At a time when cyber security threats continue to increase in sophistication and prevalence, there’s a real shortage of experienced, skilled security leaders. What’s a company to do? One thing to consider is “renting” a CISO or other senior security executive.
The number of organizations taking on temporary security leadership is on the rise, experts say, to help address immediate security needs when organizations can’t find someone to fill a full-time position—or in many cases when they can’t afford to staff a C-level security position.
A new report by research firm Frost & Sullivan and the International Information System Security Certification Consortium (ISC)2, a provider of education and certification services for information security professionals, shows that a significant talent shortage is underway in the security field.
According to the study, nearly two thirds (62%) of the 14,000 global organizations surveyed online in 2014 say they don’t have enough security professionals. By comparison, 56% said the same in a similar 2013 survey.
A major contributor to the shortage is an insufficient pool of suitable candidates, the report says. It predicts that the global security hiring shortfall—the difference between a projection of the workforce that’s needed to fully address escalating security staffing needs and workforce projections—will reach 1.5 million within five years.
For some, renting security executives and staff is the answer.
“We see organizations picking up temporary CISOs while they search for the right candidate in a very small pool, particularly of A-players,” says Jeremy King, president at Benchmark Executive Search, an executive recruitment firm that specializes in security and emerging technologies.
“The upside of a temporary CISO is that it enables organizations to usually take some actions to build an information security program and develop a security road map based on the expertise of the consultant and his or her relationship with the C-suite,” King says.
The downside is that it is often very difficult to build and sustain a comprehensive information security program without a permanent CISO who has or is building enduring relationships with other stakeholders inside and outside of the organization, King says.
The concept of the rented CISO is especially appealing to smaller companies that lack internal security resources.
Threshold Enterprises, a distributor of natural supplements, elected to bring in security help from Arctic Wolf Networks because its business was growing fast and “outstripping conventional incremental approaches to improving network services and providing for security,” says Charlie Muller, director of IT at Threshold.
“Our security challenge has grown exponentially and we found ourselves waking up to a very risk-riddled situation and network environment,” Muller says. “This was overwhelming to our small team.”
Threshold needed to address the challenge quickly and effectively. “The first step was to find the right partnership, and this took some time,” Muller says. “Once completed, the relationship proved to be a natural fit.” In addition to having a security partner, “we realized we needed to outsource and leverage the project management of our security program,” he says.
Arctic Wolf Networks specializes in working with mid-sized companies that lack a CSO or CISO role and the expertise those roles provide. Its security team provides input on security architecture, best practices, policy reviews, penetration tests, continuous monitoring reviews, incident response and other services.
While the firm doesn’t specifically call its security experts “CISOs,” they provide the overall security guidance that clients need when they lack their own security leadership.
By deploying technologies such as security information and event management (SIEM) and providing ongoing expertise, Arctic Wolf Networks has helped Threshold better analyze and address points of exposure to security threats, Muller says. The firm helps Threshold evaluate and deploy whatever security tools and services the company needs based on changing security threats and vulnerabilities as well as its technology budget.
Those who rent themselves out as CISOs say business is growing, although they too are being affected by the talent shortage. Max Aulakh, president of MAFAZO Digital Solutions, works as a “virtual CISO” for several clients ranging from a small company to a large, publicly traded enterprise. Prior to providing this service, he worked in cyber security in the private sector and the U.S. government.
Although demand is growing, “it is difficult to scale this service due to [the] shortage of skills in the industry,” Aulakh says. “Continuous cyber attacks are driving growth and cyber [security] has become a board-level concern for many small and large companies.”
How the rental arrangements work depends on the clients’ needs. “But as a general rule of thumb, they purchase blocks of hours at a premium price,” Aulakh says. “I help with building road maps, manage technical teams, present risk-related information to executive teams in a language they can understand, help coach CFOs on their responsibilities when it comes to security budgets.”
In addition, Aulakh helps clients understand the business impact of security incidents in dollars and what they can do to mitigate risks. “For large companies, the [virtual] CISO role is an interim role,” he says. “But for smaller companies it’s a permanent ongoing relationship, because they cannot afford a full time CISO.”
Rented CISOs can be beneficial to companies because they can help navigate risk and compliance issues and, in some cases, have experience speaking with board members, Aulakh says. “They can present a case well and articulate the value of security,” he says.