You have someone in charge of accounting and finance, human resources, marketing and other departments, but what about information security? It’s a different area of focus above and beyond information technology. Having someone in charge of cybersecurity — typically a chief information security officer (CISO) — can help you manage and maintain your network and your security processes. However, finding someone to fill this role or replace a previous CISO is often more difficult than you might expect.
Putting Someone in Charge of Your Information Security Will Make Your Business Safer
Let’s imagine for a moment that your business experiences a cybersecurity attack. Your email server was breached, and employees’ and clients’ personal information has been exposed. How do you react?
You might have an IT department and maybe even a security analyst, but will they know how to respond? It takes a very specific set of skills to solve a company-wide cybersecurity crisis. Generalist IT teams tend to focus on fixing the problem as quickly as possible — but not necessarily coordinating a response that involves all stakeholders and putting a comprehensive plan in place to prevent this from happening again.
Even worse, you might not have anyone in IT at all — many companies utilize third-party IT services, which often don’t provide support for situations like this. If you don’t have anyone in charge of information security, you’ll likely spend crucial recovery time just figuring out what to do next.
Without a plan, data breaches and hacks quickly get worse. How can you prevent this? By adding a CISO to your team. A CISO is an individual experienced in cybersecurity, who can offer guidance and take control in the event of an attack, mitigate the effects of a breach and put processes in place that reduce the risk of cybersecurity attacks.
However, this role requires a highly experienced individual with very specific technical and soft skills, and they’re not easy to recruit and hire. Cybersecurity talent is not common in today’s job market, so they don’t come cheap. ISACA has even predicted that in 2019 there will be a global shortage of two million cybersecurity professionals.
For most small and medium-sized companies, this is an immediate roadblock because they don’t have the resources to meet the necessary level of compensation. Their IT department may be small, or may not be a formal department, and there just isn’t enough information security work to justify a full-time position.
What to Know if You Want to Hire a CISO
As we mentioned earlier, the information security talent market is extremely tight. This is an industry-wide problem. In fact, there is a negative unemployment rate in cybersecurity, meaning there are currently more open opportunities than there are qualified people to fill them. This is leading to unqualified people filling these roles because the few that are available don’t have the training or experience required.
According to ISACA’s State of Cybersecurity in 2018, almost two-thirds of respondents said it took them three months or more to fill an empty cybersecurity position. And the more technical the position was, the harder it was for them to fill. Cybersecurity Ventures even predicted that in 2021, 3.5 million cybersecurity positions will be unfilled around the globe.
Regarding the CISO market, all of the above applies, but at a larger scale. The skill set needed here is even more robust. They must know security, but also have leadership and management skills and strong technical skills. Many technical cybersecurity individuals aspire to be CISOs, but most don’t have the soft skills that would allow them to be successful in such a leadership role. Anyone who has both is very high in demand because they’re so rare.
Should you be lucky enough to successfully hire a CISO, retention can be difficult. Often there is limited room for growth, usually because there isn’t budget for it or because the next role doesn’t exist. And because the overall market is so competitive, there is often temptation to jump ship for a more lucrative opportunity.
You’ll also need to worry about whether the person you found has the full skill set needed to be successful in their role. You may end up having to hire additional team members or engage third parties to support your CISO’s lack of expertise in a particular subject matter, which only increases your overall cost.
In an effort to mitigate these challenges, some companies will try to get away with hiring a security analyst or engineer. Often system administrators will get promoted into this role. However, there’s a big difference between those roles and a CISO. These more technical roles tend to focus on looking at firewalls and antivirus software. They don’t focus on the bigger picture, because that’s not what their job experience has trained them to do.
An experienced CISO will be able to step in and think about things like the contracts the company has and how those partners are securing their data. They’ll think about the legal side and working with law enforcement. They’ll also structure any employee training that needs to be done to reinforce security internally.
CISOs will live much higher on the organizational chart. They will be someone who is going to report to the CEO and even a Board of Directors. They will develop an organization-wide strategy and make sure it’s implemented throughout all departments, processes and teams.
Considering a CISO For Hire
With all the difficulties that companies face trying to fill even a low-level cybersecurity role, hiring a CISO can feel near impossible. And you shouldn’t wait until you need one. Being proactive about finding this expertise will help your company in the long run, but how do you bring someone on when there are so many obstacles in your way?
For companies that have grown large enough to care about their cybersecurity, but not large enough to support a full-time CISO, a CISO for hire can help.
How does it work? When you partner with MRK, you’ll work with one of our CISOs as your primary point of contact. They can help you create and implement a full cybersecurity plan, as well as make recommendations to update your current systems and ensure that you’re doing everything possible to prevent significant risks.
Other consulting firms tend to swap people in and out, which is frustrating because you’re constantly focusing on getting people up to speed rather than strengthening your security. Or they may be a national firm, so your face-time will be limited. And often the work is completed by the most junior team members.
With MRK, our team of CISOs is locally-based and highly experienced, with decades of experience. And while you’ll only ever have one primary point of contact, you’ll always have access to the full team’s range of skill sets and specialties. Our CISOs may bring one another in on projects as needed — but your overall cost remains the same. We are consultants, but we’re not career consultants. We truly understand your problems and are focused on solving them because we’ve walked in your shoes.
Our team works within your organization to assess, build, collaborate, and report on information security efforts. And we do more than just point fingers. We work as a member of your team to deliver reports, create project plans and be on-site for everything from meetings to times of crisis. We’ll adjust to fit your business and make sure we’re fitting our services to your exact needs and budget. The majority of what we do is custom — if you want to see examples of what we can do, take a look at these scenarios.
And the cost? Whereas the average cost of a CISO is $200,000 (which may or may not include the person’s compensation, benefits costs and onboarding costs to the company), companies like MRK offer CISO services for less than the cost of a full-time employee.
At MRK, we understand the talent pool in the industry, and we work with the best to help you find the perfect fit for your company’s needs. Interested in learning more about our CISOs for hire? Reach out to us today to learn more about our CISO team and how we can help prepare your organization for the future.