Maybe those are the folks that are actually managing the AI agents. They could also be co-opting these agents to do this for you as well.
And we've had a couple different articles we've done on CISSP Cyber Training related specifically to this. So it's a big factor. It truly, truly is. So, what are some behavioral or psychological factors? Financial pressure, right? People don't have enough money. So because the cost of living's gone up, they're not making enough money, they maybe get approached by somebody that will actually co-opt or help them get the information out of their company, and therefore they can turn around and use it. So there's that aspect. Insider incidents are increasing as a result of a mix of human stress and automated system actions. So it's kind of that combination of both, between the AI agents that are working autonomously and the individual who is also working by themselves, potentially taking data out of the company. So, what are some things that you should do, and how should you manage this as a company and as an owner of a company? Treat the insider risk as a sociotechnical problem, not just a security issue. So, what does that really basically mean? Well, it's the social aspects that you're dealing with, as well as it's a technical problem. So it's not just security, go fix it. You need to really think about the overall dynamics within your company. Integrate HR, legal, and security teams to detect any early warning signs of this type of activity or any sort of workforce distress. Apply zero trust and least privilege controls in as many places as you possibly can. Now, if you can start it off at the beginning doing zero trust, amazing. That's great. But if it looks like there's not a way for you to do that in a logical or real quick manner, then at least doing a hybrid zero trust approach is a good path forward. Use behavioral analytics to identify abnormal access and activity patterns.
And so ensure that you have the security tools in place to look for those abnormal things that they're doing, and then put protection mechanisms in place. And then the real key takeaway from all of this is that the insider risk is no longer episodic, or basically happening once at a time, or what we would call rare, right? It used to be the case where a lot of people would say that the insider risk was pretty rare. And I would say still, for employees, it is not something that everybody is trying to steal your data. That's not the truth. However, it is less rare than it used to be. And now, with all of these different connections into your organization, due to AI, due to APIs, due to whatever connection you may have that goes into your organization, there's now a better chance for data to flow out of it and be basically hidden within all of the legal data that should be coming and going from your company. So that's something to really kind of consider as it relates to the insider risk. Organizations that fail to modernize their insider risk programs will see higher data loss, operations disruptions, and potentially regulatory fines, depending upon the space that you're in. So again, really truly treat the insider risk product, or the insider risk threat to your organization, correctly. Okay, so before we get into what we're going to talk about today, I just wanted to put a shout out to reducecyberrisk.com. Go check it out at reducecyberrisk.com. This is an area that you can go if you are interested in any sort of cybersecurity consulting, if you're looking on just getting some information around how you can do security assessments; all of this can be done at reducecyberrisk.com.
If you go check it out, I've got areas that are broken into our different services, all of the services that are tied and associated with Reduce Cyber Risk, from your fractional or virtual CISOs to assessments and audits, insider risk management, business continuity, and the like. So there's lots of opportunities for me to be able to help you in different ways within the Reduce Cyber Risk platform. So again, go check it out at Reduce Cyber Risk. Okay, so let's get into what we're going to talk about today. This is associated with the Fractional CISO, Enterprise Security Leadership for SMBs, and this will be part one. Hey, I'm Sean Gerber with Reduce Cyber Risk and CISSP Cyber Training, and this is Fractional CISO, Enterprise Security Leadership for Small and Medium Businesses. Hey, I'm Sean Gerber, and this is a product that I put out. I've been thinking about this for quite some time and just trying to figure out what do I do to help small and medium businesses understand what is the need of a fractional CISO. It's a chief information security officer, if you don't know what CISO means, because, you know, there's enough acronyms out there for everybody, right? But this is basically a product that I'm putting out at Reduce Cyber Risk and CISSP for my students to understand what is a fractional CISO, and to understand how this would work within a company. So the ultimate goal is to provide you this information so that when you go out and you're looking for security for your company, you can make the right choices and hire the right people. So, what is a fractional CISO? So, this is a part-time, contract-based chief information security officer. And the chief information security officer is commonly seen as the individual who will lead security for your organization. They provide that security leadership without the full-time burden of having one.
So, a typical CISO in an organization can cost you a very substantial amount of money, and they also are a little bit of a challenge to find. So, this can give you that capability in a way that maybe meets more of what your needs are, especially from a small, medium-sized business, because you probably don't need someone who is full-time on your staff as a security professional, but having somebody that you can reach out to or phone a friend to help you with security incidents would be extremely valuable. So the typical engagement of a fractional CISO or a virtual CISO is around 10 to 40 hours per month, depending upon your needs as an organization. Now, this can be done in many different ways. It can be done through phone calls, it can be done through having them show up in your offices. It can be done in many different options depending upon what is in need for you and your company. Now, there's a flexible model that scales with your business growth. And as your business grows, then your need for a potential CISO increases. It does put you in a great position to hire somebody full-time because you basically can transition from this part-time status to more of a full-time status. So the fractional CISO is a really great option for small and medium-sized businesses who do not know what to do from a security standpoint. There also are a lot of requirements around having a CISO from a regulatory point of view, which we'll get into in here just a little bit. And having that person on staff, even if it is only on a part-time basis, can be an incredible asset to you and your company. So a little bit about my background and why it matters for this discussion. I'm a former military aviator. I used to fly B-1 bombers. They're a very large bomber; global power, global presence is their ultimate goal. I flew those for many years as a weapons systems officer.
