Building the Right Security Program Team
December 11, 2019
25 min read
As organizations are focusing and spending more on their cyber security programs, they’re running into a new problem: staffing.
With the existing cyber security resource shortage, nearly every organization needs additional cyber security staff.
Whether they’re working on one-time remediation activities to address specific risks, or they need additional staff for their security programs moving forward, having the right resources — and enough of them — is critical.
What to Keep in Mind with Cyber Security Staffing
One-time remediation activities are usually associated with security program development, the retrofitting of security program foundational elements, the implementation or retrofitting of specific safeguards in an environment, or the remediation of specific identified deficiencies.
Security program remediation activities are usually both resource and time intensive, which often means:
- Their completion falls outside the day-to-day activities of existing security staff.
- They require a specialized skillset for the sake of developing and implementing corrective action.
- They may require additional resources to operate on the security team moving forward.
Remediation activities can create a need for additional day-to-day staff, and as your security program grows or adapts with your business, you may also find that your security team needs specific skillsets.
The average security program has over 96 different processes that need to be performed on an ongoing basis to align with best practice. These include activities like security policy management, risk management, operation of safeguards, incident management, and others.
When you’re looking for day-to-day security staff, it’s important to remember that:
- These resources will perform time-sensitive activities that the organization needs regularly.
- Activities may be repetitive and produce similar outputs.
- The amount of work can vary significantly on a daily, weekly, or even monthly basis.
With all of this in mind, what options do organizations in need of qualified security resources have?
Options for Cyber Security Staffing
Professional Services
Professional services teams are a good option for remediation activities. You can engage them for a specific scope of work on a fixed budget, or on a time and materials basis.
This is a good option if your organization needs to complete a project that requires a skillset you don’t currently have on your team, or if you need a large number of resources.
A professional services team will also typically manage their own resources based on an approved scope of work, meaning you don’t have to burden your own team with management.
Cons of working with a professional services team include the cost, potential problems with timing and availability, as well as competing interests with other clients they might have.
Outsourced Managed Services
If you want a dedicated set of resources to perform daily security program tasks, a managed security service provider can take on ongoing program activities under monthly or yearly contracts.
The managed service provider usually puts the tasks that will be performed and the results of the engagement into service-level agreements.
Using a managed service provider lets your internal team focus on what it does best and passes the resource availability issues onto the service provider. The service-level agreement provides a clear understanding of what you’ll receive, and it can be more cost-effective than hiring a team internally.
The downside to outsourcing to managed services is that you’re putting a lot of trust into an external provider for critical aspects of your security program.
Current Internal Team
You can use your existing internal team to work on specific projects, or add responsibilities to their day-to-day activities if they have the requisite skills.
This approach saves your organization the cost of executing the project, but it can have a negative impact on your team's morale as their duties increase, especially if they're already fully allocated. Overburdening your team may also increase turnover, which will only make any existing resource constraints worse.
Cross-Matrixed Approach
A cross-matrixed approach involves distributing cyber security tasks to non-security resources throughout the organization, whether on a project basis or as part of their daily responsibilities.
Like utilizing your internal team, this approach can be cost-effective, and it drives home the idea that security touches every part of an organization.
Problems with this approach include over-allocating resources, as well as giving security tasks to someone who may not have the right skills or experience to perform them.
Assigning security tasks to individuals outside of the security team might also lead to confusion about who has ownership for performing which security projects in the organization.
Hire New Employees
Creating job descriptions for new roles or bringing on employees with specific experience can increase the security team's bandwidth for the extra workload. Hiring new resources can make it easier to take on both remediation activities and any additional tasks remediation requires.
One of the major drawbacks of this approach is the shortage of available skilled cyber security resources, which means you may end up having to engage a recruiter or specialist, adding cost on top of the resource's salary.
Since they’re in very high demand, any potential hires you might find will also likely be expensive and you won’t have as much room to consider how they fit culturally into your entire organization.
Temporary, Project-Based Staffing
Temporary staffing involves bringing in new resources on a contractor basis, usually for a set amount of time or until a given project is completed.
This is a good option for bringing on extra resources to take on an extra workload without increasing current employee costs, and your team has the flexibility to remove them if they don't fit with your company.
Temporary resources still need to have direction, and you often end up paying for their time, not necessarily the deliverables that you receive from them. Using temporary staff for a long-term project may also be difficult, since this could result in high turnover for critical positions in your security program.
Much like full-time employees, temporary security resources are also in high demand, so the same problems of finding them and recruiting them still stand.
Temp-to-Hire
This is a combination of temporary staffing and hiring new employees. In this case, additional resources can begin as contractors and potentially transition to full-time employment after a specified time frame.
The temp-to-hire option brings all the benefits of temporary staffing and direct hiring, but it also creates its primary downside.
People may not want to take the risk of starting a job they may not keep. Some of this uncertainty can be mitigated with the use of a recruiter, which can help the resource find a new job if you don’t hire them directly.
Interns
Using interns can be helpful for completing some of the recurring tasks in a security program that don't need extensive skillsets to perform. Low-level activities are well-suited to an entry-level intern workforce.
Interns often require management from more senior team members, which can temporarily take them away from some of their own duties while they are training the interns.
Choosing the Right Staffing Options
No matter which option or combination of staffing options your organization chooses to use, it’s important to think about which options will best fit into both your current and future security environment.
Make sure to weigh the costs against the benefits, and consider the impact that additional resources will have on your security team and the operation of your security program. Building stronger security programs in the midst of a resource shortage means being creative and open to different staffing methods and solutions.