What it takes to be an interim CISO

Being an interim or virtual CISO (vCISO) comes with many of the same demands as permanent security leadership roles, but also has its own unique challenges and rewards.


Whether interim or virtual, non-permanent CISO roles are becoming more common. They help fill a gap for companies unsure of, or unable to find, what they need on a permanent basis and offer benefits to experienced security professionals who want more variety in their role.

These temporary roles offer many of the same challenges faced by permanent CISOs, but also offer unique challenges for those taking up the position and require additional skills and traits.

The role of the interim CISO

Four percent of UK companies are outsourcing the top security role to a virtual CISO (vCISO), CISO-as-a-service, or another third-party organization, according to CIO UK's 2019 CIO 100 survey, twice as many as the year before. A recent ESG survey suggested non-permanent CISO roles are becoming more appealing to professionals with 21% of those surveyed saying they are considering taking such a position. A further 33% are open to becoming a virtual CISO in the future.

Interim CISOs come in many forms. They may be there to help set up a particular project or initiative such as implementing an ISO 27001 framework, building a dedicated security function for an organization that hasn’t had one before, or dealing with the aftermath of a security incident or audit.

Sometimes interim CISOs are there as a stop-gap between two permanent hires. CISOs are often in high demand, and the recruitment process can take months. An organization’s security operations can’t stand still in the meantime, so interims can keep the security function ticking between permanent appointments and help with the recruitment process. Interim CISOs in “holding the fort” roles, however, can have the least impact on an organization.

Richard Brinson, founder of consulting agency Savanti, has had interim CISO roles at Sainsbury's, RS Components, Unilever and most recently Verisure. His first interim role at Sainsbury’s came as a result of a consulting engagement with the supermarket on the security aspects of its digital transformation efforts.

“It was originally supposed to be a sort of three days a week engagement for six months, turned into a 24/7, 365 engagement for two-and-a-quarter years,” Brinson says. “Sainsbury's was really trying to innovate. They wanted to set up their digital and technology team to be able to innovate quickly without getting in their way but without taking too much risk, so there was a big focus on sort of creating self-service, low friction security.”

Brinson says he enjoys the greenfield projects where there’s previously been little in the way of security, or where security was previously largely outsourced and the company is starting to stand up its own security program. “The benefit is that there's no existing processes and things that you have to adhere to,” he says, “but the con of that is there's no existing processes and things that you have to adhere to, so you have to build everything. The most interesting ones are the ones that aren't working. I like trying to understand what problems are, why it's not working, and thinking about how we can tackle and what we need to do differently and get it to work within the culture of the organization and the environment that we're working in.”

Interims and vCISOs can work on any number of clients at a given time. While Brinson usually works on one at a time, James Drake, senior professional services consultant at Optiv, often works as an interim CISO for multiple clients at once. “Often the business drivers [for hiring an interim] tend to be negative,” he says. “I often get involved in response to a breach or in response to an internal or external audit, for example, and they don't have the internal resource to be able to identify which way they need to go.”

As well as looking at security strategy broadly, Drake is often involved in redesigning the risk management methodologies for companies or looking at their third-party management. “It depends on the size of the organization as well. Often, there are businesses which maybe can't afford a full-time CISO but they're looking for someone to set them on the right path.”

One incident Drake was brought in to help resolve was an organization within the retail sector that had suffered a ransomware attack as part of an attempt to burgle a physical location.

As well as helping educate the company about the kinds of threats the retail industry faced and remediating that attack, Drake also helped the CIO liaise with law enforcement. “The CCTV system had been shut down. An individual putting on the persona that they were an IT engineer turned up at the warehouse trying to gain access. Fortunately, in this case, the security guard followed his processes down to the letter and because no appointment had been made, he didn't let them in.”

What’s the appeal of being an interim CISO?

While some of the day-to-day elements of the job may be the same, working for different businesses can mean tackling a variety of threats and challenges, and that can also provide a professional benefit.

“It's interesting to be able to go from one business in the energy sector and dealing with critical national infrastructure to then going across and employing my expertise in the retail or leisure sectors,” says Optiv’s Drake. “That expands my knowledge and experience and gives me a much more holistic view of the threat landscape and how it affects businesses in general.”

Another benefit is that because the relationship is much more transactional than a permanent appointment, interims can focus on the tasks at hand and avoid some of the more mundane elements of dealing with organizational politics. “I think it's a much more straightforward relationship essentially. You've got a problem; you're paying me to come and give you advice,” says Savanti’s Brinson. “You can be very open with people because everybody knows you're not there trying to climb the career ladder.”