But then God had a different plan for my life and for our family's life, and I ended up starting up a U.S. Air Force red team. And this red team was designed to act as the adversary to the U.S. Air Force. So we would break in, physically and over the network, into organizations throughout the globe that were tied to the United States Air Force and the DoD. And so this was an important part of what we created. And this was an important part of my learning around what cyber can do to many organizations. So I ended up after that leaving and becoming a security architect as well as the manager of a security operations center for a very large company called Koch Industries. And I did that for many years and moved up through different roles within Koch Industries to become a CISO for a very large multinational that was under the Koch Industries umbrella. This company was called Invista. And we were large in the fact that we had a global presence in the United States, China, and Europe. So I understand the big enterprise level, but I also understand the small businesses, coming at it especially now in my current role as a security consultant. So I am working with companies that are in startup mode, super small, to very large financial institutions that, if I mentioned them, you would know them. And so those are all big pieces of this: I understand the gaps that are needed for security, and hence why this program is an important part for anybody's business, whether it's small or big. I've managed enterprise-level security programs, budgets, and teams as well. So you name it, I've done it related to a lot of the different aspects of cybersecurity. So now I'm bringing the same expertise to organizations that need it most, because large companies can handle a lot of the security things that occur. They have teams of people that are designed specifically for this. Small businesses and medium businesses, on the other hand, definitely don't have it.
Most don't. There's probably some out there that do, but the majority of small and medium businesses are struggling in the security space. And this is where I come into play. So I'm going to bring my real-world experience with compliance, incident response, and board-level communications to this discussion so that you understand what is actually needed from a fractional CISO. So, what does a fractional CISO do? They develop and execute your cyber strategy roadmap and plan. They're the person that will help you get this program in place and done and out the door. They also will ensure that you have compliance with industry regulations and the standards that go with that. As you all know, if you're listening to this, you probably are dealing with some level of requirements due to regulatory aspects. And guess what? They're only getting worse. So you better start thinking about it now if you haven't already. And I guess if you're listening to this, you have, you are thinking about it. They manage vendor relationships and security tool selection. You don't have to worry about it. The fractional CISO will work with those vendors, especially as it relates to breaches. Maybe they had an issue that came up. They're working with you on negotiating contracts with these people. That is what the fractional CISO will do. They'll also be an incredible part in the selection of the security tools that go within your company. You don't have to know what these tools mean; they'll teach you what they mean, but you don't have to try to figure this out on your own. You focus on what you do best, and that is making money for your company. Let the CISO do what they do best and focus on security to protect your company. They also provide incident response leadership when breaches occur. So if a situation were to occur, actually, it's not a matter of if, it's a matter of when it's going to happen. They will provide that incident response leadership for you.
They communicate security posture to the board and executives, and they'll mentor your IT team on security best practices. All of those things are what the fractional CISO will do for you. So it's an important part of your organization, especially if you have any level of business that is dependent upon regulatory aspects, or if you're concerned that the security of your protection of your data is at risk. So, what does a fractional CISO not do? Okay, day-to-day security operations, monitoring, patching, making sure that all your servers are up and running, making sure that your AWS environment is up and running if you have that. They do not do those types of activities. Now, you may have someone within your company that does that for you, and that's great, but the CISO will work with them to ensure the proper aspects are completed. However, that's not what they do on a daily basis. They also will not replace your information technology or IT team. In addition, they will not act as your managed service provider. So they're not the IT people, right? They understand IT, they understand how it works, but those folks that are operating as your CISO, as your fractional CISO, that is not something they do on a daily basis. They will not implement hands-on technical configurations. I say that out of one side of my mouth, but on the other side of my mouth I'm saying there are times when we do that. Very rarely, but it would be a situation where there are other people that are better suited to make those changes within your company. So they won't typically implement hands-on technical configurations. They won't provide you 24 by 7 by 365 coverage. The CISO is an executive-type or leadership-type position. It's not something that is on call to fix things. If that's the case, then you're looking for more of someone that is a managed service provider or a team of security analysts or engineers that can help you with that space.
