A Temporary CISO is the interim appointment of a CISO at an organization for a period of transition. Often a Temporary CISO is needed during a period of crisis, for instance during a security breach, because of a key departure, or because the existing CISO needs to take a leave of absence for personal reasons. In such cases, however, it may be impractical to make a full-time hire.
Temporary CISOs have gained in popularity recently for many reasons. This blog entry explores some of the rationale for engaging a Temporary CISO and what you can expect when you hire one. Some of the best reasons for hiring a Temporary CISO are the following:
- Return on investment: Temporary CISOs add value by using their expert security and management skills to help deliver an outcome that provides a meaningful return on investment. They can help mitigate a breach, implement a security project to reduce organizational risk or to gain trust with clients, prioritize an organization’s list of security activities or put security policies and procedures in place to mitigate future risks.
- Speed: A Temporary CISO can be added to an organization within days instead of the months that a search for a full-time CISO would typically take. Temporary CISOs are used to getting up to speed quickly – learning the organization’s strategy and objectives rapidly and beginning implementation of the plan in short order. Because of their expertise in the security domain and in filling an interim role, Temporary CISOs are able to complete projects quickly and effectively.
- Expertise: Temporary CISOs operate at a senior level in the client organization with expert understanding of the security needs of organizations. This expertise allows the Temporary CISO to be effective in the short term for the client. Often a Temporary CISO is a Certified Information Systems Security Professional (CISSP), which demonstrates his/her vast security expertise and commitment to continued learning about security. (In the case of Fractional CISO, all Temporary CISOs are CISSPs.)
- Objectivity: Unencumbered by company politics or culture, Temporary CISOs provide a fresh perspective and are able to concentrate on what’s best for the business. Being independent operators, they are able to provide an honest assessment while working with the existing management team.
- Accountability: Instead of taking on a purely advisory role, Temporary CISOs are managers who will take responsibility for and manage a business or project in their own right. Temporary CISOs expect to be held accountable for results with a successful delivery of the assignment. Temporary CISOs give clients peace of mind because the Temporary CISO has stewardship of the project.
- Effectiveness: Operating as part of the executive management team, the Temporary CISO has the authority and credibility to effect significant change or transition within the client company. Unlike lower-level temporary workers, they do not just fill a spot. Temporary CISOs add value to the client as a result of their expertise and approach, even when the work and the decisions to be made are difficult.
- Commitment: Temporary CISOs maintain high professional standards because their future work relies upon referrals and a successful track record. They therefore have a stake in the success of the assignments that they undertake.
Temporary CISO assignments vary in scope and requirements, often encompassing executive team alignment, security process creation and implementation, marketing and sales support, breach management and service and product security services. The following stages of the assignment lifecycle are typical of how Temporary CISOs enter into an assignment, reach and carry out the actual implementation and finally exit the assignment.
Early stages have much in common with consultancy but later stages are more similar to project management. The accountability and responsibility that Temporary CISOs have for successful analysis and delivery of a fitting solution is what makes these stages unique for a Temporary CISO approach.
- Entry: The prospective client and Temporary CISO make initial contact and explore the requirements sufficiently for the client to be able to decide on hiring the Temporary CISO. This stage includes a preliminary assessment of what the client thinks and the scope of the Temporary CISO’s contribution. This stage also includes an interview and due diligence to ensure that the Temporary CISO is a good fit. Typically the entry stage results in the Temporary CISO taking a provisional role in the engagement.
- Diagnosis: The Temporary CISO researches the current situation to better understand it and the requirements of the varying stakeholders. At this stage a more detailed understanding of the situation is formed, as well as approaches to address it. The Temporary CISO brings differing issues to light. For appointments where the Temporary CISO is undertaking multiple high-priority projects, the various projects may be in different stages, and the Temporary CISO may be undertaking implementation in some while performing the diagnosis in others. Typically this stage will take several days.
- Proposal: The Temporary CISO presents a more detailed proposal, which may differ from the preliminary plans presented at entry. The changes, if any, stem from the Temporary CISO’s vast experience and from digging into the details of the challenge. Once validated by senior management, this proposal becomes the plan of record that the Temporary CISO will execute.
- Implementation: The Temporary CISO takes responsibility for managing the project, tracking progress and conducting periodic feedback reviews with the client. During this stage Temporary CISOs display their expertise, accountability and effectiveness. Depending on the assignment, the Temporary CISO gets into the details. This stage includes managing teams and projects and dealing with crises or transformations.
- Exit: As the end of the project approaches, the Temporary CISO ensures that he/she has met the objectives and that the client is satisfied. The Temporary CISO provides any transition documentation and handoff to a successor or existing staff.
There are many security challenges that a Temporary CISO can solve for various organizations. Fractional CISO can help your organization by providing an experienced Temporary CISO. Please give us a call today to discuss your Temporary CISO needs.