Cyber attacks on UK organisations surged 77% in 2022. The global volume of cyber attacks also reached an all-time high in the fourth quarter of the year, with an average of 1,168 weekly attacks per organisation, according to a report by Check Point.

As a result, cyber security is now a top priority for every CEO, whether you are a start-up, public sector organisation or large enterprise. One way to put this at the centre of your company is to hire a Chief Information Security Officer (CISO).

However, this is not always possible due to budget constraints. According to IT Jobs Watch:

The median Chief Information Security Officer (CISO) salary in the UK is £112,500 per year according to job vacancies posted during the 6 months to 7 March 2023.

More companies are turning to on-demand models so that they have access to CISOs as they need them. Two models to consider are CISO-as-a-Service and a Freelance CISO:

  1. CISO-as-a-Service

EY give a great explanation of this service:

CISO-as-a-Service (CISOaaS) involves outsourcing the IT security leadership responsibilities to a third-party provider. During the past 12 months, the demand for hiring a third-party provider to support implementing an IT security strategy has been growing significantly. With cyberattacks on the rise, it has now become more evident that IT security should be centered at the core of any business strategy. Therefore, CISOaaS might just be the needed solution for small and midsized companies, with a limited IT organization, competence or need. 

However, this service can be expensive, ranging from £24,000 to well over £300,000 per year.

  2. Freelance CISO

Hiring a freelance CISO to complete specific deliverables is gaining popularity in the UK. Some common deliverables of a freelance CISO include:

  1. Security assessments: Conducting security assessments to identify vulnerabilities and potential threats to the client’s systems, networks, and data. This may include risk assessments, penetration testing, vulnerability scanning, and security audits.
  2. Security policies and procedures: Developing and implementing security policies and procedures to protect the client’s information assets, including data classification, access control, incident response, and disaster recovery.
  3. Security awareness training: Providing security awareness training to employees and other stakeholders to promote a security-conscious culture and help prevent security incidents.
  4. Compliance and regulatory requirements: Ensuring that the client’s security measures are in compliance with applicable laws, regulations, and industry standards, such as GDPR, HIPAA, and PCI-DSS.
  5. Incident response and management: Developing and implementing incident response plans to respond to security incidents and mitigate their impact.
  6. Vendor management: Conducting vendor risk assessments to ensure that third-party vendors and suppliers are meeting security requirements and not introducing vulnerabilities.
  7. Security governance: Providing strategic guidance and oversight to ensure that the client’s security program is aligned with business goals and objectives.
  8. Reporting and metrics: Providing regular reports and metrics to demonstrate the effectiveness of the security program, track progress, and identify areas for improvement.

Talent marketplace Gigged.AI has seen an increase in this approach over the last 6 months. Craig Short, CTO and Co-Founder, stated:

We have seen small to midsize accounts hire experienced CISOs to complete Security Assessments and review Cyber Security Strategies. These engagements are typically from £3,000-5,000. As a start-up CTO, I often use this service myself.


As CyberScotland Week comes to a close, how on-demand CISOs can help with talent gaps should be a key consideration for every business leader.