And they won't serve as your help desk or your system administrator. So you kind of get it, right? They're not dealing with the IT aspects of your company. They are focused on the security focus only, strategic leadership, and the thought process that goes into protecting your company from, I like to say, the evil hacker horde. When does your business need a CISO? Well, when you're handling sensitive customer data: PII, PHI, financial data, all of that information needs to be protected. And when we talk about PII, we're saying personally identifiable information, or PHI is personal health care information. So the point of it is that if they're dealing with something that's sensitive, that is regulated by people, by the government, you will want to have a CISO in place to help you with that. If you have compliance requirements that mandate security leadership, NYDFS, this is out in New York, it's a requirement. There's a regulatory body out there. They do require a CISO on the board. And they require a CISO in the business that you have. So it's imperative that you have somebody that's in the security leadership role, and it's being mandated. So therefore, that's when your business needs a CISO. You've experienced a security incident or a near miss. Hackers do not worry about if you're a small, medium, or large business. They attack everybody. So if you've had a security incident or potentially a close one, you will probably want to consider a CISO or a fractional security person for your organization. Cyber insurance, this is a huge one. This really is. I've seen it in places where people have to get cyber insurance due to the regulatory nature of their role. And because of that, the regulators, or the underwriters, I should say, that are working on the insurance programs require somebody to be in the security leadership position. And because of that, then you have to therefore get one.
So the challenge is, if you don't have someone on your staff, now you have to answer that you do not have a security leader. Well, then what happens to your premiums? They go up. So again, cyber insurance applications are an important part of any sort of organization, especially if you're regulated; you may want to have a CISO. You're pursuing contracts that require security certifications, such as CMMC. If you're working with the Department of War now, I'm sorry, I keep saying Department of Defense, but if you keep focused on the Department of War, anything that happens within your company that is focused on that and needs a CMMC certification, it will require some level of security leadership within your company. So therefore, you're gonna need someone. Now, will the virtual CISO meet that need? In most cases, most definitely. There are some cases where they may need someone full-time, but again, that's where you're moving from a small and medium business to a very large company. Your current IT team is overwhelmed with security responsibilities. Yes, if you have an IT team now and all these additional security requirements are coming to them, that's going to be a bit of a problem. And what do you need in that case? You'll need a CISO or a security professional of some level and kind. So, the true cost of not having security leadership. So here's one of the issues that comes up, right? The first thing people say is they see the sticker shock. Oh my gosh, it is terribly expensive to have a security person on staff. And you are correct, it is expensive. I'm not gonna hide that from you. It is what it is. But the average data breach cost for a small and medium business right now is about two and a half or two point nine eight million. So let's just call it three million dollars. So if you're a company and you expect that a standard data breach is going to cost you close to three million dollars, that's a big number.
60% of small businesses are closed within six months of a cyber attack. So you have a cyber attack, and you've been working your whole life, and within six months you're shut down because, yeah, you're paying out bills, you can't take care of orders. Yeah, it's a bad thing, right? So 60% of small businesses go away. Regulatory fines can reach in the millions. Obviously, GDPR and HIPAA violations, those all add up depending upon the job or the different product that you provide. Reputational damage and customer loss. That kind of falls into the 60% that close within six months. And then a loss of productivity during an incident response. So, like when an incident occurs and you're having to fight that fire, what happens? You lose productivity. Why? Because you can't get your product out. And if you can't get your product out, you can't make money. And then the legal fees and forensic investigation costs as well. So all of those things, you add those all up. And then the fact is that you can't produce for your company; that's huge. So you just think about that. If you had a server in your system that went down and you were down for two weeks, three weeks, maybe even six weeks, can you recover from something like that? Typical response is it's gonna take you anywhere from three to six weeks to get yourself back up and operational. And that's not even fully operational. That's on a limping-along operational side. So keep that in the back of your mind when you're tabulating all the numbers. Okay, full-time versus fractional CISO. Let's do the math. So a full-time CISO is gonna cost you anywhere from $200,000 to $350,000 plus bonuses, right? So we're talking a lot of money. This can get in the upwards of half a million to maybe even, I've seen some of them close to $600,000. Now, again, those are enterprise-level type of positions, but you can see that that's just the salary.
