Pinpointing the Win-Win in Building, Improving Cybersecurity Programs

Mike Rock, Chief Information Security Officer (CISO)

Photography by Tracy Doyle


If you’re a C-suite executive with questions about your company’s cybersecurity program, or lack thereof, Vernovis Chief Information Security Officer (CISO) Mike Rock has some answers for you.


Spoiler alert: He’s not peddling products or services, just promoting practical, real-world advice for developing or improving your company’s business plan for protecting its digital assets, business operations and reputation.

Rock, formerly the CISO for a Fortune 500 financial services company, joined Vernovis in January of this year. Vernovis is a boutique consulting firm that provides on-demand project resources to leading businesses in the Cincinnati, Dayton and Columbus areas. The firm offers mid- to senior-level consultants and subject matter experts in the technology, cybersecurity, accounting and finance fields.

“I originally started as a consultant, and within the first three or four weeks, they made the decision to bring me on board to build their cybersecurity practice,” Rock recalls. “Since that time, we’ve seen and heard a lot of interest in what we’re building – a cybersecurity practice where we don’t sell anything, we only provide professional advice. My key role is to help small to medium-sized businesses understand where they are from a cybersecurity perspective and what I feel they could be doing to enhance their cybersecurity efforts, rather than trying to sell them something and convince them they need it.”

In 2017, 58 percent of the 2,216 confirmed data breach victims were small businesses.[1] Depending on the source, the average costs for small business breaches range from $117,000[1] to $879,582[2] before even considering the cost of disruption of operations. Small to medium-sized businesses clearly can’t afford to ignore their cybersecurity needs, but most don’t have huge amounts of resources to spend building or improving their security programs. That’s where Rock, with his straight talk and seasoned advice, rolls in. Compliance and risk assessments, remediation project management, security program road mapping and oversight, and other ongoing CISO advisory services are all subjects he is more than well-equipped to discuss.

Since April, for example, he has been involved in a Vernovis-sponsored C-suite cybersecurity speaker series, hosted by the Cincinnati USA Regional Chamber of Commerce, addressing basic questions such as “Security Program? CISO? What Are They and Why Do I Need Them?” The series also addresses security spending – what it takes to build, improve and maintain security programs. Additionally, Rock highlights questions C-suite executives should be asking their security program leaders.

Rock likens his professional advisory role to that of a real estate home inspector.

“People hire home inspectors to go from one end of the house to the other, telling them where all the issues are so they can decide what they are going to fix, or if they should even buy the house. But home inspectors aren’t contractors,” says Rock. “They don’t come in and fix the stuff. And homeowners feel comfortable heeding their solid advice because, frankly, the home inspectors don’t have a dog in that hunt. Their job is to get dirty, find everything that’s wrong and write it all up in a way the homeowner understands, and advise them on what they probably should get fixed and what they can probably get away with not fixing. That’s the best analogy for what I do.

“I’m not a hardliner,” he adds. “I just assess a company’s cybersecurity situation, offer options, discuss how much they want to spend in that space, talk over what it means and offer practical alternatives. Nobody wants to spend a million dollars to solve a $100,000 problem. At the end of the day, it’s about taking care of our clients. I treat our clients’ money like my own money. As far as I’m concerned, I don’t want them to overspend or spend in the wrong directions.”

Rock values the opportunity to impress upon business leaders who might still be dragging their feet on establishing a cybersecurity plan that technology and security today are integral aspects of a business, not plug-ins or add-ons. He emphasizes the necessity of embracing technology and security as core business responsibilities.

“For me, it’s all about trying to find the win-win for my clients,” Rock concludes. “I bring the real-world perspective to them. I say, ‘Here are the real-world risks. And remember, you’re not playing with house money, you’re playing with your customers’ data.’”


Vernovis is located at 4770 Duke Drive, #180, Mason, OH 45040. For more information, call 513.234.7201, email or visit