Cybersecurity Today — "The Role and Evolution of Virtual CISOs" with Craig Taylor

Host: Jim Love
Guest: Craig Taylor, Head of Cyberhoot and Virtual CISO
Date: October 11, 2025

Episode Overview

In this episode, Jim Love dives into the evolving landscape and role of Virtual CISOs (VCISOs) with cybersecurity veteran Craig Taylor. With over 25 years as a practitioner and leader, Craig explores how VCISOs provide critical security guidance to organizations—especially SMBs and mid-market firms—facing tight budgets, talent shortages, and growing cyber threats. Through personal stories, practical advice, and revealing anecdotes, Craig highlights the benefits and challenges of the VCISO model, cultural impacts, tech stack management, and best practices for organizations seeking to bolster their cybersecurity posture.

Key Discussion Points & Insights

Origins of the Virtual CISO Role

[00:46 – 03:38]

• Historical Perspective:

  • Craig began as a "lead information risk manager" at Computer Sciences Corporation, predating the "VCISO" label. He managed security for multiple accounts, including DuPont and international managed hosting centers.
  • “In the beginning... they had some really interesting idea to assign a cybersecurity lead to multiple accounts... supporting multiple companies that were hosting their data, their data and their websites in our data centers in the United States and abroad.” (Craig Taylor, 01:01)

• Entrepreneurship:

  • After stints at Vistaprint and JPMorgan Chase, Craig cofounded Cyberhoot to provide cybersecurity training and VCISO services.
  • He also created a peer group of ~20 VCISOs/fractional CISOs to share best practices, address AI, and discuss emerging topics.

The VCISO Value Proposition

[03:47 – 08:48]

• Market Forces:

  • Economic constraints and a shortage of skilled professionals make full-time security hires unrealistic for most SMBs/mid-market firms.
  • "You ask yourself this mid-market firm, do we hire a full time lawyer? No... So why are we so focused on hiring a full time security person? It doesn't make sense. We don't need them all the time. Thus the birth of virtual fractional CISO." (Craig Taylor, 05:09)

• Cost and Expertise:

  • VCISOs offer tailored, on-demand expertise (as little as 5-10 hours/month).
  • They help clients meet cyber insurance requirements, manage third-party risks, and use security as a sales differentiator.

Threat Landscape & Attack Tactics

[05:46 – 08:37]

• The Reality for SMBs:

  • No one is too small to be a target: attacks are automated, organized, and commoditized.
  • Even mid-sized ($100M) companies are susceptible: “Cybersecurity attacks are a business; it’s a franchise.” (Jim Love, 06:05)

• Support Ecosystem of Cybercrime:

  • Breachers sell access to ransomware operators, who further outsource support services for victims seeking data recovery.

How VCISOs Deliver (and Structure) Services

[06:42 – 10:53]

• Education First:

  • Many breaches boil down to basic “cyber literacy”—phishing, password hygiene, and multifactor authentication (MFA).
  • “Cybersecurity is the one field of study in the world where so many people... don’t know what they don’t know.” (Craig Taylor, 07:12)
  • Real-world threat education and dark web examples drive home best practices.

• Team-Based Redundancy:

  • Having a networked group of experienced VCISOs provides depth, redundancy during incidents, and knowledge-sharing on emerging threats (especially AI).
  • Anecdote: Retired former Fortune 500 CISOs now contribute expertise part-time as backup.

Challenges of the VCISO Model

[11:13 – 14:55]

• Burnout Risk:

  • Overcommitment without sufficient downtime is common.
  • Craig describes the necessity of process, delegation, and “refusing to be a one-man band.”

• Client Engagement Gaps:

  • Scheduling delays, lack of client action, or budgetary constraints can reduce effectiveness and billable hours.
  • "Suddenly customers are so busy we can't meet this week... and then the VCISO is making less money because they're not engaged as much as they would want." (Craig Taylor, 12:35)

• Fiduciary Duty & Risk Communication:

  • Some clients avoid security testing due to fear of findings they can’t afford to fix, raising tough conversations about risk ownership.

Security Culture: Beyond Technology

[14:55 – 19:50]

• Cultural Integration:

  • Security is fundamentally a cultural issue, not just technical. Changing workforce behavior is key.
  • Craig applies psychology, education, and cyber literacy to engineer positive change.
  • “For 75 years, psychology has said rewarded behaviors are repeated. ... So many of the cybersecurity programs out there are focused on punishing the bad behaviors... and there's multiple studies that have proven that doesn't actually change behaviors.” (Craig Taylor, 16:15)

• Rewards over Punishment:

  • Programs should positively reinforce reporting phishing (“give gift cards, public recognition, etc.”) instead of punishing failure.
  • Quote: “Show me the incentive, I’ll show you the behavior.” (Jim Love quoting Charlie Munger, 19:22)

Managing Diverse Tech Stacks & Vendor Sprawl

[19:50 – 26:04]

• Managing Complexity:

  • The explosion of security tools increases risk and complexity.
  • Approach: Start with a risk assessment (NIST 800-171 + Craig’s custom modifications like materiality).
  • Focus efforts on practical, high-impact controls—sometimes beyond the framework (e.g., insisting on password managers).

• Service Scope Considerations:

  • VCISOs rarely do “wrench turning”—they recommend controls/policies; the client’s internal IT or MSP does implementation.
  • Definition of boundaries is crucial to avoid dilution of expertise.

