Whether we’re out at a client site or collaborating with government, academia and regulatory bodies, a theme of conversation that never fails to come up is the talent and skills shortage of security professionals within Australia.
Indeed, there is strong consensus on the problem, reinforced by:
Job site Indeed reporting that demand for cyber security specialists more than tripled in the four months between February and June of 2018, and suggesting that Australia has only 7% of the cyber security expertise it needs!
Naturally, as security and privacy are a growing concern for customers, not to mention a topic of increasing interest to regulators, governments and boards, organisations need strong cyber risk management capability. What we know about building an effective culture of risk awareness is that it needs leadership as well as advocacy. What organisations looking to get themselves up to speed in the cyber risk management stakes need is a leader who is not only highly experienced but a ‘battle-hardened’ professional in the form of a Chief Information Security Officer (CISO). However, aside from the talent shortage, there is another very real barrier that puts this option out of reach for many organisations: cost. With an average salary in Australia of around $186,000 for a full-time CISO, many organisations simply can’t afford one.
What tends to happen as a result is that organisations hire a less experienced security person who, whilst strong from an operational or tactical perspective, lacks the skills and experience to engage with business stakeholders, the C-Suite and the Board.
The good news for organisations comes in the form of a solution known as “CISO-as-a-Service”. Common overseas for some time and now becoming increasingly common in Australia, it addresses this gap. It provides cyber security management and leadership in an organisation without the need to bring in a full-time CISO. Furthermore, the service enables an organisation to gain valuable perspective by drawing on a broader team of experienced specialists to address the breadth and depth of security issues facing organisations today.
How does CISO-as-a-Service work?
CISO-as-a-Service is a bespoke service based upon an organisation’s security needs. It can range from a couple of days per month to a full-time engagement. The organisation gains both on-site and remote access to a CISO, who collaborates with it to establish a cyber security capability commensurate with the size and extent of its security risks, so that the organisation can continue to operate.
The CISO has at their disposal the skills and experience of a broader team to address the dynamic nature of security risks and controls. The service can flex up or down based on changing business needs. It can also manage response to and recovery from critical security incidents as required.
Importantly, the service provides key performance and risk indicators to measure changes in culture, security awareness, control effectiveness and shifts in residual security risk.
Isn’t that outsourcing cyber risk?
No. Whilst the service can deliver a full cyber security program within an organisation – from helping set the strategy to managing its implementation and monitoring its effective operation – accountability for cyber risk remains with the organisation.
What to look for in a CISO-as-a-Service Partner
First of all, look beyond the marketing and assess the provider for both its breadth and its experience. Experience includes the skills and credentials of the team associated with this offering. Typically, a CISO-as-a-Service resource should have 10+ years of security leadership experience, with the proven ability to develop a security program and communicate its outcomes to the business. Certifications (such as CISSP and CISM) also lend credibility to the candidate, but soft skills and the ability to engage and communicate with key business stakeholders are also critical.
The Digital Resilience approach
Our team has security leaders from relevant industries who apply their wealth of experience to provide a service that meets our clients’ particular needs by:
Working directly with your team to help plan, design, develop and execute a security program
Providing an expert view of your risk, compliance and security frameworks
Delivering an independent review of risk assessments and audit issues, as well as assisting with designing and delivering control remediation
Communicating with board members and senior business stakeholders in plain and simple language, as well as coaching and developing future security leaders within your organisation