"It made sense. Small startups post 9/11 [needed] to secure their computing environment" and in some cases large corporations needed help creating a CISO role.
Because Hoy had experience starting a security program from scratch, she was familiar with the challenges. Today, she tries not to exceed six "true virtual CISO" positions a year, "because otherwise I am just consulting."
As a virtual CISO, she heads up security functions for smaller entrepreneurial companies and startups that can't afford to hire a full-time CISO, but realize they need to have some information security and risk management in place.
For larger clients, Hoy sometimes comes in to help a new CISO who's just beginning work. For example, she helps provide an initial security baseline and gap analysis. She also works as an interim CISO for companies that are in between full-time CISOs. In this role, she helps the organizations select a full-time person to take over the role.
Whether it's a good idea to bring in a temporary CISO depends on the timelines of projects, the structure of the company, the company's culture, and financial position, Hoy says. "But most of all the importance of its information security posture and risk exposure," she says. "Some companies, in order to meet certain contractual obligations by federal regulations, have to have a system security plan initiated before being able to start any contract or maintain contractual obligations."
Others might have just had a security breach, but are still not quite ready for or can't afford full-time staffing to do the strategic guidance and prioritization of security initiatives.
A company should not rent a CISO if it does not intend to make any changes internally about its security posture, Aulakh says. "Many times firms bring in CISOs expecting magic to happen, without being willing to allocate any resources for initiatives," he says. "This can have a negative impact on the business, as they have identified liability issues but have chosen not to do anything about it."
And organizations should not rent CISOs if they're not willing to share their time with other companies, or if they aren't really interested in implementing information security as part of their strategic plan, Hoy says.
"You might be better served with a consultant or [managed security service provider] for the specific identified need," Hoy says. "But if you want an overall long-term plan, hire a [virtual] CISO. They will become a part of your company, learn your culture and save you time when you want to add a new tool or technology or upgrade a security technology."