“When you go around and you see how lots of different organizations, the cultures work and how that manifests itself and what things they do well and what things they do not so well, you get really good understanding of how to take the best bits of everything and try and pull that together,” says Brinson. “I think I've learned more in the last four years, than I have in any other four-year period in my life.”

As with any role, being an interim comes with stress, but Brinson says the need to provide return on investment quickly can make the role additionally challenging and tiring. “It's one of those roles where you can never have a bad day. Every call you're on, I think as an interim there is more pressure on you. You've got to be on your game all the time constantly, and that does come with its own pressures.”

The skills interim CISOs need

While the core competencies of interim CISOs and their more permanent peers tend to be the same, interims need to be able to think and act fast to demonstrate their value more quickly than they would in a traditional role. That's because the tenure of an interim CISO often depends on the project they were hired for. They also need to be able to see the bigger business picture and work out how security fits into that just as fast.

“When you hire an interim, it can be a very quick journey from the initial discussion to starting in the work. You could be talking about a couple of weeks, whereas hiring a CISO takes six, nine, 12 months. Over that period of time they get to know the organization well and may already have a lot of ideas [when they come in],” says Brinson. “Coming in as an interim, it's very much you're coming in cold and you have to very quickly understand who the stakeholders are, what the organization needs, what problems they're facing. You won't get far if you can't deliver results or demonstrate your value quickly.”

Like any permanent CISO, having a keen business acumen to understand what controls, policies and technologies would and wouldn’t work for that business is important. “I could go into a business and offer Gartner Magic Quadrant ‘top right’ products all the time,” says Drake, “but does that provide any actual workable benefit to a business? Identifying the right tools and technologies but tying it in and making it efficient and cost effective for business is a very important role of the interim CISO, and one where you can get tripped up quite easily.”

Each organization is unique, which means coming in with a ready-made, one-size-fits-all plan is impossible. Moving from business to business regularly allows interims to develop a rough template that can be adapted to suit different environments and cultures. “I have a process for how I implement risk management and organization that drives the right conversations and drives accountability in the right place across the business,” says Brinson. “It's worked at multiple organisations I've been the CISO of.”

As well as being able to identify business and technology problems and solutions in a short space of time, interims have to win the hearts and minds of the teams they will work with on an accelerated timeline. “Diplomacy and understanding people are two very key characteristics of an interim CISO. The ability to develop a good rapport and a good working relationship with people within the businesses in a very short space of time,” says Drake.

“If you don't achieve that, then you're not going to be able to drive the change which is what you've been employed to do at the end of the day and deal with these business problems which they've been presented with,” says Drake. “A full-time CISO would have time to embed themselves within an organization and develop those relationships over time. An interim CISO doesn't have that luxury.”

As well as being personable, interims should accept, Brinson suggests, that not everyone within a company will be welcoming or receptive to their ideas, as some may regard them only as consultants. “You're going to need to be a bit thick-skinned. It's fairly rare, but there are people who just will not be as trusting or not be as engaged as they would be if you're a permanent.”

What businesses need to know about interim CISOs

For a successful engagement, both the CISO and the company need to be on the same page. Both parties need to discuss and agree on how they are going to implement change. “I think as part of the interview process or of the initial discussion, it's definitely worth trying to get a view of how the interim CISO would plan their attack,” says Savanti’s Brinson. “What would their approach be? Who would they be meeting? Who would they want to influence? An organization needs to have the appetite to do things in the way that the interim CISO wants to do it.”

Organizations need to ensure that the interim reports to someone who can help them make the most impact (e.g., the CEO or CIO), that the interim has the support of senior leaders, and that both parties are in agreement before the engagement begins.

As companies often bring interims in after a negative event such as a breach, or are looking to stand up new security programs and change how they approach security, some organizations might not like the idea of knowing how much work there is to do around the issue or implementing large-scale changes. However, businesses must understand the interim is there to help, and so should be given all the help they can.

“I think a lot of organisations tend to be quite wary of scratching the surface and opening that Pandora's box,” says Drake, “because as soon as you start identifying risks and vulnerabilities you suddenly become responsible and accountable for those risks. Allow the CISO to do their job. Allow them to integrate themselves within the business, give them the flexibility, and empower the CISO from the top down and be able to do their job and provide their recommendations without hindrance.”


Copyright © 2019 IDG Communications, Inc.
