This article was originally published by Help Net Security on January 28, 2019.
Many companies eventually find themselves in the following situation: they’re growing, their technology, infrastructure and teams are expanding, perhaps an M&A is on the horizon, and the board is asking pointed questions about security. It’s usually at this point that a business starts to notice fissures in the walls of what once felt like a tightly locked structure. New challenges in operations, culture, and security begin to arise.
Inevitably, when a company hits this phase of growth, the question of hiring a CISO comes up. Should you pull the trigger? Maybe. But maybe not.
A CISO is a big and important role for today’s technology, healthcare, financial, and other regulated industries. Hiring a CISO means your organization has hit a point of scale where security is a top priority and needs to become more a part of the culture and the leadership.
Before you hire an expensive recruiter, spend months interviewing candidates and add a hefty new line to your budget, consider a fractional CISO. It’s an option that could provide you with the security leadership you need while affording the most intelligent use of resources.
The benefits of a fractional CISO
Fractional CISO providers can be chosen to deliver the exact skills you require, exactly when you require them.
Consider an organization that is struggling to achieve and maintain PCI compliance for a complex environment. Beyond security expertise, the organization requires a PCI compliance veteran who understands the program-building and transformation journey ahead. Moreover, they require a proven business advisor, one who can educate management, guide investment decisions and build the coalitions necessary to ensure lasting success.
The importance of introducing a seasoned strategist at this stage cannot be overstated. However, as you would imagine, these individuals are in short supply, and their premium rates would be wasteful expenditures as long-term resources.
A fractional CISO can also have a keen eye for resourcing, creating efficiencies by leveraging external relationships and assessing in-house talent to ensure all levels of work will be performed by the best SME for the job. Whether delivering board-level messaging, guiding compliance fulfillment or simply developing security policies, fractional CISOs meet the unique demands of a growing business and its emerging security program.
The right time to make the hire
CISOs are often reactive hires. Major breaches and regulatory compliance pressures have been the driving forces to launch many security programs. Whatever the trigger, there is almost always a specific outcome required in a short amount of time.
Concurrently, this is when a company learns that its existing resources don’t have the right leadership to address the security challenges at hand. Many times, organizations struggle to meet these needs by propelling a senior engineer into the ranks of leadership, only to later realize that they were not prepared for the work they were required to take on. In these instances, it quickly becomes obvious that a different kind of leader and strategy is necessary.
Particularly in these fledgling security programs, fractional CISOs are game-changers in helping emerging leaders span the void between technical know-how and business acumen. Whether operating independently or mentoring and up-leveling existing talent, the fractional CISO can help you jumpstart your security program and implement a program framework capable of serving you well into the future.
What to expect from a fractional CISO
Typically, the person in this role has been in the industry for many years, has had previous exposure to many security scenarios and has skillfully maneuvered his or her way through compliance audits that send many of us running in the opposite direction. Your fractional CISO is there to lead.
He or she will also bring a sophisticated level of visibility to the security program. A hot topic right now is the quantification of security risk. CEOs and boards want this assessed in financial terms. The fractional CISO should have the experience and knowledge to answer this particular call.
A fractional CISO can be the best answer for a growing company that needs leadership and strategy, is heading into unknown or uncomfortable regulatory compliance waters, but isn’t quite ready to pull the trigger on a full-time hire. The fractional CISO can deliver the right mix of security leadership, strategic blocking and tackling, and can help optimize and mature your overall security program.