What You Must Decide Before Hiring ANY Information Security Talent
Each article in this series explores the top considerations to help you evaluate the best approach for acquiring information security talent at your organization. In the first article, we explored how to measure your organization's ability to find and retain IT security talent. We followed that up in article #2 with understanding the importance of knowing how your organization could scale information security resources if required. In this article, we move on to the next critical piece in the information security resourcing puzzle: the impact on your information security effort of having external resources on your team who effectively have two bosses: you and their security consulting manager.
Consideration #3: Understanding Information Security Impact of Serving Two Masters
Just when you thought outsourcing everything was the answer. One downside to outsourcing internal information security to an external firm is that the members of your information security team will serve both your organization and, ultimately, the one that pays their salary. This can mean competing objectives that should be thought through and their impacts evaluated. For example, the overall objective of your information security program is to protect information assets at your organization. A common objective for a consultancy is to maximize profitability. Those two objectives can collide at lightning speed. The good news, though, is that this risk can be minimized with some adjustments.
One way to minimize the impact of competing objectives is to be sure to clearly document the roles and responsibilities, as well as associated objectives of any outsourced roles. When you do this, it becomes much easier to meet expectations and remove conflicts because the resource can be held accountable to how their role objectives are described, with nothing else getting in the way.
Yet another approach is to ensure that expectations are clear within the scope of work between your organization and the selected outsourcing provider. If your scope of work describes outsourced roles that are too nebulous, too specific, or not what is truly required for the position, success will be difficult to attain. There is nothing worse than a scope of work that calls for a Firewall Specialist and then, once the resource is onboarded, asking them to write security policies. Finally, it is still important to note that the impact of serving two masters will not be an issue at all if you only hire internal full-time information security resources.
We are now three considerations down with two to go. In the next article, we will take on consideration #4: Why are you looking for information security talent in the first place?
In the meantime, feel free to send comments or questions about this article or any in this series to email@example.com or visit CISOHandbook.com for more free articles.