At a time when cyber security threats continue to increase in sophistication and prevalence, there's a real shortage of experienced, skilled security leaders. What's a company to do? One thing to consider is "renting" a CISO or other senior security executive.
The number of organizations taking on temporary security leadership is on the rise, experts say, to help address immediate security needs when organizations can't find someone to fill a full-time position--or in many cases when they can't afford to staff a C-level security position.
A new report by research firm Frost & Sullivan and the International Information System Security Certification Consortium (ISC)², a provider of education and certification services for information security professionals, shows that a significant talent shortage is underway in the security field.
According to the study, nearly two thirds (62%) of the 14,000 global organizations surveyed online in 2014 say they don't have enough security professionals. By comparison, 56% said so in a similar 2013 survey.
A major contributor to the shortage is an insufficient pool of suitable candidates, the report says. It predicts that the global security hiring shortfall--the difference between a projection of the workforce that's needed to fully address escalating security staffing needs and workforce projections--will reach 1.5 million within five years.
For some, renting security executives and staff is the answer.
"We see organizations picking up temporary CISOs while they search for the right candidate in a very small pool, particularly of A-players," says Jeremy King, president at Benchmark Executive Search, an executive recruitment firm that specializes in security and emerging technologies.
"The upside of a temporary CISO is that it enables organizations to usually take some actions to build an information security program and develop a security road map based on the expertise of the consultant and his or her relationship with the C-suite," King says.
The downside is that it is often very difficult to build and sustain a comprehensive information security program without a permanent CISO who has or is building enduring relationships with other stakeholders inside and outside of the organization, King says.
The concept of the rented CISO is especially appealing to smaller companies that lack internal security resources.
Threshold Enterprises, a distributor of natural supplements, elected to bring in security help from Arctic Wolf Networks because its business was growing fast and "outstripping conventional incremental approaches to improving network services and providing for security," says Charlie Muller, director of IT at Threshold.
"Our security challenge has grown exponentially and we found ourselves waking up to a very risk-riddled situation and network environment," Muller says. "This was overwhelming to our small team."
Threshold needed to address the challenge quickly and effectively. "The first step was to find the right partnership, and this took some time," Muller says. "Once completed, the relationship proved to be a natural fit." In addition to having a security partner, "we realized we needed to outsource and leverage the project management of our security program," he says.