Internal or Outsourced IT Security Hire Decisions are Often Made for the Wrong Reasons
Why are you considering hiring internal or external IT security? This five-part article series explores the top considerations to help you evaluate the best approach for acquiring IT security talent at your organization. In the first article, we explored how to measure your organization's ability to find and retain IT security talent. We followed that up in article #2 with the importance of knowing how your organization could scale information security resources if required. Article #3 looked at the impact on your security effort of having external resources on your team who effectively have two bosses: you and their security consulting manager.
In this article, we look at the importance of understanding the "why" in your IT security staffing effort. Knowing why you are looking for a team in the first place can be the best possible guide to making well-informed decisions in your quest for IT security talent.
Consideration #4: Why are you looking for IT security talent in the first place?
It is important to understand the "Why" when looking to build an IT security team. Understanding this can serve as a guide for the future success of any approach. If you want to hire internal IT security resources, why are you making this decision? Conversely, if you want to outsource some or all of the team, why are you looking to do that? In many instances, an internal or external hire decision is made for the wrong reasons. For example, your organization may be looking to outsource IT security simply because the initial internal team was not successful. Generally, this is the worst reason to outsource your IT security effort, at least if you do not first understand the root cause of the first team's lack of success. Perhaps management is not committed to making any IT security effort successful, or the culture is not ready for a mature security approach. In those situations, the incoming team, whether internally hired or externally brought in, may be put in the exact same position to fail.
Further, talented IT security professionals will always ask the right questions to understand root cause and will pass on opportunities if you appear not to have thought these things through. This is ironic because the weaker folks often won't ask these tough questions, which then leads them to take the job; the cycle of failure then continues on and on and on. Ouch! It does not have to be that way. Simply take time to understand the "Why" and make decisions accordingly. It is really that easy.
Four considerations down, with one left. In the final installment in this series, we will take on consideration #5: Maturity of your IT security program.
In the meantime, feel free to send comments or questions about this article or any in this series to email@example.com or visit CISOHandbook.com for more free articles.