Hungry for Talent – Surviving the Coming Security Talent Famine of 2013
Part 6: Outsource Repeatable Tasks, NOT Complete Roles

his series will explore five tips and one bonus tip for acquiring security talent in a landscape that currently has unquenchable demand and not even close to enough supply. So should you just shut down your security effort until the tide turns and you can find what you need? Your Board will buy into that won’t they? Yeah right! So what do you do? Glad you asked.

This article will explore practical tips for getting fat on security talent during this brutal situation; a famine that is bound to continue for at least the next two years.

Tip #5: Outsource repeatable tasks NOT complete roles

Per Tip #4, we do not think that it makes sense to outsource a complete job, such as a security analyst, to a large consultancy or security provider in which the resource will work directly at the organization; basically an add to staff. Repeatable security tasks and services delivered as a managed service though, such as risk analysis, remediation activities, incident management, security architecture, forensics, or application security is a totally different story in our opinion. This is exactly where we think this problem will be solved in the short and perhaps even long term.

With the explosion of task specific cloud managed service offerings, coupled with limited security talent to go around, it just makes more sense for an organization to hire internal resources that can ensure that security execution lines up with the values of an organization, and then to outsource repeatable processes and tasks to a specialized provider. We have seen this in its infancy with existing security managed service providers, who right now often focus on the discipline of log aggregation, reporting, and elements of incident management.

With my cloud provider company Delphiis, we are banking on this trend to continue by offering a whole new bevy of additional managed service areas in risk management & remediation, security project management, security architecture, and more. We have seen other companies spring up as well in the areas of application security, forensics, and so on.

So my tip is to start by creating a process map for the services that your security program wants to deliver. This might be services such as incident management, risk analysis, operations, whatever. With that laid out, look to create what we call a “Delivery Architecture”. This architecture will illustrate the most optimal way for you to deliver the services in your program through internal and external resources. Play an active role in these determinations and go with your gut; it will serve you well.

Further, focus on outsourcing services that are repeatable, as well as highly repetitive. These are the ones that often produce tasks that are often better controlled and managed by internal resources but delivered by external ones.

As always, please provide your feedback to Mike.Gentile@cisoshare.com or @MikeGentile03 on Twitter; I always read them.