The wave of cyber security attacks that led tech pundits to christen 2014 “The Year of the Hack” has continued well into 2015, with organizations racing to hire Chief Information Security Officers (CISOs). However, as the Wall Street Journal recently reported, the search for CISOs has become a seller’s market due to high demand and a shortage of talent. CISOs who are technically savvy and able to communicate comfortably with their C-suite are commanding top salaries. Industries such as banking and healthcare are paying more than $1 million in CISO salaries, while other industries are ponying up $500,000 – $600,000. Companies that lack the bandwidth – and the bank accounts – to hire a full-time CISO are turning to HOSTING for part-time CISO expertise.
What is a part-time CISO?
A part-time CISO, also known as a virtual CISO, fractional CISO, or CISO on-demand, provides small to mid-sized businesses with expertise and recommendations to address their specific information security and compliance requirements. This person serves as a senior-level team member who is responsible for establishing and maintaining strong security measures and programs to ensure that information and technology assets are protected against cyber security threats.
The benefits of part-time CISOs
Engaging with a part-time CISO enables organizations to take advantage of the same knowledge and expertise as a full-time CISO without having to invest in additional overhead. For some organizations, a part-time CISO can implement the necessary security initiatives without having to staff a full-time role, including risk evaluation, threat assessment, security training and, in some cases, compliance monitoring and audit support. A part-time CISO can integrate seamlessly with internal IT resources, allowing an organization to maximize its resources and take on other initiatives.
What to look for in a part-time CISO
When considering a part-time CISO, it’s important for organizations to ensure that potential candidates not only understand their particular security landscape, but are also up to date on trends in cyber threats and the security industry. For example, in 2014, cyber criminals were infiltrating retail giants such as Target and Home Depot. Today, they’re focusing their attention on the healthcare industry, targeting Anthem, CareFirst BlueCross BlueShield, and Premera. A qualified CISO must think like a cyber criminal in order to anticipate current and future security needs.
Formal training, in addition to “in-the-trenches” experience, is also key. Look for part-time CISOs who are also CISSPs. A CISSP is a Certified Information Security Professional who has met rigorous background and training requirements to design, engineer, implement, and manage an organization’s overall information security program. ISC2, which maintains the standard for CISSPs, also has strict annual continuing-education requirements for maintaining the CISSP certification.
For organizations that must adhere to compliance regulations as prescribed by HIPAA/HITECH, PCI DSS and/or SOX, it’s essential to engage with a part-time CISO who has experience establishing and maintaining security programs that address them.
Beyond building a security-focused culture, CISOs must be able to explain risks to senior managers and board members who may not be tech savvy. This means leaving the tech jargon in the scrum and providing executives with clear, actionable information – without scaring the bejesus out of them.
HOSTING Managed Security Services™
Led by our in-house CISO, the HOSTING team of CISSP-certified professionals provides organizations with the security and compliance expertise to keep their environments safe – without breaking their budgets. Fast, fluid and focused, they provide managed security services that are customized to a company’s technology, environment and compliance requirements. Contact HOSTING today to learn how they can safeguard your firm against potential cyber security threats.