I read articles almost daily about the skills gap and the lack of qualified personnel in the Information Security profession. Just recently, Forbes ran an article stating that by 2019 there will be 2 million unfilled cyber security jobs. Entrepreneur ran an article entitled “Why you Should Consider Outsourcing Computer Security.” In that article Edward Ferrera states, “security is so hot that good people are hard to find.”
This brings me to the point of my article. If you don’t have the funding to build your own stellar team, or you can’t find the talent, what are your options? Having worked in both the Department of Defense and the civilian world, I can truly tell you that outsourcing is often the best practice. Because businesses that specialize in filling the talent gap can attract top talent, they are well positioned to fill that role for you. Be aware! Some of these companies, especially ones with high turnover, struggle to find talent too.
How to choose a partner (not a provider) in layman’s terms
1. You’ll notice that I chose the word partner here. This is an important nuance that I believe solves many problems up front. Providers often focus solely on SLAs and hide behind legal jargon as a first line of defense. Partners are willing to grow with their clients. Partners are looking for a relationship and want to rely on soft skills as much as technical ones. I have seen providers nickel and dime clients to the point that the relationship becomes untenable and dissolves (sometimes before the contract expires). I have also seen providers host services for PCI clients but refuse to undergo PCI DSS assessment themselves, relying on nuances in contract language.
2. Have dinner with them. Seriously! This goes along with the soft skills piece from #1. People tend to let their guard down in an informal setting. You are more apt to discover what drives their business there than at a “dog and pony show” at their facility. I don’t mean those stiff sales-pitch dinners. I mean unbutton the collar, roll up the sleeves, and play skeeball. If your provider only wants to talk shop, they are usually more interested in closing a sale than in building a relationship.
3. Have a “dog and pony show” at their facility. I know, I just dissed this above, but it is important to see how your partner operates in their own environment. You can also see the staffing and judge for yourself the level of expertise of the staff. Notice how people talk about their work environment. If employees are not willing to talk about work, they are usually not happy at work, and that can be a key indicator of staff turnover. Back to the soft skills: you can witness the team dynamics for yourself. I have been to provider sites before and watched the SOC personnel get into a fist fight in front of a potential client.
4. Ask for the biographies of the personnel at the company. After all, this really is a job interview. You aren’t just hiring a company, you are hiring a group of individuals. Make sure they are hiring the professionals that you could not. You don’t want to hire a company that markets its fully trained and competent staff but can’t produce a single person who has been there and done that.
5. Make sure the mission and vision of your partner align with yours. This is usually a more difficult step, since many companies do not disclose such detail. Once again, I am advocating partnership here. If a prospective organization will not share these simple business goals, steer clear. Do they want to expand their service offerings into a space you are looking to add? That could be a perfect match!
6. Now for the technical one. Have your own written (and fully understood) requirements. Know why you are looking outside your own company. Use this to evaluate Return on Investment (ROI). Without fully vetted requirements and a known budget, you could end up overpaying, blowing your budget, and not purchasing the services you truly need. It sounds easy to manage, but I have seen companies spend too much and get few of the things on their top 10 list. If you don’t have a top 10 list, see if the partner offers consulting services to help you define one.
There are many articles out there that will bore you with score sheets on how to pick the best provider for your needs. They will walk you through the 25 steps you need to complete to select the perfect provider. One thing they always fail to mention is the people behind the company you are looking to hire to cover your critical manning shortage. Basically, they spend pages detailing step #6 above. Both quantitative and qualitative analysis are needed to see the big picture.
Why I wrote this
I have been in Information Security for many years. As a member of the DoD I have managed contracts and contractors. In the state-level public sector, I have relied on outsourced companies to perform key Information Security functions. As a consultant for a large Managed Security Service Provider, I have witnessed first-hand the interactions between providers and clients. When asked to write a blog post for Milton Security, I did so eagerly. You see, I have watched this company grow for the last 5 years while treating their clients as family. The folks at Milton Security believe in partnerships. They do the soft skills well and have the technical chops to keep you safe.