Consideration #5: Maturity of the Information Security Program
If your information security program is not mature, you really need to think through the implications of this before bringing on any type of information security risk management resource or team. If you bring on internal talent, will they have the skill and time it takes to build new processes while at the same time performing day-to-day activities? If you are outsourcing security to a firm, will you be able to measure their performance if your processes are ad-hoc and not well designed? Is the outsourced organization responsible for building these processes as part of their contract? Ensure that these questions are answered prior to making any kind of move because when you don't, your information security program is going to suffer while you figure it out.
Take time to evaluate how much process development will be required for any role that you bring on. Ensure that you keep day-to-day activities, or the performance of activities within a process, separate from the development or improvement of the process itself. As Ryan Kelley, a security and risk consultant with Dell SecureWorks, puts it, "If possible keep the people responsible for operational tasks from being directly responsible for strategic tasks, as operational tasks will always take precedence. Or, if not possible, then ensure that you are accommodating for this by allowing a much greater project timeline due to inevitable operational interference." In the end, this will help you ensure that you have adequate resourcing to accomplish both important pieces to the maturity puzzle.
Finally, ensure that you have a valid information security program charter. Without this, there are no rules to the road about how to run the security machine. This will lead to chaos in any situation while you figure it out. Either plan to build an information security program charter as one of the first tasks of on-boarded teams or build it before moving any further along in the team development process.
With that, we have covered the top five considerations for acquiring IT security talent at an organization. In the end, the development and acquisition of an information security team can be successful if the team is completely internally hired, completely outsourced, or a combination of both. The critical element is that you think through the considerations illustrated in this series and set up your information security teams for success. For those that don't do this, you are going to slow down the ability to implement a healthy security system during a time when most organizations require security efficiency the most. This is not cool and is not in the best interests of your clients, customers, or the security professionals you look to employ.
Over the next couple months we will continue to explore how organizations staff their information security teams with future articles and series on this topic.
Feel free to send comments or questions about this article or any in this series to firstname.lastname@example.org or visit CISOHandbook.com for more free articles.