Arctic Wolf Networks specializes in working with mid-sized companies that lack a CSO or CISO role and the expertise those roles provide. Its security team provides input on security architecture, best practices, policy reviews, penetration tests, continuous monitoring reviews, incident response and other services.
While the firm doesn't specifically call its security experts "CISOs," they provide the overall security guidance that clients need when they lack their own security leadership.
By deploying technologies such as security information and event management (SIEM) and providing ongoing expertise, Arctic Wolf Networks has helped Threshold better analyze and address points of exposure to security threats, Muller says. The firm helps Threshold evaluate and deploy whatever security tools and services the company needs based on changing security threats and vulnerabilities as well as its technology budget.
Those who rent themselves out as CISOs say business is growing, although they too are being affected by the talent shortage. Max Aulakh, president of MAFAZO Digital Solutions, works as a "virtual CISO" for several clients ranging from a small company to a large, publicly traded enterprise. Prior to providing this service, he worked in cyber security in the private sector and the U.S. government.
Although demand is growing, "it is difficult to scale this service due to [the] shortage of skills in the industry," Aulakh says. "Continuous cyber attacks are driving growth and cyber [security] has become a board-level concern for many small and large companies."
How the rental arrangements work depends on the clients' needs. "But as a general rule of thumb, they purchase blocks of hours at a premium price," Aulakh says. "I help with building road maps, manage technical teams, present risk-related information to executive teams in a language they can understand, help coach CFOs on their responsibilities when it comes to security budgets."
In addition, Aulakh helps clients understand the business impact of security incidents in dollars and what they can do to mitigate risks. "For large companies, the [virtual] CISO role is an interim role," he says. "But for smaller companies it's a permanent ongoing relationship, because they cannot afford a full time CISO."
Renting CISOs can be beneficial to companies because they can help navigate risk and compliance issues and in some cases have had experience speaking with board members, Aulakh says. "They can present a case well and articulate the value of security," he says.
One of the first to work as a virtual CISO--and the person credited with coining the phrase--is Andrea Hoy, who served as a security executive for companies including Rockwell and Boeing before striking out on her own.
"I stumbled onto the idea of being a virtual CISO back in late 2001," says Hoy, president and founder of A.Hoy & Associates.