By Jeff Cartwright, Vice President, Eastern Canada, Cyber Security Practice Lead and Felix Drouin, Account Executive, Cyber Security
When it comes to cyber security protection, Chief Information Security Officers (CISOs) increasingly face the question, “What have you done for me lately?” As tech leaders struggle to identify and implement appropriate levels of defense, boards have ramped up pressure on accountability and cost control.
That dynamic is contributing to scrutiny in cyber security spend, according to a recent
Gartner article. It also highlights the necessity for a crystal-clear business case, one built on manageable risk and risk tolerance, rather than fear of the unknown. Your resourcing strategies for cyber security talent play a big role in that business case (and budget). Here’s the good news: you have workable talent options beyond the managed security service provider (MSSP).
A Time and Place for the MSSP
MSSPs make sense for many organizations standing up their cyber security operations. They excel at conducting initial assessments and creating playbooks to address the most significant risks across numerous client sites. Being positioned across multiple industries enables them to quickly detect new threats in the ecosystem and create a rapid response plan. Mix this in with a talented internal team, outside consulting, and staff augmentation, and you can have some lucrative results.
That collective experience comes at a cost, of course. Although MSSPs can streamline your security team, you run the risk of letting someone else take care of your sensitive data. On top of that, outsourcing key initiatives and staffing to major consulting firms (PwC, Deloitte, Accenture, etc.) can result in major loss to institutional knowledge over time, and exponentially higher costs when seeking to augment specific skillsets (Architects, SIEM Development, Detection Engineering etc.). Staffing agencies can provide more economical staffing support, but do they have the right talent available in specialized areas?
So how do you decide when, where, and how to put a more flexible and cost-effective cyber security talent structure in place? Here are three initial factors to consider:
1) Transparency
Our best advice is to demand transparency from all of your partners as to their talent’s pay rates. What hourly rate or salary is the candidate who is completing the work personally earning?
When more of the hourly costs or spend goes directly into the candidate’s pocket, which is the case with most staffing agency arrangements, you’re getting a higher skilled individual, with the added bonus of less flight risk. There is a clear benefit to demanding full transparency and reducing your organization’s risk to utilizing under-qualified talent or constant turnover.
2) Data Control
Ironically, outsourcing to protect your assets may expose you to higher risk. More data = a more attractive target. The devil you know may be more palatable than the one you don’t and turning over full control creates a wild card scenario. After months of deliberation, one of our clients decided to build their full cyber security process in-house due to concerns about data control and institutional knowledge retainment.
3) Talent Availability
S.i. Systems is starting to see the talent supply chain responding to heavy demand. In the wake of major breaches in recent years—think Equifax, Marriott, Twitter—cyber security is now a household term. As exposure has risen, so too in parallel have career programs and interest.
Agencies like ours who have leaned into cyber security staffing are investing time and energy to aggregate talent into a more organized and consumable model. Economies of scale make us better at distinguishing the performers from the pretenders, which makes it easier for our clients to bring on fully qualified and vetted talent.
A Viable Hybrid Approach
This is not an all or nothing proposition. The business drivers for exploring a hybrid MSSP-staffing arrangement for their cyber security strategy are familiar: flexibility, scalability, cost control. Here are a few scenarios illustrating the diverse ways Canadian organizations are layering in staff augmentation to MSSP engagements:
• The organization outsources Level 1 activity to the MSSP, using clear scope of work (detection, escalation, remediation/recovery, etc.) protocols and SLAs to kick over Level 2 escalations to an in-house team of contractors and staff employees.
• Organizations lean on outside consulting (PwC, Deloitte, etc.) for an initial assessment including Governance, Risk, and Auditing capabilities and setting a clear roadmap for improved cyber resiliency while using internal hires and contractors to fill skill gaps and clear areas of urgent weaknesses.
• Organizations use staffing agencies to augment their internal team, sourcing key talent such as a SIEM implementation Specialists, Detection Engineers, Security Architects, etc., avoiding exponentially higher staff augmentation fees from major consulting firms.
When they see the budget scrutiny, companies who go down a hybrid approach often wonder why they didn’t do it sooner. With many options potentially in play, it’s best to review your current model to find out what’s best for your organization. While there is no one size that fits all, we highly recommend starting with a review of your partners’ pay transparency, data control, and talent availability.
If you have questions about the talent market for cyber security talent, reach out to us. We love what we do and are happy to brainstorm about the hybrid approach that might work best for your situation.