by Hank Berkley
Contributing Editor

Volumes have been written about the transformation in the workforce as employees become contractors and companies focus on cutting costs by replacing full-time workers with part-time labor. A lot of this has been presented in a negative light because of the perception that businesses are simply trying to cut corners. While saving money may catch management’s attention, bringing in individuals to work non-traditionally may offer other benefits if it is done correctly.

How is this related to cyber security? Read on.

When we travel to a distant city, we make a choice as to how we will navigate the new locale. We don’t buy a car to use during our limited stay, but instead either rent a vehicle or use a taxi or other car service.

We might consider a purchase, but there is likely a higher dollar cost to owning rather than renting – particularly when you add in the costs of registering the vehicle and buying insurance. There is also a cost of capital, as you would have to lay down a large sum initially, even if you would recoup most of that when you sell the car at the end of your trip. And if you need a larger car or a high-end means of transport, the initial outlay will be even greater.

But there are other issues that can make buying a car a poor choice.

Buying a car takes time. One can’t get off a plane, buy a car and be on the road in 30 minutes. The paperwork, obtaining tags for the car, buying insurance and filling it with petrol can take half a day. And selling the car afterwards can be almost as time-consuming.

Whether you rent a car or purchase one, it might have a GPS to help navigate through an unknown city, but a cab comes with an experienced driver who knows alternate routes to reduce travel time. With his experience and familiarity with the territory, he can also provide suggestions on better dining facilities or accommodations.

All of this applies similarly to hiring a senior information security officer. You may not initially know exactly what you need from a CISO or where he should fit into your organizational chart. With such a shortage of highly qualified individuals it may be hard to find one. You may find that the better individuals are asking for exorbitant salaries which could have a deleterious effect on the rest of your IT payroll as others will see the inequality. Plus, renting a high-end CISO brings valuable experience to help guide you.

While we don’t want to disparage security workers, we have witnessed more-than-average resume embellishment in the field of information security. We have particularly seen this with technical people who may have some of the skills needed for operational positions but overstate their strategic abilities. Because a CISO may suggest expensive and business-impacting solutions, having the wrong person – even for a short time – can be bad for the organization.

As we have written here several times, cyber security is all about trust. Picking the right CISO is something that should be done with care and it may be worthwhile to consider a temporary solution. It may also allow you to bring in someone at a higher level than you might otherwise find.

Using a “rental CISO” is not without its negatives. As cyber security requires knowledge of your industry, your culture and your risk tolerance, it is imperative that you have the right person – one who can learn about your business and doesn’t apply a cookie-cutter approach to security. It is also not something that should be done for a very short-term engagement such as a security evaluation as that is something better done by a team of specialists.

There are some firms that have relabeled their security contractors as “rental CISOs”, but there are some definite distinctions between these positions. A contractor typically has a defined task, while the “rental CISO” needs to operate on a broader basis as a member of your management team. The relationship needs to be less transactional with a CISO.

Using a “rental CISO” is not for all organizations, but it is an option that should be considered should you find yourself needing a senior security person. At a time when the role of security people is rapidly evolving, it may offer some ways to hedge your bets.


