By: Justin Fimlaid

On Demand CISO

We come across companies and organizations all the time that need security help.  Some companies are able to address the need by hiring in-house security engineers or security analysts.  The Chief Information Security Officer (CISO) remains a hard position to fill. This could be for a variety of reasons, but the common reasons we often hear are:

  1. Too expensive.
  2. Not enough work to justify a full-time resource.
  3. Too hard to find a CISO that matches the organizational culture.

Truth be told, it’s a tough role to fill for all these reasons.  The Ponemon Institute published an article on security staffing in February 2014: IT Security Jobs Research

This research is insightful if you are currently trying to address security staffing needs.  One point that’s resounding – Security Executives are hard to find, hard to recruit, and hard to keep.  The average Security Executive stays in their role for only 2.5 years before moving on.

If you struggle with any of the reasons above, or struggle to keep consistent security leadership, then perhaps a contract CISO is right for your organization. The role goes by a few terms, including On Demand CISO, Virtual CISO, and Contract CISO. Some of the benefits of having an On Demand CISO include, but are not limited to:

  1. a temporary CISO (for companies taking a little more time to find the right person to hire in house),
  2. a CISO for small or medium-sized companies that want one but don’t have enough work to justify a full-time resource,
  3. strong security expertise to train and build the in-house security muscle,
  4. help with annual information security planning,
  5. and an on-demand advisor to augment your in-house team.

Contract CISOs don’t have to be full time, and one day a week might be right for your organization. When you pick a company to partner with for your On Demand CISO, they should be flexible to your needs. It’s also important to point out that not all On Demand CISOs are equal. It is important to find someone who has been a CISO and understands the challenges of the role. Many security firms claim to provide this service but instead offer a senior advisor with limited experience as an industry CISO. At NuHarbor our staff includes former CISOs of Fortune 500 companies. Our staff have lived the security challenges you might be facing today.