By Jeremy Wittkop, InteliSecure CTO
My previous posts have touched on hiring and cultivating talent as two of the three main strategies organizations can employ to build their cybersecurity team. Hiring well is difficult and time consuming even when cybersecurity hiring is your primary responsibility and when your business is cybersecurity. However, most people hiring cybersecurity professionals are in the business of doing something else, which makes the task of hiring highly skilled cybersecurity personnel even more difficult. Hiring can also be expensive. Probably the only thing that is more disruptive and expensive over the long term than hiring well, is hiring poorly.
Cultivating talent is also difficult. It requires organizational changes in order to create an environment to foster growth beyond formal education. It also requires compensation and benefits packages that evolve with the marketplace and remain competitive throughout the professional’s evolution. It is very time consuming to cultivate talent and cultivating talent only to see that person be hired by another company can set your organization back years in terms of building a world-class cybersecurity practice inside your organization.
This post focuses on Managed Security Services (MSS). These services and corresponding service providers are growing in popularity because the first two strategies discussed are both difficult and costly. Most organizations are in business to do something other than cybersecurity, so dedicated HR teams and building an apparatus to hire or cultivate specific cybersecurity talent, and then retain it, is often a defocusing and ineffective proposition.
Truthfully, the understanding of that idea is part of the reason why I came to InteliSecure. It is very difficult to solve today’s cybersecurity challenges, even when you spend every hour of every day thinking about how best to do so. It is infinitely more difficult to solve those problems when the majority of your time and effort is spent on trying to solve completely unrelated problems. Managed Security Services Providers (MSSPs) allow you to focus on what your core business objectives are while the providers focus on solving your cybersecurity challenges.
It is a fact that there is a shortage of qualified professionals to fill job roles, but there is no short-term solution that is going to produce an army of qualified professionals to help fill that gap. Some organizations can compete for the services of the available professionals by creating more attractive compensation packages. Some cannot. Some of InteliSecure’s Managed Services clients are based in the San Francisco Bay Area and have told me, “Regardless of what I pay, the best and brightest cybersecurity professionals do not want to come work for us when they can go down the road and work for Apple or Google.” The truth is, this shortage has become so severe that not only can cybersecurity professionals command very high salaries, but they are also able to choose where they want to work. Further, in order to advance their careers and build their skill sets at an exponentially faster rate, many of the best choose to work for MSSPs, since they are exposed to a multitude of systems and problems at a much faster rate than they would in a single environment, regardless of size.
A good example of this was when one recruiter told me that the reason he targeted my SOC personnel so aggressively was that each of them had exposure to eight systems, so six months of experience with me was comparable to four years of experience in a more traditional environment. Additionally, MSSPs tend to have access to better training and more sought-after mentors than other companies would. In light of these considerations, it is not difficult to see why MSSPs offer attractive career options to cybersecurity professionals, especially early in their careers.
It stands to reason then that organizations are solving their skills gap problem in the short term by turning to those same providers for access to those professionals. Many organizations I have spoken with may have the budget and desire to staff internally, but they simply cannot staff to the levels they need because they are not able to attract the talent. For an individual organization, MSS may be the long-term solution, especially if they are comfortable with the provider and the services they are receiving. However, while Managed Security Services acts as a force multiplier for the overall cybersecurity labor force, it will not be a long term solution to the problem we face with respect to a lack of qualified professionals to face the mounting challenges presented by increasingly sophisticated cyber threats.
The MSS approach is not as easy to execute as it first seems, as you must thoroughly vet your MSSP much like you would vet a new employee. If you’d like to learn more about vetting Managed Security Services Providers, you can view my post on the topic here: https://www.linkedin.com/pulse/peeling-onion-11-questions-you-should-ask-any-mssp-wittkop-cissp?trk=prof-post.
There are also many other benefits to a MSSP beyond just talent acquisition. If you choose the right MSSP, the talent acquisition portion will surely be done for you, but even better than that, you don’t have to worry about contingency plans if the person you have hired leaves, or the disruptive activity of finding and training a replacement.
You also don’t have to get involved with difficult staffing models in order to get the coverage you need. Years ago, one of my tasks as Managed Services Director at InteliSecure was to change our offering from a 6 a.m. to 6 p.m. Monday through Friday operation to a 24×7 operation. Upon doing the research and speaking with my peers in the industry, I learned that to build a redundant and fault tolerant 24×7 model, I needed nine people in each skill set that I wanted! I was shocked! I still get some shock and push back from people when I share that knowledge with them. However, if you think about it, there are three eight hour shifts in a day, and enough days to require two sets of people to man those shifts over seven days. Based on that, we’re already at six people. If you add vacations, holidays, redundancy if someone leaves, etc. you would need nine people per skill set to staff a 24×7 operation. Given that most good Data Loss Prevention programs have Information Security Engineers and Analysts, you can quickly get to needing 18 people on staff! It is unlikely most organizations have that kind of manpower or financial resources to dedicate to a cybersecurity initiative, but MSSPs do, and you can often take advantage of their scale at a much lower price point than if you attempt to staff the same functions yourself.
Another consideration is experience, expertise, and the pace of development. For example, an MSSP may have an individual that works on seven accounts. That person gains seven years of experience in one year compared to someone who has only one system at a single organization. You also get the benefit of leveraging lessons learned from other organizations without feeling any unnecessary pain points.
Regardless of which strategy you choose, addressing the cybersecurity skills gap is an important and pressing need for all organizations. This problem will not solve itself and legions of qualified cybersecurity professionals are unlikely to suddenly materialize, so it is important for each organization to develop a strategy to address the gap and to execute that strategy at a very high level, whether it is hiring to win, cultivating internal talent, utilizing MSSPs, or any combination of the three.
The final post of this series will address the shortage itself and what we as a society and as a group of professionals can do to help fill the gap.