How about renting a CSO?

At a time when cyber security threats continue to increase in sophistication and prevalence, there's a real shortage of experienced, skilled security leaders. What's a company to do? One thing to consider is "renting" a CISO or other senior security executive.

The number of organizations taking on temporary security leadership is on the rise, experts say, to help address immediate security needs when organizations can't find someone to fill a full-time position--or in many cases when they can't afford to staff a C-level security position.


A new report by research firm Frost & Sullivan and the International Information System Security Certification Consortium (ISC)2, a provider of education and certification services for information security professionals, shows that a significant talent shortage is underway in the security field.

According to the study, nearly two thirds (62%) of the 14,000 global organizations surveyed online in 2014 say they don't have enough security professionals. In a similar 2013 survey, 56% said the same.

A major contributor to the shortage is an insufficient pool of suitable candidates, the report says. It predicts that the global security hiring shortfall, meaning the gap between the workforce projected to be needed to address escalating security staffing needs and the workforce actually projected to be available, will reach 1.5 million within five years.

For some, renting security executives and staff is the answer.

"We see organizations picking up temporary CISOs while they search for the right candidate in a very small pool, particularly of A-players," says Jeremy King, president at Benchmark Executive Search, an executive recruitment firm that specializes in security and emerging technologies.

"The upside of a temporary CISO is that it enables organizations to usually take some actions to build an information security program and develop a security road map based on the expertise of the consultant and his or her relationship with the C-suite," King says.


The downside is that it is often very difficult to build and sustain a comprehensive information security program without a permanent CISO who has or is building enduring relationships with other stakeholders inside and outside of the organization, King says.

The concept of the rented CISO is especially appealing to smaller companies that lack internal security resources.

Threshold Enterprises, a distributor of natural supplements, elected to bring in security help from Arctic Wolf Networks because its business was growing fast and "outstripping conventional incremental approaches to improving network services and providing for security," says Charlie Muller, director of IT at Threshold.

"Our security challenge has grown exponentially and we found ourselves waking up to a very risk-riddled situation and network environment," Muller says. "This was overwhelming to our small team."

Threshold needed to address the challenge quickly and effectively. "The first step was to find the right partnership, and this took some time," Muller says. "Once completed, the relationship proved to be a natural fit." In addition to having a security partner, "we realized we needed to outsource and leverage the project management of our security program," he says.

Arctic Wolf Networks specializes in working with mid-sized companies that lack a CSO or CISO role and the expertise those roles provide. Its security team provides input on security architecture, best practices, policy reviews, penetration tests, continuous monitoring reviews, incident response and other services.

While the firm doesn't specifically call its security experts "CISOs," they provide the overall security guidance that clients need when they lack their own security leadership.

By deploying technologies such as security information and event management (SIEM) and providing ongoing expertise, Arctic Wolf Networks has helped Threshold better analyze and address points of exposure to security threats, Muller says. The firm helps Threshold evaluate and deploy whatever security tools and services the company needs based on changing security threats and vulnerabilities as well as its technology budget.

Those who rent themselves out as CISOs say business is growing, although they too are being affected by the talent shortage. Max Aulakh, president of MAFAZO Digital Solutions, works as a "virtual CISO" for several clients ranging from a small company to a large, publicly traded enterprise. Prior to providing this service, he worked in cyber security in the private sector and the U.S. government.

Although demand is growing, "it is difficult to scale this service due to [the] shortage of skills in the industry," Aulakh says. "Continuous cyber attacks are driving growth and cyber [security] has become a board-level concern for many small and large companies."

How the rental arrangements work depends on the clients' needs. "But as a general rule of thumb, they purchase blocks of hours at a premium price," Aulakh says. "I help with building road maps, manage technical teams, present risk-related information to executive teams in a language they can understand, help coach CFOs on their responsibilities when it comes to security budgets."

In addition, Aulakh helps clients understand the business impact of security incidents in dollars and what they can do to mitigate risks. "For large companies, the [virtual] CISO role is an interim role," he says. "But for smaller companies it's a permanent ongoing relationship, because they cannot afford a full-time CISO."

Renting CISOs can benefit companies because these executives can help navigate risk and compliance issues and in some cases have experience speaking with board members, Aulakh says. "They can present a case well and articulate the value of security," he says.

One of the first to work as a virtual CISO, and the person credited with coining the phrase, is Andrea Hoy, who served as a security executive for companies including Rockwell and Boeing before striking out on her own.

"I stumbled onto the idea of being a virtual CISO back in late 2001," says Hoy, president and founder of A.Hoy & Associates.

"It made sense. Small startups post 9/11 [needed] to secure their computing environment" and in some cases large corporations needed help creating a CISO role.

Because Hoy had experience starting a security program from scratch, she was familiar with the challenges. Today, she tries not to exceed six "true virtual CISO" positions a year, "because otherwise I am just consulting."

As a virtual CISO, she heads up security functions for smaller entrepreneurial companies and startups that can't afford to hire a full-time CISO, but realize they need to have some information security and risk management in place.

For larger clients, Hoy sometimes comes in to help a new CISO who's just beginning work. For example, she helps provide an initial security baseline and gap analysis. She also works as an interim CISO for companies that are in between full-time CISOs. In this role, she helps the organizations select a full-time person to take over the role.

Whether it's a good idea to bring in a temporary CISO depends on the timelines of projects, the structure of the company, the company's culture, and its financial position, Hoy says. "But most of all the importance of its information security posture and risk exposure," she says. "Some companies, in order to meet certain contractual obligations by federal regulations, have to have a system security plan initiated before being able to start any contract or maintain contractual obligations."

Others might have just had a security breach, but are still not quite ready for or can't afford full-time staffing to do the strategic guidance and prioritization of security initiatives.


A company should not rent a CISO if it does not intend to make any changes internally about its security posture, Aulakh says. "Many times firms bring in CISOs expecting magic to happen, without being willing to allocate any resources for initiatives," he says. "This can have a negative impact on the business, as they have identified liability issues but have chosen not to do anything about it."

And organizations should not rent CISOs if they're not willing to share that person's time with other companies, or if they aren't really interested in implementing information security as part of their strategic plan, Hoy says.

"You might be better served with a consultant or [managed security service provider] for the specific identified need," Hoy says. "But if you want an overall long-term plan, hire a [virtual] CISO. They will become a part of your company, learn your culture and save you time when you want to add a new tool or technology or upgrade a security technology."
