With the latest reports revealing stats like 250 new malware threats occur every minute and the average cost of a data breach is $3.86 million, it’s no wonder so many organizations feel it’s time to hire a chief information security officer (CISO). But what do you do if you have the need for a CISO, but can't justify the cost of adding a full-time executive? Or you discover the challenge of attracting or retaining one of these heavily-sought leaders is too much to overcome?
There’s another way to get the strategic guidance and leadership you need — a fractional CISO.
What is a Fractional CISO?
Generally speaking, a fractional CISO is a shared resource who brings CISO skills including strategy, compliance management, and mitigation expertise to an organization. By nature of their part-time engagement, their workload can be sized up or down to fit the needs of an organization — use only what you need. They can be the CISO where none exist, or strategically support an existing full-time CISO. In both cases, they can share expertise and advance the skills of the in-house security team.
While a fractional CISO’s role will vary by industry, regulations, and size of the organization, there is a consistent skillset you can expect. Often, fractional CISOs are employed to help bridge gaps in security knowledge. Despite company duration and basic security training, many organizations find that their current security management is lacking in critical cybersecurity tactics or the expertise needed to navigate difficult situations. To consider if a fractional CISO may be right for organization, download this Security Program Competencies checklist and consider if your security program has any gaps or could use more leadership support in these areas.
In some cases, a key difference between a fractional and a full-time CISO is budgetary responsibility. Budgeting for an organization’s cybersecurity systems and processes is sometimes retained by an internal leader. This enables the fractional CISO to be less concerned with budgetary limitations or administrative duties, and more focused on the critical need — security strategy and roadmap. Instead, the fractional CISO works closely with their company’s CIO to enact any cybersecurity changes, keeping within the scope of the CIO’s budget.
When is the Right Time to Hire a Fractional CISO?
Now that you know what a fractional CISO can do, you may be wondering if your organization is ready for one. Key signs that your organization could benefit from a CISO can be divided into two categories.
- Growth - Your organization is growing and you want your cybersecurity processes to be ready for whatever threats, regulations, or challenges may occur.
- Experience - Your current security management doesn’t have the knowledge or experience necessary to tackle cybersecurity from an executive standpoint. This is a very common scenario, as organizations will typically promote engineers from within who unfortunately don’t possess the education or on-the-job experience necessary to adequately fill the role.
- Cybersecurity breach - Your organization has experienced a breach and you need to fix the current issue and prevent future violations from occurring.
- Acquisition or consolidation - Your organization is going to acquire another company or is experiencing a merger. Security systems, protocols and technology need to be reviewed and united.
- Regulatory challenges - Your organization is facing regulatory governmental standards, such as HIPPA, FEDRAMP or PCI.
Medium-sized organizations will frequently hire a fractional CISO when they see gaps in their cybersecurity structure, but do not have the budget or need for a full-time executive. Risk mitigation is also a hot topic for executives and board members in 2019, and the fractional CISO is a great resource for quantifying, measuring, and mitigating those risks.
How to Hire a Fractional CISO
Once you’ve decided that your organization would benefit from a fractional CISO, you’re probably pondering the best way to go about vetting and hiring for the role. In our experience, here are some key skills and attributes to seek:
- Experience - Is the candidate familiar with how to manage a security breach or regulatory changes? This role requires someone who is good in a crisis, as well as being quick to action when the situation requires it.
- Creativity & Agility - Besides being technically savvy, can your CISO devise creative and resourceful ways to merge their playbook with that of your company? Unfortunately, there is not a one-size-fits-all security program, and successful programs are tailored to support the objectives and goals of each unique business.
- Communication - Can your candidate successfully communicate with board members, your executive team, your security/IT team, and your clients? This role requires someone who can speak effectively to all, both in technical jargon and layman’s terms.
- Relevancy - Does the candidate stay on top of current cybersecurity trends, such as risk quantification and mitigation? Hiring a fractional CISO who doesn’t keep up with technology and security trends puts your organization at risk for new threats, which arise every day.
Determining that your organization needs a fractional CISO is just the tip of the iceberg, but don’t let yourself become intimidated by that decision. Whether your company is preparing for growth, responding to a security breach, or facing government or industry regulations, a fractional CISO can be one of your best bets for short- and long-term cybersecurity peace of mind. Cybersecurity is an intricate, sometime perplexing, and always ever-evolving business, but the good news is that you don’t need to know it all. You can always hire someone who does.