
How to find a Chief Security Officer to do some part time consulting?

Brian Reale CEO / Founder ProcessMaker

July 15th, 2015

We are an enterprise software company delivering SaaS and On Premise solutions.  Everyday we are selling into larger and larger accounts and we are seeing more and more Fortune 100 and HIPAA customers.  Now I am looking to provide my IT Manager with a Chief Security Officer as an outside consultant/advisor to begin reviewing and working with our team on all of our security policies and procedures, preparing better to speak to HIPAA requirements, etc.  Any ideas on where I can find this sort of consultant?  Has anyone done anything similar as a step prior to hiring an inside CSO role?  

David Ward Founder & CEO, Telegraph Hill Software

July 15th, 2015

Hiring a consultant as a predecessor to a CISO is pretty common for growing companies.  I may have some options for you, particularly if you don't need someone on site, but can be advised remotely re HIPAA, PCI and other such related security requirements.  Contact me directly if any interest.

Barry Greene Business Development Executive ★ Internet Technologist ★ CyberSecurity Expert ★ Emerging Technology Mentor

July 15th, 2015

I can see why you need some security help. I would look at several options:

1. Hire a security consultant that would be a mentor to your CxO team vs a CISO. Getting an extra person on the team has not been fixing the security issues networks are facing. Whole team mind shifts are needed to get people to rethink how everyone approaches their job. 

2. Look for a security consultant who breaks down the problem and respects the knowledge within the team. For example, one-day workshops that have one topic area and lead the workshop team through a discovery exercise. The objective is an action plan. Security "consulting" with no action plan is counterproductive. Check out this as one example:

3. Explore putting someone with deep security experience on your advisory board. This is trading equity for experience that is in high demand and cannot be cloned. The contracted advisory role would be to mentor the team.

And then there is the traditional model of hiring security consulting companies and trying to find experienced CISOs. The security consulting companies would have people who have 3 years of security experience and call themselves "experts." Trying to find CISOs who have 10 years of security operations experience is close to impossible. Trusting vendors with their special "security widget tools" would be a costly distraction. Hence, the recommendation to find someone who helps the organization "rethink," have all the CxOs ask about security, and invest in the team.

Lucas Jaz

July 15th, 2015

Hate to sound obvious, but have you looked at FD:Advisors? Obviously wouldn't be a consultant, but great for advisors and you can look by those expert areas...

Hovhannes Tumanyan CTO at Kiwi Crate

July 15th, 2015

You may want to search on LinkedIn for security companies/startups - Shape Security, CyPhorge, Nok Nok Labs are just a few examples. Feel free to shoot me a message if you'd like introductions or advice (I was in the security space for many years and even carried a CISSP for a while).


Eleanor Carman Incoming BLP Sales Associate at LinkedIn

July 15th, 2015

If advisors are what you're looking for, you should check out all the great advisors we have on FD. For those specific qualifications (CSO, SaaS, security policies, etc.) you can go into edit profile here, make sure "Find Advisors" is check-marked in the I'm Looking To section, and then scroll down a little until you see the yellow box that asks what kind of skill sets you want potential advisors to have. Then you'll be matched with people who are actual experts in the topics you care about!

Oleksandr Andriyanov CEO at American Programming Company

July 15th, 2015

Barry is right, a CISO is more than just a security expert - this is the person who can build a culture of security in the company.

For the very beginning it is enough to use just an IS expert or consultant.

PCI DSS certification or any other official compliance certifications are normally done by certified companies or experts.

So, if you want - it's better to hire an expert, perhaps part-time, and afterwards step by step train him to be your CISO.

From another perspective, a CISO is normally a very concerned executive, due to professional transformation, so it's not recommended to hire him while the business is growing - he can really block the existing processes in your company.

Indeed, a part-time expert is highly recommended :)

Anyway, feel free to contact me directly if you would like to have more details.

Gaurav Garg Vice President

July 15th, 2015

I am a strategy consultant focused on healthcare providers. HIPAA compliance is not a checklist. It requires a broader assessment of Depending on what you are looking for, I can make some introductions. I will caution against using digital security (Identity and Access Management) as a proxy for HIPAA compliance.

In general, HIPAA compliance requires a broader perspective that will include infrastructure assessment, business process review and people training. I published a framework for building a HIPAA-compliant hybrid cloud solution recently. The presentation is available on my LinkedIn profile (I am not sure if we are allowed to share outside links here or not).

I can introduce you to other people as well who can be independent auditors.

Lee Grecs Senior Cyber Security Analyst

July 15th, 2015

I'm in the cyber security field. Based on the networking that I do, security conferences are a great place to start (e.g., Black Hat and DEF CON coming up and also RSA early next year). Other than that, most security people network on Twitter. Also look in your local area for security organizations that have monthly meetups. Some possibilities are ISSA, ISACA, OWASP, HTCIA, and InfraGard. Good luck.

My-Ngoc CISSP Executive Vice President at Link Technologies

July 15th, 2015

Brian, I would love to help you with this. My firm, Secured IT Solutions, and I provide part-time, as-needed, and/or interim CISO consulting. My cell is 702-373-9113 if you would like to talk. I hope to be able to help you with your need.

Brian Milnes CIO and VP Business Dev at XBRLCloud

July 15th, 2015

My company validates 10-K/10-Q filings for a large section of the US SEC filers, so I have very solid experience with very high-security applications. HIPAA, on the other hand, is more complicated, poorly understood and fairly randomly applied.  I'd split the roles if I were you, into security and HIPAA compliance.

Please feel free to have your IT manager and CTO contact me and I'll give the standard advice. They're really very divergent processes.