
American Cyber Security Management

Secure and certify all your data and processes


ACSM as your vCISO

June 26, 2025 By Carlin Dornbusch

Many companies are trying to do more with less these days, while they still need skilled resources available to support their cybersecurity program. The need for compliance has increased over the years: simply renewing a cyber insurance policy now requires companies to have vulnerability management programs, drafted policies and segregation of duties. This makes starting a new business a challenge and makes it ever harder for SMBs to scale up to larger customers.

When it comes to your Cybersecurity program, having certified, experienced and knowledgeable staff is a must. A virtual CISO, or CISO-as-a-Service, may be a good model to adopt until your organization is large enough to support a full-time headcount. Below are some tips for finding the right CISO for your organization.

Benefits of Engaging a vCISO:

  • Just-in-Time Leadership: Gain executive-level cybersecurity leadership from people who have 20+ years of experience and can communicate at both the technical and business levels.
  • Cost-Effective: Engage with a monthly fixed retainer that fits your budget, without incurring high salary and overhead costs.
  • Compliance Support: Meet the requirements of HIPAA, ISO-27001, PCI DSS, and SOC2, as well as being able to support frameworks like NIST 800-53, 800-171, NIST CSF, CIS-18, and the Trust Services Criteria.

What to Look For in a vCISO:

  • Experience – Ensure the vCISO you are engaging has multiple years of experience across similar industries. Ask them to tell stories of business compromises and system resilience in order to learn more about their response strategies.
  • Qualification and Certification – The CISSP certificate is the ‘golden cert’ for the cybersecurity leader. This certificate covers all the security domains and requires years of experience before being able to test. Be sure to engage a vCISO who has held their CISSP for more than three years, to ensure they are committed to the industry and keep up on their training. CISOs with a technical degree or MBA are usually better at understanding new technologies and imparting the risks for your business.
  • Leadership and Culture Fit – Having a cybersecurity leader who can communicate with your executive team, especially in times of crisis, is more important than knowing all the ins and outs of particular technologies. Be sure they can communicate at all levels and can pace themselves to the speed and finances of your organization.
  • Flexibility and Business Alignment – Just as your business changes, so must your cybersecurity program. A leader who understands your business and can rapidly adapt the controls to meet the business demands is very important. A resource who can also learn new concepts quickly can be especially valuable to your business when taking on new challenges and emerging threats.

How ACSM helps with its CISO-as-a-Service Offering:

  • Low Learning Hurdle
  • Strategic Alignment and Communications
  • Risk Quantification and Mitigation
  • Standards, Policy and Process Improvement
  • 3rd Party Support
  • Product and Cloud Agnostic
  • IRP Support w/Forensics
  • Sales Support
  • Strategic Partnership

ACSM has been helping businesses protect their assets and improve their security and privacy posture since 2006. Our skilled team can help your business understand its cyber weaknesses and potential threats as well as improve your security, privacy, and compliance postures. Our services include penetration testing, maturity assessments, cyber security, and privacy implementation assistance, CISO-as-a-Service, and DPO-as-a-Service, MSP, and MSSP services, to mention a few.
To learn more about how ACSM can support your cyber defense needs, please visit our contact page at https://www.americancsm.com/contact-us/ and schedule a free consultation call today.

Filed Under: Cyber Security News

RMISC Session Highlight:  Boardroom Blunders

May 12, 2025 By Carlin Dornbusch

The Rocky Mountain Information Security Conference (RMISC.org) is not just a conference; it’s a dynamic hub for learning, networking, and innovation, featuring over 70 sessions led by industry leaders. The conference aims to blend education with practical insights, offering attendees a unique opportunity to dive deep into the latest trends and advancements in cybersecurity.

One of the highlights of RMISC 2024 was our presentation “A One Hit Wonder”. This presentation was one of the main draws of the speaking tracks and was recognized with some of the highest audience rankings.

For RMISC 2025, we’re back again with a similarly styled event, but focused on helping the CISO “sell” their ideas to the executive board. Our session for 2025 is titled “Boardroom Blunders – Cyber Risk in the Boardroom”, co-presented by industry experts Carlin Dornbusch and Paul Herbka. Once again, prepare to be part of an immersive “live play” that gives you a front-row seat behind closed doors into the secret world of the boardroom. Follow our CISO on their journey from tech hero to business team collaborator. This composite of true boardroom and executive management discussions is designed to help the CISO, and every cyber leader, gain the mindshare of executive leadership. This session is unlike any other you have seen.

The Experience

Engaging, enlightening, and interactive – this presentation is a unique journey through the boardroom and into the enterprise. Are you equipped today to win the hearts and minds of your decision makers?

Why You Can’t Miss This

Interactive Learning: This unique format goes beyond traditional presentations. It’s interactive and designed to pull you into the narrative, making the experience not only memorable but also highly educational.

Real-World Insights: Dive deep into the dynamics of the executive staff and the board through a storyline that mirrors true events. Witness first-hand how executive decisions are made and how your ideas can end up on the cutting room floor. And especially learn how to improve your executive communication skills.

Skill Enhancement: You’ll be challenged to assess and enhance your own communication and business skills. The session is structured to help you learn effective communication strategies for gaining favor and aligning your ideas to business objectives.

Learning Objectives

By participating in this session, you will:

  • Learn how to sell better to your Board of Directors.
  • Understand common pitfalls and avoid common mistakes.
  • Learn how to position your cybersecurity, compliance and privacy concepts in another person’s perspective.

Join Us at RMISC 2025 – This session, “Boardroom Blunders – Cyber Risk in the Boardroom”, will be held Thursday, May 29, 2025, from 11:00 am to noon.

Also feel free to meet Carlin Dornbusch and Paul Herbka at the American Cyber Security Management booth, located in the expo hall.

This session is just a glimpse of what RMISC 2025 has to offer. We encourage all cybersecurity professionals and enthusiasts to join us at this premier event. It’s more than a conference; it’s an opportunity to network, learn, and prepare for the challenges ahead in the cybersecurity realm.

Don’t miss out on this chance to transform your approach to cybersecurity. Register now for RMISC 2025, and be sure to join us for “Boardroom Blunders” to see cybersecurity in action like never before!

For more details on the conference and to register, please visit: (https://rmisc.org/). For more information on how AmericanCSM supports our clients visit: (https://AmericanCSM.com)

Filed Under: Cyber Security News

Celebrate World Password Day

May 1, 2025 By Carlin Dornbusch

Happy World Password Day! While it may sound pedantic, this is a good day to be reminded that Identity and Access Management are among the most important security controls for your personal data. Here are a few helpful tips for strengthening your passwords.

Good Password Rules

Strong and Complex Passwords are harder to crack:

  • Make passwords at least 12 characters long
  • Use complex characters (%@#&~!)
  • Use mixed-case letters
  • Don’t use personal info for full words in the password
  • Try using the first 3 words of your favorite song and mix up some characters

Don’t Reuse Passwords – If one system is compromised and your password for that system was included in the compromise, that password can reach the dark web and be re-used against other systems in a very short period of time. Especially, don’t reuse passwords between work and home; this can lead to a business compromise and a lot more headaches.

Use a Password Manager – Making passwords more complex creates the challenge of remembering them. Password Management software can not only hold all of your passwords and help you find them, but they can also auto-generate very complex passwords for you.

Use Multi-Factor Authentication – For systems you feel are important or contain important personal data, be sure to enable multi-factor authentication. This helps defeat the issues of stolen passwords.

Don’t Click on Email Links – And of course, don’t fall prey to email phishing. This can compromise the tightest security controls, even on your personal laptop, by allowing the bad actors to either gain direct access or to download your passwords saved in your browser.

Now, go get a password manager and change all of your financial passwords today!
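As an added example (not code from the original post or from ACSM), here is a small Python checker that applies the password rules listed above and also flags password reuse across accounts, the way a password manager's audit feature does. The rule thresholds (12+ characters, special characters, mixed case, no personal info) come from the post; the rule names, the `personal_info` list and the sample vault entries are constructed for illustration.

```python
"""Password-policy and reuse checker based on the World Password Day tips.

Added example, not part of the original post. Rule thresholds come from
the post; the function names, the personal-info list and the sample vault
are constructed for illustration.
"""
from collections import defaultdict
from typing import Iterable

# Special characters named in the post (%@#&~!) plus the rest of ASCII punctuation.
SPECIAL_CHARS = set("%@#&~!" + "$^*()-_=+[]{};:'\",.<>/?\\|`")


def check_password(password: str, personal_info: Iterable[str] = ()) -> dict:
    """Evaluate one password against each rule; True means the rule passed."""
    lowered = password.lower()
    return {
        # "Make passwords at least 12 characters long"
        "min_length_12": len(password) >= 12,
        # "Use complex characters (%@#&~!)"
        "has_special_char": any(c in SPECIAL_CHARS for c in password),
        # "Use mixed-case letters"
        "mixed_case": any(c.islower() for c in password)
        and any(c.isupper() for c in password),
        # "Don't use personal info for full words in the password"
        # (terms shorter than 3 characters are ignored to avoid noise)
        "no_personal_info": not any(
            term.lower() in lowered for term in personal_info if len(term) >= 3
        ),
    }


def failed_rules(password: str, personal_info: Iterable[str] = ()) -> list:
    """Names of the rules the password fails, in rule order."""
    return [rule for rule, ok in check_password(password, personal_info).items() if not ok]


def is_strong(password: str, personal_info: Iterable[str] = ()) -> bool:
    """True only when every rule passes."""
    return not failed_rules(password, personal_info)


def find_reused_passwords(vault: dict) -> list:
    """Group account names that share the same password ("Don't Reuse Passwords").

    `vault` maps an account name to its password, as a password manager
    would hold it. Returns a sorted list of sorted account groups, one group
    per password used more than once.
    """
    accounts_by_password = defaultdict(list)
    for account, password in vault.items():
        accounts_by_password[password].append(account)
    return sorted(
        sorted(accounts) for accounts in accounts_by_password.values() if len(accounts) > 1
    )


if __name__ == "__main__":
    # Constructed sample data: a user named John Smith and three accounts.
    me = ["John", "Smith"]
    sample_vault = {
        "bank": "Tr0ub4dor&3xtra!",
        "email": "Tr0ub4dor&3xtra!",   # same password as the bank: flagged as reuse
        "forum": "JohnSmith2024!xyz",  # contains personal info: flagged
    }
    for account, pw in sample_vault.items():
        print(f"{account}: failed rules = {failed_rules(pw, me)}")
    print("reused across:", find_reused_passwords(sample_vault))
```

The reuse check compares the stored secrets in memory, which is what a password manager audit does; it deliberately never prints the passwords themselves, only the account names that share one.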

American Cyber Security Management is a leader in data privacy, cybersecurity, and compliance. Our mission is to help enterprises protect their data from internal and external threats. We offer on-demand assessment, implementation, and sustainability services that focus on privacy and cybersecurity readiness and compliance, risk reduction, and mitigation. https://www.americancsm.com

Filed Under: Cyber Security News

American Cyber Security Management once again Proud Sponsor of RMISC

April 18, 2025 By Carlin Dornbusch

Cybersecurity and Privacy Expertise and Community Support at RMISC 2025.

At AmericanCSM.com (https://www.americancsm.com/ ), we are thrilled to announce our continued support and sponsorship for the Rocky Mountain Information Security Conference (RMISC) 2025. This prestigious event, set to take place at the Colorado Convention Center from May 28-30, 2025, represents a vital meeting ground for cybersecurity, compliance and privacy professionals in the Rocky Mountain region and beyond.

As a company that prides itself on delivering top-notch cybersecurity and privacy services, including Security and Privacy Assessments, Pen Tests, and our CISO-as-a-Service and DPO-as-a-Service, AmericanCSM.com understands the importance of fostering a strong cybersecurity community. RMISC 2025 is the perfect platform for this, offering a rich tapestry of sessions that cover the most pressing topics in our field today, from IT security and compliance to emerging threats and cybersecurity innovations.

At AmericanCSM.com, we also offer Privacy services, such as privacy assessments and DPO-as-a-Service, recognizing that privacy and security are two sides of the same coin. Events like RMISC allow us to showcase these services while gaining insights into the needs and challenges faced by our community, ensuring that our offerings remain at the cutting edge.

As always, we are not just sponsors; we are also proud participants. Several of our esteemed colleagues will be speaking at the conference. Carlin Dornbusch, Brian Sudis, and Paul Herbka will share their insights and expertise, contributing to the knowledge exchange that RMISC facilitates so well. Carlin Dornbusch is also now a member of the RMISC Operational Committee and serves as one of the board members of RMISC’s newly founded business entity.

Supporting local cybersecurity events like RMISC is crucial for several reasons. First, it allows us to give back to the community that drives our industry forward. These gatherings are essential for networking, sharing knowledge, and discussing new ideas and technologies that can shape the future of cybersecurity and privacy. Second, by sponsoring RMISC, we help ensure that the local cybersecurity, compliance and privacy community remains vibrant and accessible, providing professionals of all levels with opportunities to learn, grow, and collaborate.

We invite all attendees to connect with us during the conference, whether it’s attending one of our talks, visiting our booth in the exhibitor’s hall, or just saying hello. Let’s make RMISC 2025 a landmark event for collaboration, learning, and advancement in cybersecurity!

Come listen to our insights on:

  • Thursday, May 29, 11:00 – Noon – “Boardroom Blunders – Cyber Risk in the Boardroom”
  • Friday, May 30, 11:00 – Noon – “Leadership, Cybersecurity and the CISO – Wish I Had Known…”

For more information on RMISC 2025, please visit their website at https://rmisc.org/ and we look forward to seeing you there and continuing to build a safer digital world together.

Filed Under: Cyber Security News

DPO Roles and DPA Rulings

March 27, 2025 By Carlin Dornbusch

Many companies are trying to do more with less these days. In some cases, they have existing staff play multiple roles in the company. When managing your privacy program, you need to be extra careful that the DPO role does not conflict with the other duties of the person filling it. A case in point is the recent (3/14/2025) decision of the Data Protection Authority (DPA) in Norway on exactly this issue at a local business, Telenor.

Summary of Findings from the Norwegian Data Protection Authority’s Decision on Telenor ASA

The Norwegian Data Protection Authority (Datatilsynet) conducted an inspection of Telenor ASA’s compliance with GDPR requirements for Data Protection Officers (DPOs) and organizational measures. Here are the key findings and implications regarding internal counsel serving as DPO:

Key Findings and Violations

  • Article 37 (DPO Designation):
    • Telenor ASA failed to document its assessment of whether it was obligated to appoint a DPO
    • The company’s record of processing activities was incomplete and inconsistent
    • The DPO’s contact information was not properly published (Article 37(7))
  • Article 38 (DPO Position):
    • The DPO lacked a direct reporting line to the highest management level (Article 38(3))
    • Resources allocated to the DPO were insufficient (Article 38(2))
    • Independence and conflict of interest concerns were not properly addressed
  • Article 24 (Organizational Measures):
    • Inadequate policies and organizational measures to ensure GDPR compliance
    • Unclear division of controllership responsibilities
    • Lack of documented procedures for DPO involvement

Internal Counsel as DPO – Requirements and Challenges

The decision addresses whether an internal counsel can serve as DPO. While not prohibited, several significant requirements must be in place:

1. Clear Distinction Between Roles

  • The job description must clearly distinguish DPO duties from legal counsel duties
  • The roles must be formally separated with distinct responsibilities and reporting lines
  • Using a separate email address for DPO matters is necessary to differentiate functions clearly

2. Independence Safeguards

  • The DPO must be able to provide independent advice that may conflict with business interests
  • The supervisor-trainee-lawyer relationship can potentially compromise independence
  • Potential conflicts of interest (including share ownership) must be specifically assessed and documented

3. Resource Allocation

  • Sufficient time must be allocated for DPO duties – the 50% FTE allocation was found to be insufficient
  • The DPO should not face competing priorities between legal counsel work and DPO responsibilities
  • The DPO should have access to necessary resources without having to request them from direct superiors

4. Reporting Structure

  • A direct reporting line to the “highest management level” must be established and documented
  • This reporting line should allow the DPO to bypass intermediate management levels when necessary
  • The reporting structure must be formalized in policies, not merely described in presentations

Conclusion

While internal counsel can serve as DPO, Datatilsynet found significant challenges in combining these roles. The decision highlights that:

  1. It’s not automatically prohibited for in-house legal counsel to serve as DPO, but robust safeguards must be in place to ensure independence and prevent conflicts of interest.
  2. The combination requires clear organizational separation, adequate resource allocation, direct access to top management, and formal policies documenting these arrangements.
  3. The company must assess and document potential conflicts of interest, including how the professional dependency relationship related to legal career development might affect DPO independence.
  4. The Norwegian authority expressed serious doubts about whether an Associate Lawyer position can be effectively combined with the DPO role, given the inherent tensions between these functions.

You can read the whole story here: https://www.datatilsynet.no/en/news/aktuelle-nyheter-2025/sanctions-imposed-on-telenor-asa-for-lack-in-the-organisation-of-the-data-protection-officer-and-lack-of-internal-control/

ACSM has been helping businesses protect their assets and improve their security and privacy posture since 2006. Our skilled team can help your business understand its cyber weaknesses and potential threats as well as improve your security, privacy, and compliance postures. Our services include penetration testing, maturity assessments, cyber security, and privacy implementation assistance, CISO-as-a-Service, and DPO-as-a-Service, to mention a few.
To learn more about how ACSM can help support your cyber defense needs, please use our contact page https://www.americancsm.com/contact-us/ and schedule a free consultation call today.

Filed Under: Cyber Security News


Copyright © 2026 American Cyber Security Management