The rise of the "on-demand" Chief Information Security Officer
- 24 October, 2017 10:08
As companies strive to improve their levels of security in the midst of increasing cyber threats, many are finding it difficult to recruit sufficient numbers of skilled staff. Deploying and maintaining an effective IT security infrastructure is no easy task and people with the knowledge and experience needed are in short supply.
The situation is likely to get worse before it gets any better. As organisations come to rely increasingly on digital assets and workflows, maintaining security becomes a higher priority. This, in turn, is resulting in more competition for any qualified professionals who are on the market.
The problem is particularly acute when an organisation is searching for a Chief Information Security Officer (CISO). CISIOs need a rather unique blend of both technical skills and business acumen acquired over many years. They need to understand the challenges posed from a corporate perspective as well as have a deep technical understanding of the threats faced and ways in which they can be overcome.
If a suitable candidate can be located, the salary required to secure them can be significant. Many CISOs command salaries in the hundreds of thousands of dollars, making their appointment impossible for all but the largest organisations.
An alternative approach
For organisations unable to find a permanent CISO, an alternative is to take a different tactic and source the needed skills using an 'on-demand' approach.
Rather than looking to employ a hard-to-find CISO on a full-time basis, a suitably skilled candidate could be retained as a consultant for a pre-determined amount of time each month. This could be a particularly effective strategy for a smaller organisation that is unable to meet the cost of having such a person on the full-time payroll.
Working with the organisation, this on-demand CISO can undertake a forensic examination of the existing security infrastructure that is in place and make recommendations for its enhancement. They can also take the time to gain a deep understanding of the unique business requirements of the organisation and its employees.
The on-demand CISO is also able to work closely with the board to ensure it understands the risks and challenges being faced. Security has changed from being something handballed to the IT department into something that is top of the agenda for many boards. By having access to this advice, strategic decisions can thus be made from a fully informed perspective.
Bridging the divide
An on-demand CISO will also be in a strong position to help bridge the divide that often exists between a business and its IT department. This divide is often something that has occurred over a period of years and can hamper the efficient deployment and use of technology.
It can result in the selection by the IT department of systems that are not the best fit for business processes. At the same time, it can lead to business units bypassing the IT department altogether and resorting to so-called 'shadow IT' and securing their own technology resources directly.
This type of divide can also have significant negative consequences when it comes to security. If services and resources are being used within an organisation without the knowledge of the IT department, any defences that are in place could be compromised or rendered ineffective.
A fresh perspective
Importantly, an external on-demand CISO will be able to provide fresh perspectives gained from their work in other places or sections of the market. This can allow the organisation to benefit from new ideas and strategies that might otherwise have gone unnoticed.
Not being able to secure or afford a full-time CISO does not need to prevent an organisation from having access to the security skills and knowledge it requires. Using an on-demand CISO is the answer.