Humanise outsourcing with a Pay As You Go CISO

Outsourcing your CISO is an option medium sized organisations should consider says Carl Shallow, who advises a Pay As You Go model to buy in expertise.

The terms 'IT security' and 'outsourcing' have gone together like bees and honey for years: in-house IT teams hire third-party providers to protect IT systems remotely with a range of tools, technologies and solutions. There's nothing new about that.

But what if security outsourcing was stripped down to its most human form: a living, breathing expert sent out to work with firms on security strategies? No hardware or software solutions in sight.

Outsourcing a dedicated role within a company? Now that's not so commonplace. And while it's not a tactic deployed by all IT departments, it's certainly one that's gaining traction within our industry.

Cut out c-level expenses

For starters, it saves the cost of a fairly sizeable c-level full-time salary and instantly adds valuable senior resource to senior management teams. It's an ideal fit for firms that need expertise on a flexible basis to form a robust information security strategy.

Firms of a certain size often find it hard to justify recruiting a c-level figure whose focus is solely on security; that is by no means a new headache. But by outsourcing the role they don't cut themselves off from the expertise of a security professional, who often has more than 25 years' experience.

Providing expertise on a Pay As You Go agreement is designed to empower a business by giving it access to the skill set of a Chief Information Security Officer (CISO) even when it cannot afford the cost of c-level security staff. This way, businesses can develop security strategies and deploy senior resource to help keep networks and data safe without the expense of a large salary.

Owing largely to the obvious cost flexibility this approach delivers, there has been a surge in mid-sized businesses bringing in outside security expertise. Businesses of this size are often looked upon as easy prey by cybercriminals, who know there's a good chance they'll be able to take advantage of holes in the network. Hiring on this PAYG model helps companies recognise and plug such gaps, which may have gone unnoticed for years without access to senior security input.

You get what you pay for

A lot of security standards and practices don't always require a dedicated resource; just someone to oversee strategy and make sure regulatory compliance is catered for, which isn't always a full-time job. That's not to say that hiring a CISO is a waste of time; more that outsourcing makes for a more efficient use of security resources and ensures you get the amount of work you paid for.

However, it's clear that someone has to own the security and compliance strategy, given the dreadful impact breaches can have. So again, having outsourced c-level experience on board gives businesses the expertise they need in an efficient and direct way. It helps a business avoid the 'head in the sand' approach that often takes hold when it lacks a knowledgeable and dynamic IT expert, while keeping spend on data security down to the minimum it needs to be.

What you should expect

A perk of bringing in a c-level security professional from the outside is that they bring with them the expertise and experience of working with many other customers on all different kinds of network setups, often concurrently on closely related issues. A good outsourced CISO will:

- Look at a business in depth to identify the most valuable assets and where they sit within the context of the network.

- Assess the existing protection and find intelligent ways to fill in the gaps, always taking into account the business's restrictions and data access needs.

- Have a deep understanding of new threats and security products across the entire landscape, and be able to harness intelligence gained from attacks on previous companies they've worked with to put strategies in place that prevent the same happening to others.

Crucially though, anyone occupying this outsourced senior security position should be able to integrate themselves into a customer's business and become familiar with its network, building strategic relationships with the rest of the management team as part of the process.

This partnership should feel more like an inside collaboration than a transaction of time for money, and that's where the human element comes into play. Instead of trying to plug the hole left by the absence of a senior security figure with endless solutions and technologies, just think how much more valuable it would be to have a human resource available when it comes to deciding on strategies and setting policies... on a part-time basis.

A full-time c-level security presence is simply too great an outlay for some organisations. That's obvious. But companies know someone must own the security and compliance strategy, and often the requirements of that role are beyond the expertise of operational IT and security managers. This is when the value of outsourcing is truly realised, and the need for senior roles on a Pay As You Go basis really becomes apparent.

Contributed by Carl Shallow, head of compliance at SecureData.