Each article in this series explores one of the top five considerations that help you evaluate the best approach for acquiring IT security talent at your organization. In the last article, we looked at measuring your organization's ability to find and retain information security talent. In this article, we move on to the next critical consideration: understanding how well your organization could scale its information security team if required. This consideration matters because of the traits information security exhibits in a typical organization.
Consideration #2: Ability to Scale your Information Security Needs
Information security has some characteristics that often require an organization to bring in reinforcements on a moment's notice. The biggest reason for this is that fun little thing called the "Security Incident." One day your organization is moving along fine; the next day it has been hacked and is on the cover of the Wall Street Journal. If this happens, your IT security team may have to double or triple in size within weeks. Consider this carefully as you decide how to staff your information security effort. If you only have a full-time internal team and no bench, make sure you think through how you will bring on resources quickly when needed to handle an incident response case and/or contain a breach. Many organizations believe they can just bring in consultants and away they go.
In those situations, though, a consulting team that has not worked in the organization before will often struggle to acclimate to the new environment. It is like putting an American sub crew on a German U-boat. Though this worked out okay for Matthew McConaughey in the movie U-571 in the end, they almost sank a couple of times before they sorted it out. During an incident, passing time is often your biggest enemy, so losing efficiency while an unfamiliar consulting team acclimates to your environment can be costly, if not a death sentence. Outsourcing the majority of your security team, or using a combination of internal and external resources, can really help alleviate this issue, because it maximizes your ability to scale the team quickly with resources that are already familiar with your environment.
We are now only two considerations in and, wow, there is a lot to consider. In the next article, we will keep things rolling with Consideration #3: The Impact of Serving Two Masters.
In the meantime, feel free to send comments or questions about this article or any in this series to firstname.lastname@example.org or visit CISOHandbook.com for more information.