Part 5: Outsourcing Information Security Talent
This series will explore five tips and one bonus tip for acquiring security talent in a landscape that currently has unquenchable demand and not even close to enough supply. So should you just shut down your security effort until the tide turns and you can find what you need? Your Board will buy into that won’t they? Yeah right! So what do you do? Glad you asked. This article will explore practical tips for getting fat on security talent during this brutal situation; a famine that is bound to continue for at least the next two years.
Tip 4: Outsourcing is NOT the answer
So the new hot trend in security is for organizations to transfer the responsibility for addressing their inability to find talent to a large consultancy or security company. In this situation, organizations are paying big dollars to a security consultancy to develop the right roles, and then staff and/or co-manage these resources.
So if you buy into my theory that there is a timing issue in terms of available resources due to the immaturity of security efforts in most organizations, this approach has no way of working. In the end, you are going to pay a crazy amount of money for an organization to try to track down people that simply don’t exist. It is like sending out a highly advanced technical crew, with all the right skills and know-how to go find gold for you, but then sending them to dig in a mine that you already know has no gold. Good luck with that.
So the tip here, in almost all circumstances, is to avoid doing this. Further, do not confuse this tip with the next one, which I do believe is an actionable solution that does have a chance for success.
As always, please provide your feedback to Mike.Gentile@cisoshare.com or @MikeGentile03 on Twitter; I always read them.