Relationships with MSPs and Third Parties

[28:37 – 31:52]

• Managing MSPs:

  • Many MSPs lack true cybersecurity maturity, often not deploying basic controls like password managers or MFA.
  • Real-world impact: A 158-year-old UK company went out of business after hackers exploited simple password weaknesses; no cyber insurance, no backups, complete loss.
  • “It’s simple stuff that’s still leading to the demise of companies. It’s not rocket science, so get all these easy, simple things in place and then work your way up the stack.” (Craig Taylor, 30:22)

• Difficult Budget Conversations:

  • Constant tech change (tech debt) and legacy systems mean prioritizing the top risks that can be affordably addressed, and being candid about what remains unmitigated.

Working With Legacy Technology and Constrained Budgets

[31:52 – 36:11]

• Workarounds and Risk Mitigation:
  • When legacy systems can’t be replaced (e.g., Windows XP, floppy drives), Craig recommends extreme segmentation, physical risk controls, and monitoring.
  • Anecdote: Data center theft of rare circuit boards highlights unique physical risks tied to outdated technology.

Memorable Incident: The Gift Card Scam

[36:53 – 40:13]

• A Foundational Case:

  • An HR new hire fell victim to a classic gift-card scam, approving $24,000 for “employee rewards” at the fake president’s request.
  • “It was such a simple bit of knowledge that was missing from this person. Very good human being, but didn't know what was wrong with what she was doing.” (Craig Taylor, 39:02)
  • Memorable Moment: Craig holds up a thick bag of hundred-dollar Apple gift cards saved as a lesson/reminder.

• Protecting the Vulnerable:

  • Both hosts stress the need to proactively protect the elderly and vulnerable from scams, praising retail clerks for asking smart questions during suspicious purchases.

Security Awareness & the Role of AI

[40:13 – 43:40]

• Education Initiatives:

  • Cyberhoot creates monthly micro-training videos on topics like romance scams, charity fraud, QR phishing, and financial scams.
  • Craig advocates teaching people—especially the elderly—how to leverage AI as a simple scam-checking tool: “Is this a scam?”

• Host’s Experience:

  • Jim shares a close call with a sophisticated phishing site mimicking Apple; AI helped recognize the signs.

Biggest Frustration: Good Advice Ignored

[43:40 – 45:39]

• “Customer Has the Right to Be Wrong”:
  • Frustration arises when clients hire VCISOs for expertise, then ignore basic recommendations (e.g., refusing MFA for executives).
  • “They hire us for our opinions and then they ignore our stuff… They don't pay attention to the simple but very effective mechanisms we want as non starters.” (Craig Taylor, 44:13)

How to Hire the Right VCISO

[46:30 – 48:52]

• References Matter:
  • Beyond credentials (CISSP, multi-company exposure), references are critical: “The biggest predictor of future performance is how they were viewed in their previous roles.”
  • Avoid the "department of no"; seek a partner who’s solution-focused, understands business goals, and can adjust security to support rather than block progress.

Naming “Cyberhoot” and Free Training Offer

[49:20 – 51:31]

• Branding:
  • “Owls are wise.... We like the idea, and this has happened to us, where people... go ‘Have you done your hoots today?’” (Craig Taylor, 49:20)
  • Name inspiration draws on wisdom, education, and social responsibility.
• Free Training:
  • Cyberhoot offers free individual access to security awareness videos and phishing simulations.

Notable Quotes

• Craig Taylor on Culture:
  “For 75 years, psychology has said rewarded behaviors are repeated. ... when you use and turn to punishment and negative reinforcement of bad behaviors, you're really doing your company's culture and performance a disservice.” (16:15)
• Jim Love on Motivation:
  “Show me the incentive, I’ll show you the behavior.” (19:22)
• Craig Taylor on the Value of Peer Groups:
  “You always have someone available when you need them... But number two is I don’t have all the answers. ... So being able to bounce ideas and have collective gestalt... is enormously valuable.” (09:55)
• Craig Taylor on Legacy Systems:
  “You work on mitigating risk… We had to move via sneaker net some files from this machine over to that machine in order to work with some really old software that just couldn’t be upgraded… You're going to have to keep moving these floppy disks over to here...” (33:26)

Timestamps for Key Segments

• 00:46 – Craig’s VCISO origin story
• 03:47 – Transition to entrepreneurship and Cyberhoot
• 05:09 – The case for VCISOs over full-time hires
• 06:18 – The criminal “franchise” of cyberattacks
• 08:48 – Benefits of peer group-based VCISO models
• 11:19 – Challenges: burnout, client engagement, “department of no”
• 14:55 – Security as culture; behavioral psychology applications
• 19:50 – Tool sprawl and the NIST-based risk assessment approach
• 28:37 – Relationships (and problems) with MSPs
• 31:52 – Legacy systems and risk-based mitigation
• 36:53 – Memorable incident: the gift card scam
• 43:40 – Biggest VCISO frustration: good advice ignored
• 46:30 – How to select a VCISO: references, collaborative mindset
• 49:20 – Naming Cyberhoot; free training resources

Episode Takeaways

• The VCISO role bridges key talent and budget gaps, offering flexible, expert guidance.
• Cultural change—grounded in psychology, positive reinforcement, and education—remains the bedrock of robust security.
• The best VCISOs are collaborative, honest about their limitations, and leverage networks to deliver holistic, up-to-date advice.
• Organizations, regardless of size, must remain vigilant and invest proportionally in both people and technical controls—starting with foundational, proven measures.

Craig Taylor’s Final Advice:
Don’t just hire for credentials—find someone with a track record of collaborative problem-solving, whose references vouch for their real-world impact and adaptability.

For individuals interested:
Cyberhoot offers free training and phishing simulations at cyberhoot.com/individuals.