Hired guns: The rise of the virtual CISO

When is the right time to rent yourself a CISO?


The enterprise is facing a dangerous combination of mounting cybersecurity threats of increasing subtlety—and a widening gap in the skills required to identify and combat them. Having someone who knows how to lead the charge in identifying and analyzing threats, creating strategic security plans and ensuring compliance requires the right level of expertise.


The Information Systems Security Association spoke of a “missing generation” in information security, pointing to an estimated 300,000 to 1 million vacant cybersecurity jobs. The labor shortfall is further complicated by retention: security professionals at enterprises know they are in demand, and employers can expect them to receive offers from other companies. According to a Ponemon study, senior security executives on average leave after 30 months on the job.

Almost three-fourths of respondents in a 2014 Ponemon report said their organizations do not have enough IT security staff. The fact is enterprises are looking to fill security positions. According to Burning Glass, a labor analytics firm, cybersecurity job postings grew 74 percent from 2007 to 2013. Filling those positions, however, is another story.

Finding the right person to drive enterprise security

According to Cisco's 2015 Annual Security Report, 91 percent of companies have an executive who is directly responsible for security, but only 29 percent of them have a chief information security officer (CISO). Businesses with a CISO in place recorded the highest levels of confidence in their security stance, both in terms of optimization and clarity.

Many organizations are asking other executives to step into the gap, but those executives often lack the expertise required to outline a solid information security policy and drive it forward. Would you want a podiatrist filling in for a neurosurgeon?

For small- to mid-sized businesses, it may be difficult to justify the expense of a full-time CISO. Recruitment can also be a challenge. How do you find the right fit for your business within your budget when you lack the internal experience to properly evaluate a candidate?

Enter the virtual CISO

For smaller businesses, it simply doesn't make sense to invest in a full-time CISO when you can hire a virtual one and get the specialty skills you need to draw up a strategic overview and deliver the big picture. With a virtual CISO, there's no need to worry about benefits or monthly overhead.

Say you’re a larger enterprise. You're suffering from attrition and need someone to step in on an interim basis. You want some supervision and advice for a relatively green InfoSec manager or you want to ensure that you only pay for what you actually need. Renting a CISO could be the answer.

Making the business case for a virtual CISO

There’s no set universal standard for hiring a virtual CISO. You can set up a retainer for a certain number of hours, you can hire someone on a project basis, and/or you can even buy a chunk of support hours and use them when you need them. It's a way of getting the cream of security talent without buying the whole cow.

Contracting a virtual CISO can be far more cost effective than hiring a full-timer. They can fill in where you need it the most, helping your CIO pull together your security policies, guidelines and standards. That could entail anything from coming to grips with HIPAA or PCI compliance to staying on top of vendor risk assessments.

A qualified virtual CISO is fully up to speed on the latest best practices, has experience dealing with a wide variety of scenarios, and is well-positioned to train your internal security staff.

The typical annual contract rate for a virtual CISO is 35 percent to 40 percent of what it costs, at normal industry salaries, to pay a full-time information security team to perform the same services, according to Bank Info Security.

Preventive security vs. post-incident cleanup

Many companies are being forced to spend an ever-increasing proportion of their budget on cleaning up after incidents. A virtual CISO can be invaluable as a firefighter, but don't wait until a breach occurs; prevention is always better than cure.

Whether you're looking to get a snapshot of your security posture, you need to fill a temporary gap, or you need a leader to roll out a companywide information security policy, the virtual CISO is a compelling value proposition. Until the new generation of security graduates matures, the virtual CISO may be your best shot at tempering security risks.

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.

This article is published as part of the IDG Contributor Network.
