Kroll's Security Concepts Podcast

Nick Doyle is a managing director and leads our EMEA Security Risk Management practice. He is a former police officer and soldier. He has been with Kroll for over 13 years, and that time he has managed over 600 projects in over 70 countries. He has a wealth of experience supporting multi-sector clients through all of the risk management needs.

Rafael Lopez is an associate managing director and leads our LATAM Security Risk Management practice based in our Mexico City office. He is a security expert with more than 15 years of international experience in project management, physical security, security design, risk assessment and management, travel security protocols and crisis management response.

Michael Miora was a managing director in the Cyber Risk practice of Kroll. He has over four decades of experience in building security products and designing go-to market campaigns for products, including automated business continuity planning, software anti-spam protection and security awareness and training programs for financial healthcare, communications, pharmaceutical and medical devices companies.

Passages from the Episode

Virtual Security Management

“Where are you seeing the greatest demand for virtual security management roles, specifically the virtual security director and virtual chief information security officer (CISO)? Is it more the full security director position that we're posting or just support for a security director?” – Jeff Kernohan

“I believe the answer is both. We were seeing organizations with either no security manager, as well as those with security managers reaching out to Kroll for advice and guidance. I think part of the reason is due to the economic impacts and challenges associated with COVID-19, those teams are no longer there. Therefore, the knowledge library within those organizations has been minimized to some extent. Many organizations could have lost several people from their security teams.” – Nick Doyle

“Rafael, I know for you and the central and South America region, the region that you're responsible for, you've always had a heavy presence of embedded security directors and managers. What trends are you seeing? Do you see more demand for it today?” – Jeff Kernohan

“Yes, it is very interesting how COVID-19 has changed company's mentality regarding virtual services. In Latin America, it's been a difficult region regarding virtual services because fraud is an everyday matter. Companies are untrusting when you talk about virtual services. However, COVID-19 has made companies rethink how they will approach the security necessities they have. Having a virtual security manager is less expensive than hiring one in person because of all the regulations required in Latin America for hiring someone in a company. It is very interesting that more companies are open to experimenting with these new virtual services." – Rafael Lopez

Virtual Chief Information Security Officer

“When companies are looking for a virtual CISO, what typically spurs the need for this outside expertise?” – Jeff Kernohan

“I think that we can categorize the motivation of companies to find a virtual CISO in probably three different groups. The first is that companies decided to embark on some new business venture or some new product or service that puts them under the umbrella of some regulation or law that requires them to have a CISO—they don’t have one, so they have to go out and get one. Typically, it's more effective to find a seasoned virtual CISO than trying to find one you can hire and bring on board that usually takes many months. We can provide a virtual CISO professional in weeks, not months. So that's one reason, probably the first one, probably the most common.” – Michael Miora

“The second one is that they're getting interest from the board or senior management asking them, ‘So what's our security like? How do we compare to others? How mature are we in our security program?’ And most internal CISOs don't have access to the tools of technologies or have the resources to go collect that information, do the analysis and present it. Never mind that most CISOs don't speak the language of business, they speak the language of technology. When they present to the board of directors or to senior management, they talk technology instead of business. They talk things like MTBF, which means nothing to the board, or doesn't want to know about things like that. They're looking for somebody to come in who speaks the language of business and provides a security context.” – Michael Miora

“The third point is a little different. Companies have either experienced a breach, thought there was a breach or very afraid that something is going on that might be a breach. And so they engage some incident response or forensic work. Regardless of how that turns out, whether there is a breach or not, they say, ‘Oh my goodness, we need somebody to help us protect ourselves so that if something happens, we're in a better position to recognize an issue that's coming up before it becomes a fight.’ That's the third kind of a thing that a virtual CISO can do. Oftentimes the internal person doesn't have the time or resources to accomplish.” – Michael Miora

“Michael, as you've stepped in and done this virtual CISO work, what have you seen? You give us some details on some of the challenges you've encountered when you have to step in and fill this role.” – Jeff Kernohan

“Usually the internal head of security, whether he or she has that specific title or not, is in involved in selecting us and bringing us in. There’s very little friction there, there's very little pushback. However, some of the people on staff look at outsiders and say, ‘What makes you think you know better than we do?’. Often times the beginning of the CISO engagement is showing what we can do, how quickly we can get it done and basically how good we are. I've found that in almost all cases within the first few weeks, certainly within the first month of the engagement, that friction goes away. Of course, the other issues are that we find things that they wished we didn't find—issues. They say, ‘Well, I thought we took care of that last month or last year.’ We say, ‘Well, it looks like you tried, but this is what happened.’ Sometimes we are the bearer of bad news.” – Michael Miora

Global Demand for Virtual Training

“We also have the virtual crisis manager. And that's a role that I specifically have been filling during COVID-19 quite often. We've placed these virtual crisis managers across several of those essential businesses that still operated through the work from home environment. What we saw was, we were used to do everything from developing programs, such as how you do your trace controls, how you're doing your emergency response to end COVID-19 diagnosis in your workspace, all the way up to how are you going to bring your people back, developing training programs for them developing how their office is going to be laid out when they come back to work. That virtual crisis manager in my experience has been one of the fastest growing virtual element that I've seen during COVID-19. Another one that I've seen a big push on, and this is probably across all three of you, would be that virtualization of your training.” – Jeff Kernohan

“Have you three seen a lot of demand for virtual training?” – Jeff Kernohan

“For the virtual CISO, that's absolutely the case. The word virtual isn't supposed to mean that because we're there via Zoom or Webex that we're not a full-time employee, but these days with the pandemic it also means that we're doing everything via video, rather than being onsite. Absolutely for the virtual CISO, that's true today. In general, I think there are a lot of things that we can do with training remotely. In fact, for most organizations, most of their employees are spread apart, whether there's a pandemic or not, they're in different offices at different times of day. A video turns out to be the most effective means to perform training.” – Michael Miora

“The most frequent requests that we have received from Latin America clients regarding virtual trainings are kidnapping training that goes from preventative measures that are appropriate management from the corporate perspective, all the way to managing family expectations. One more frequent is extortion from drug cartels. Another would be the security managers training when they have a security guard that has been with them for many years, and then they want to get them up to speed to a manager role or a director role.” – Rafael Lopez

“Nick in EMEA, is it anything different there? Do you see a lot of requests for virtualization of the training that you're providing?” – Jeff Kernohan

“Not so much on the training, more on the delivery of the virtual security manager service. While we're delivering the virtual security manager service, the knowledge transfer is essentially a training package. That's what is reflected in how developed the security managers become.” – Nick Doyle

“Have you seen anything in line of virtual assessment, cyber, physical, whatever it may be from your clients?” – Jeff Kernohan

“We see an increase in doing virtual security assessments, which is an intuitive way to work through the COVID period. We can get a better understanding of our client's businesses on our client's sites. Then we can do the virtual tool with the assistance of our clients. That's a very regular occurrence now.” – Nick Doyle

“Michael, are you able to do that on the cyber side? Is that a big push for you as well, the virtual assessment?” – Jeff Kernohan

“Yes, it is. Virtual assessments are the way we have to do it these days because of the pandemic, but in general, virtual assessments are the most cost-effective way to get things done.” – Michael Miora

Talk to a Kroll Expert

Kroll is ready to help, 24/7. Use the links on this page to explore our services further or speak to a Kroll security risk management expert today via our contact page.