An Interim CISO is the temporary appointment of a CISO at an organization for a period of transition. Organizations often need an Interim CISO during a period of crisis: a departure may mean a CISO has to be hired quickly, or the existing CISO may need to take a leave of absence for health reasons.
This article aims to explore some of the rationale for engaging with an Interim CISO. It will also explain what you can expect when you make such a hire.
Why an Interim CISO
Interim CISOs have gained in popularity recently for many reasons. Some of the best reasons for hiring an Interim CISO are the following:
Reducing organizational risk: There was a reason that you had a CISO beforehand! You never know when a cybersecurity incident may occur. Posting, interviewing for and hiring a new full-time CISO takes months. Who is managing your cybersecurity risk during that timeframe?
Speed: An Interim CISO can be added to an organization within days instead of months. They are experienced in getting up to speed quickly. They rapidly learn the organization’s strategy and objectives. They have a methodology for assessing the organization and building a plan.
Expertise: Interim CISOs operate at a senior level with an expert understanding of cybersecurity. This expertise allows the CISO to be effective for the client in the short term. Often a CISO is a Certified Information Systems Security Professional (CISSP). The CISSP and similar qualifications demonstrate security expertise, and these certifications have stringent continuing-education requirements.
Objectivity: Unencumbered by organizational politics, Interim CISOs provide a fresh perspective. They are able to concentrate on what’s best for the business. As independents, they can provide an accurate assessment of the organization’s cybersecurity.
Accountability: They are accountable for results. They can give clients peace of mind. They have defined deliverables.
Commitment: They maintain high professional standards. Their future work relies upon referrals and a successful track record. They have a stake in the success of the assignments that they undertake.
Return on investment: Maintaining the security program can have significant positive results. Whether it is complying with regulations or managing an incident, the payoff can be huge. When the new full-time CISO starts, having a transition plan in place can produce large cost savings.
Engagement stages for an Interim CISO
Interim CISO assignments vary in scope and requirements. Some clients may be expecting a caretaker. Others need someone who can drive dramatic organizational change. Below is what you can expect for typical Interim CISO phases:
Entry: The prospective client and the Interim CISO make initial contact and explore the requirements. Client and Interim CISO evaluate whether it will be a good fit and agree on the scope of the engagement. The client sets expectations for the CISO and hires the CISO. The Interim CISO sets expectations with a rough outline of a plan.
Diagnosis: The CISO evaluates the organization. The CISO meets with stakeholders. The CISO performs a gap analysis and risk assessment. During this phase, the CISO begins to formulate a plan.
Plan: The CISO gets executive buy-in on a plan based on their analysis. It may deviate from the initial expectations based on the data uncovered. The CISO is likely already making changes in some of the most critical areas. Once validated by executive management, the plan becomes The Plan.
Implementation: The CISO begins executing the plan. During this stage they display their expertise, accountability and effectiveness. Depending on the assignment, the Interim CISO gets into the details. This stage includes managing teams and projects and dealing with crises or transformations.
Transition: Once the organization hires a full-time CISO, the transition phase begins. The Interim CISO creates transition materials and hands off the projects. If the Interim CISO has done his/her job, the new CISO will become effective much more quickly.
The nature of the Interim CISO’s tenure depends greatly on the nature of the departure. If the previous CISO was terminated, the Interim CISO often has to make significant changes right away. If the previous CISO left on good terms, then presumably he/she left a strong plan in place for the Interim CISO.
The phases above are tied to the Interim role philosophy. For specifics on how an Interim CISO engagement might differ, we offer more detail below.
Fractional CISO for your Interim CISO needs
Fractional CISO’s Managing Principal has filled in as an Interim CISO. These situations are always different. The reason for the departure makes a big difference, as does the plan for hiring a full-time CISO.
Fractional CISO provides the Interim capability with a Virtual CISO.
A Virtual CISO (vCISO) helps organizations protect their infrastructure, data, people and customers. Top security experts provide guidance and build the client organization’s cybersecurity program for measurable results. A Virtual CISO typically provides services to multiple clients at once.
What you can expect with an Interim CISO from Fractional CISO:
An on-site presence for a significant period of time, especially in the beginning. Understanding the culture and getting executive buy-in is key to success. This acclimation can only be done in person.
Availability for every critical cybersecurity need. That includes incident handling and consultation for important initiatives.
Ability to rapidly bring on additional resources if necessary.
In cases where the client requires significant change: a rapid gap assessment, cybersecurity risk assessment and plan. These steps are important so that the Interim CISO can address the critical needs.
For Interim projects where the organization wants stewardship of the existing program: a rapid understanding of the program, how it is executing and what, if anything, needs to change.
Executive buy-in on all important decisions.
Decisive action when warranted.
And it goes without saying but we’ll say it anyway: expert cybersecurity leadership!
If you would like to discuss whether an Interim CISO is right for you, please give us a call for a no-charge consultation. We can be reached at (617) 658-3276 and our email is [email protected].