Rent, Buy, or Both: Considerations for Acquiring Security Talent at Your Organization
By: SecureWorks
(First in a series of five)
Measuring Your Organization's Ability to Acquire Security Talent
Whether you are a bank, a bio-tech, or something in-between, today's security landscape has put the need for acquiring security talent for the common organization on the rise. From managing security equipment, to managing risk, to complying with security regulations, it is clear that the need for a competent security team has never been greater, and this need is not going away any time soon. So as an organization, what is the best way to fill this need? This article series will explore this topic and provide five considerations to evaluate before deciding whether you should attempt to hire your own internal information security team, outsource your internal security needs to an external firm to place a team within your organization, or implement a combination of both these approaches.
Each article in this series will explore one of the top five considerations to help you evaluate the best approach for acquiring security talent at your organization. This first article illustrates the importance of measuring your organization's ability to find, evaluate, and retain the best possible security team for your organization.
Consideration #1: The ability to acquire security talent
One of the key issues associated with building a security team is the ability to find skilled resources in a reasonable amount of time. These days, it is not uncommon for a security position to go unfilled for months at a time. This is troubling news considering how badly most organizations require security skills and the risk impact of not having skilled resources on board as quickly as possible. So why is talent so hard to find right now, and how does this affect whether we hire internal or external resources?
One reason for the lack of resources is that demand for security professionals is unbelievably high as our world becomes more connected through the internet. This reason is magnified when you consider that the monetary value of sensitive information has increased at the same time. In other words, more people want to steal information because it is worth more, and it has gotten easier to steal as our world has become much more connected. Another interesting consideration associated with the demand equation is that the role of information security in the common organization is still very new and immature.
The CISSP certification has only been around for 20 years. Compare that to the American Institute of Certified Public Accountants (AICPA), the management body for Certified Public Accountants, which has been around since the 1800s. Our domain is still very young, and as a result the pool of experienced security professionals is more limited than in other common organizational roles.
So if I am an organization in need of a security team, one of my critical tasks will be to measure my ability to acquire security professionals in a very tough market. Below are the most important things to consider before making a decision about going internal or external in your approach:
a. Do we have the ability to know what we are looking for? If you are leveraging your internal human resources to do the recruiting, will they have the expertise to adequately measure a candidate's security ability? Perhaps you already have a security team, but if its members are not qualified, will they be able to make an accurate call? This is important, because making the wrong hire for a key security position can do more damage than leaving a requisition open a little bit longer. Often, if you are going to contract out your security effort, the outsourced firm will be much better at measuring the pure security skill of the candidates. This can pay dividends. So I guess you should just outsource everything. Not quite. There are other things to consider, the most important of which is an understanding of your organization's culture.
While internal recruiters may not be as effective at measuring a candidate's pure security ability, measuring their ability to fit in with the company culture is a different story. They will generally be pros at this when compared to our outsource buddies. If you are outsourcing your security team, the hiring managers from that firm will probably have limited visibility into or understanding of your culture. Even worse, they may hire someone based on their own company culture, which might not align with yours. Alright, so I have the skill and culture stuff down; what else do I need to consider when dealing with this resource availability thing?
b. Do you know where to look, and do you have access? The security community is very close and connected. Again, we are a small pool of people trying to perform some very complex tasks. This has kind of made us a highly connected, exclusive club. If your internal recruiting team is not connected or does not have access to this community, they might miss out on some of the best candidates. Generally, organizations that specialize in providing long-term outsourced security teams are connected into the community. They have to be to survive, and as a result they have better access to a much broader pool of talent. This often allows these organizations to find talent much quicker. So if I can find them, what else do I need to consider?
c. Can you get them to stay? Since security professionals are in demand, it is often hard to get them to stay at one organization in a full-time role. Even if they wouldn't leave quickly, they often perceive that they will get bored or that their skills will become antiquated if they stay in one place. In these situations, such candidates often pass on the opportunity. Conversely, outsourcing your internal roles to an external team can often reduce this issue. Skilled professionals often feel more comfortable joining a team at an external organization that specializes in security, for the following reasons.
First, working at your organization as a contract worker may be the exact same work as if you had hired a resource internally, but one key difference is that in this situation these resources still have access to other security professionals at the mother ship. This keeps their skills a bit fresher, or at least creates the perception that it does, which makes these resources more comfortable going into this kind of arrangement. Second, these outsourced contracts are generally 2-5 years. Attaching a time limit to a contract creates the perception that the job will come to an end. This often makes a resource feel more comfortable that they will not be trapped in the same organization forever. Of course, there is a flip side to this issue.
Sometimes when you bring in an outsourced employee, they will not be considered part of the organization's family. That different-colored contractor badge leads them to feel like a second-class citizen and can make them feel a bit disconnected from the team. This can reduce the resource's loyalty to the organization they are serving. This issue does not exist when you bring on an internal full-time employee of the organization, so again this item should be considered in the internal/external hiring decision process.
As you can see, there is definitely a lot to think through even in this first consideration. Stay tuned for the next article in this series: Consideration #2: Ability to Scale Your Security Needs.
In the meantime, feel free to send comments or questions about this article to email@example.com or visit CISOHandbook.com for more free articles.
Mike Gentile is the Founder & Senior Editor, CISOHandbook.com, and a Dell SecureWorks sub-contractor.
Contributors: Robert Sutton, Practice Director, Global Information Security Residency & Consulting; Ryan Kelley, Security & Risk Consulting, Dell SecureWorks; and Gary White, Security & Risk Consulting, Dell SecureWorks.
This article series was developed by the team at CISOHandbook.com with contribution and peer review from the Security Residency & Consulting Group at Dell SecureWorks. CISOHandbook.com is a free resource for security managers, professionals, and project managers.