And as a business owner myself, that doesn't even add in all the Social Security taxes and all the other stuff that goes along with it. So you're talking a substantial amount of money. Your benefits package is usually 30 to 40 percent. This includes healthcare, 401k, stock options, and all of those aspects. And then your bonus structure can be anywhere from 15 to 25 percent of your base. So, real quickly, this person can cost you in the upwards of probably six to seven hundred thousand dollars, real quick, for an enterprise-level CISO. And then you have recruiting fees. Because guess what? Not all CISOs are the same. Hard to believe, but you've got to go out and find somebody. So this is gonna cost anywhere from $40,000 to $70,000 to find the person to fit the role. So these costs add up substantially. So if you figured this out, you're talking anywhere from $300,000 to maybe $600,000 to get a person on the books as a CISO for your organization. So now let's talk about a fractional CISO. What does that look like? Well, those go from anywhere from $5,000 to $15,000 a month based on the engagement level, based on how many hours you utilize them and use them for your company. So your annual cost can be anywhere from $60,000 to $180,000 all in. You don't have bonuses, you don't have any of those aspects that go along with it. It's just straight cost, right? So that can be a huge cost savings to you if you feel that you're in that boat. So this is where I'm coming back to: if you are a small business, you don't want to spend that kind of money on a CISO, because I understand your margins are thin and you're going, I can't afford it, but I can't afford not to do it. This is where the fractional CISO can come into play. You get enterprise experience at 15 to 30 percent of a full-time cost. That's where I come into play. My background, right?
Obviously, I want to be a fractional, I am a fractional CISO for many companies, but I want to be one for you. And so, therefore, well, how do I do that? This is an opportunity to help you in this space. So, how do you hire a fractional CISO? Some key qualifications for you to keep in mind. Look for actual experience, not just technical certifications. There's a lot of great certifications out there that are extremely valuable. However, when it comes right down to it, the experience that people have is so much more than these certifications can ever provide. So, myself, I've got over 22 years in cybersecurity from the beginning to where we're at today. That's a lot of experience that can help you with your company. But I can't get that from a certification. Now, the CISSP is a great certification, especially for people who are wanting to get deeper into cyber. However, it's only going to just scratch the surface on what you specifically need. You need to verify they've managed security programs at scale, something that has gone from a small to a large type of company. Because again, if they were just a CISO in a startup and that's all they did, they may not be the best choice for you if you have a large business. Industry-specific experience, healthcare, finance, and manufacturing, all of those pieces are a big factor. Which one best fits you? Strong communication skills for board and executive members. Okay, this is something I try to explain to people: if the guy that you hire just really wants to eat pizza and sit in a closet and doesn't want to do anything else other than technical stuff, that person, he or she, is not the right one for you. You need someone who can talk to the executives and the board and break it down into a level where they can understand the cybersecurity lingo and how things happen. You need strong communication skills.
And I would actually come out and say, I would take strong communication skills over a large experience base. So they kind of go hand in hand, but not always. Strong communication skills are really important. And then a proven track record with compliance frameworks that are relevant to you and your business. Now, how to hire: important certifications and background. So one is CISSP, certified information security professional. That is a key certification that will help you if you're looking for a person to be your CISO. CISM is your secure information security manager. CRISC is your Certified in Risk and Information Systems Control. All of those are really key certs that are very valuable to help you know if you're getting the right type of person. Because again, the CISO deals with security issues, deals with managing things, and deals with risk. Those are three big factors that a CISO will deal with. Your industry-specific, it could be HITRUST or PCI QSA; maybe there's some certs that are specific to you based on the industry that you're in. But the focus as a CISSP is strong if you're going to validate what they've done. So experience and certifications are important. But remember, certs do not replace real-world experience. They just don't. Anybody can take a test. And so taking the test and actually living it are two different things. So how to hire? What are some questions you can ask? Describe the security program you built from scratch. So you ask this person, what did you do? Tell me about it, and then have them explain and pontificate upon what it can provide. How you've handled data breaches or major incidents that have occurred within your organization in the past. That's a great way to find out what they have done. Have they implemented security programs? Have they dealt with the incident? Did they work with negotiators on how to negotiate ransomware? All of those things can come out of that discussion.
How do you communicate security risk to non-technical executives? So give them an example. Say, hey, this is an example of something that's security related. Tell me how you would explain this to an executive. So again, reach out to me at Reduce Cyber Risk or at CISSP Cyber Training, and I can actually give you some questions related to this if you're interested. So that can kind of help you. What is your approach to security on a limited budget? This is a key part because, again, especially if they come from an enterprise level, right? So if they come from a really large multinational like I did, they'll want to come in and go, we need this, we need this, we need this, and not understand that you have a very finite budget. This is an important part. So you're going to want to ask them, have you worked with anybody on a limited budget? And if you didn't have a lot of money, what are the first things you would do within this organization? Can you provide references of similar-size organizations? Basically, if you've worked with companies that are our size, right? You're the interviewer. Can you give me some ideas and some references on who you worked with that was the size of our organization? So some questions you can ask that will help get a little bit deeper into what is their knowledge base and what do they actually know. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube. Just head on over to my channel, Reduce Cyber Risk, and you will find a lot of content to help you protect your company from the evil hacker horde. Lastly, head to reducecyberrisk.com and sign up for my free cybersecurity assessment to provide you guidance around the protection of your organization. Thank you for listening.