How about renting a CSO?

At a time when cyber security threats continue to increase in sophistication and prevalence, there’s a real shortage of experienced, skilled security leaders. What’s a company to do? One thing to consider is “renting” a CISO or other senior security executive.

The number of organizations taking on temporary security leadership is on the rise, experts say, to help address immediate security needs when organizations can’t find someone to fill a full-time position—or in many cases when they can’t afford to staff a C-level security position.

A new report by research firm Frost & Sullivan and the International Information System Security Certification Consortium (ISC)2, a provider of education and certification services for information security professionals, shows that a significant talent shortage is underway in the security field.

According to the study, nearly two thirds of 14,000 global organizations surveyed online in 2014 (62%) say their organizations don’t have enough security professionals. By comparison, 56% indicated that in a similar 2013 survey.

A major contributor to the shortage is an insufficient pool of suitable candidates, the report says. It predicts that the global security hiring shortfall—the difference between a projection of the workforce that’s needed to fully address escalating security staffing needs and workforce projections—will reach 1.5 million within five years.

For some, renting security executives and staff is the answer.

“We see organizations picking up temporary CISOs while they search for the right candidate in very small pool, particularly of A-players,” says Jeremy King, president at Benchmark Executive Search, an executive recruitment firm that specializes in security and emerging technologies.

“The upside of a temporary CISO is that it enables organizations to usually take some actions to build an information security program and develop a security road map based on the expertise of the consultant and his or her relationship with the C-suite,” King says.

The downside is that it is often very difficult to build and sustain a comprehensive information security program without a permanent CISO who has or is building enduring relationships with other stakeholders inside and outside of the organization, King says.

The concept of the rented CISO is especially appealing to smaller companies that lack internal security resources.

[Renting a CISO] made sense. Small startups post 9/11 [needed] to secure their computing environment.

Andrea Hoy, security executive

Threshold Enterprises, a distributor of natural supplements, elected to bring in security help from Arctic Wolf Networks because its business was growing fast and “outstripping conventional incremental approaches to improving network services and providing for security,” says Charlie Muller, director of IT at Threshold.

“Our security challenge has grown exponentially and we found ourselves waking up to a very risk-riddled situation and network environment,” Muller says. “This was overwhelming to our small team.”

Threshold needed to address the challenge quickly and effectively. “The first step was to find the right partnership, and this took some time,” Muller says. “Once completed, the relationship proved to be a natural fit.” In addition to having a security partner, “we realized we needed to outsource and leverage the project management of our security program,” he says.

Arctic Wolf Networks specializes in working with mid-sized companies that are void of a CSO or CISO role and the expertise those roles provide. Its security team provides input on security architecture, best practices, policy reviews, penetration tests, continuous monitoring reviews, incident response and other services.

While the firm doesn’t specially call its security experts “CISOs,” they provide the overall security guidance that clients need when they lack their own security leadership.

By deploying technologies such as security information and event management (SIEM) and providing ongoing expertise, Arctic Wolf Networks has helped Threshold better analyze and address points of exposure to security threats, Muller says. The firm helps Threshold evaluate and deploy whatever security tools and services the company needs based on changing security threats and vulnerabilities as well as its technology budget.

Those who rent themselves out as CISOs say business is growing, although they too are being affected by the talent shortage. Max Aulakh, president of MAFAZO Digital Solutions, works as a “virtual CISO” for several clients ranging from a small company to a large, publicly traded enterprise. Prior to providing this service, he worked in cyber security in the private sector and the U.S. government.

Although demand is growing, “it is difficult to scale this service due to [the] shortage of skills in the industry,” Aulakh says. “Continuous cyber attacks are driving growth and cyber [security] has become a board-level concern for many small and large companies.”

How the rental arrangements work depends on the clients’ needs. “But as a general rule of thumb, they purchase blocks of hours at a premium price,” Aulakh says. “I help with building road maps, manage technical teams, present risk-related information to executive teams in a language they can understand, help coach CFOs on their responsibilities when it comes to security budgets.”

In addition, Aulakh helps clients understand the business impact of security incidents in dollars and what they can do to mitigate risks. “For large companies, the [virtual] CISO role is an interim role,” he says. “But for smaller companies it’s a permanent ongoing relationship, because they cannot afford a full time CISO.”

Renting CISOs can be beneficial to companies because they can help navigate risk and compliance issues and in some cases have had experience speaking with board members, Aulakh says. “They can present a case well and articulate the value of security,” he says.

One of the first to work as a virtual CISO—and the person credited with coining the phrase—is Andrea Hoy, who served as a security executive for companies including Rockwell and Boeing before striking out on her own.

“I stumbled onto the idea of being a virtual CISO back in late 2001,” says Hoy, president and founder of A.Hoy & Associates.

“It made sense. Small startups post 9/11 [needed] to secure their computing environment” and in some cases large corporations needed help creating a CISO role.

Because Hoy had experience starting a security program from scratch she was familiar with the challenges. Today, she tries not to exceed six “true virtual CISO” positions a year, “because otherwise I am just consulting.”

As a virtual CISO, she heads up security functions for smaller entrepreneurial companies and startups that can’t afford to hire a full-time CISO, but realize they need to have some information security and risk management in place.

For larger clients, Hoy sometimes comes in to help a new CISO who’s just beginning work. For example, she helps provide an initial security baseline and gap analysis. She also works as an interim CISO for companies that are in between full-time CISOs. In this role, she helps the organizations select a full-time person to take over the role.

Whether it’s a good idea to bring in a temporary CISO depends on the timelines of projects, the structure of the company, the company’s culture, and financial position, Hoy says. “But most of all the importance of its information security posture and risk exposure,” she says. “Some companies, in order to meet certain contractual obligations by federal regulations, have to have a system security plan initiated before being able to start any contract or maintain contractual obligations.”

Others might have just had a security breach, but are still not quite ready for or can’t afford full-time staffing to do the strategic guidance and prioritization of security initiatives.

A company should not rent a CISO if it does not intend to make any changes internally about its security posture, Aulakh says. “Many times firms bring in CISOs expecting magic to happen, without being willing to allocate any resources for initiatives,” he says. “This can have a negative impact on the business, as they have identified liability issues but have chosen not to do anything about it.”

And organizations should not rent CISOs if they’re not willing to share their time with other companies, or if they aren’t really interested in implementing information security as part of their strategic plan, Hoy says.

“You might be better served with a consultant or [managed security service provider] for the specific identified need,” Hoy says. “But if you want an overall long-term plan, hire a [virtual] CISO. They will become a part of your company, learn your culture and save you time when you want to add a new tool or technology or upgrade a security technology.”