As an organization with a growing business and IT footprint, the risks you are exposed to grow constantly as well. Perhaps your board of directors is increasingly concerned about cybersecurity, given the attention paid to breaches in the news or the focus on global privacy and cybersecurity regulations. If you haven’t already hired one, you might be considering hiring a security analyst; you may even have written and posted a job description. The problem is that the increase in breaches is coupled with a tremendous gap in the talent available to address them. In this post, we discuss the reasons for the gap, why it inhibits the ability of the SME to attract and retain cybersecurity talent, and the implications for your security posture, including how the pursuit of a single hire can actually hinder your efforts to improve security and reduce risk. The alternative? Outsourcing security to a trusted partner like ActZero.
Why is There a Talent Shortage?
Multiple factors contribute to the shortage. There is greater awareness of cybersecurity issues, stemming in part from an increased number of breaches and more news coverage of them. Additionally, threats have advanced to a point where IT generalists require more specialized knowledge to prevent them, or to respond to them when they get through. This need has also raised the bar for what constitutes a “qualified” cybersecurity professional. We see evidence of this in the growing number of cybersecurity degree programs and in rising enrollment in cybersecurity certifications, as new professionals and generalists try to hone their skills. Meanwhile, established professionals command the sizable salaries that high demand and limited supply have afforded them, while highly qualified cybersecurity graduates tend to get “snatched up” by security companies or large enterprises right out of school.
Implications for Small to Medium-sized Enterprises
This skills shortage is getting quantifiably worse: by one estimate there will be 3.5 million unfilled cybersecurity jobs by 2021. This is especially tough for SMEs, which often lack the resources to attract, hire, train, retain, and equip such talent. As a security analyst, would you want to be a “one-person show” with a single SIEM appliance? Or would you want to join an enterprise-grade security team with a 5-million-dollar SOC and multiple tools to use and grow with? The point is, even if an SME successfully hires somebody, it is hard to keep them without deep pockets, and it is nearly impossible for a lone analyst to add meaningful value without the process and tooling around them.
How Hiring Hurts
Choosing to hire a single analyst can hurt your security posture in several ways:
- Announcing a deficiency: A public job posting serves as a flag to attackers (and security companies 😊) that your organization has a gap. Attackers have become increasingly sophisticated in how they choose targets: while many threats still operate at scale (“spray and pray”), others target specific organizations that meet criteria indicating vulnerability, identified through vulnerability scans or simple online research such as reading your job postings.
- False sense of security: Even in the scenario where you do manage to hire, the hire itself can create a false sense of security among leadership. Decision makers need to understand that having people (note the plural) is just one of the three P’s of cybersecurity, the others being process and platform (i.e., technology). If they fail to understand this, and by extension fail to keep investing in risk reduction, the cybersecurity program will not evolve at the pace of the threats, leaving the organization at risk.
- Technology is wasted without talent to use it: If you have started down the path of building a security operations center (see our post on the topic) by purchasing advanced security technology such as a SIEM, that investment is wasted without the talent to operate it (we discuss the shortcomings of SIEM, and our modern approach to it, in separate posts). Given our premise that cybersecurity talent is difficult to hire, train, equip, and retain, you can imagine making a significant investment in an analyst and a SIEM, only to have the analyst leave and the SIEM sit unused because you are unable to replace them.
- Rendering IT a stopgap: When you fail to make your hire, or that person leaves, your IT team invariably “gets stuck” managing your security. Not only does this take them away from their core purpose of using technology to drive business results, but they are usually not an effective stopgap either, because they typically lack the skills to detect and respond to cybersecurity threats.
The Solution: Don’t Hire an Analyst
Deciding not to hire cybersecurity talent is not an excuse for “doing nothing” (see our post on The Cost of Doing Nothing). You will need to pursue an alternative: consider outsourcing your security to a company like ActZero that has the technology, talent, and resources to detect and respond to threats at scale on your behalf. The cost is comparable to hiring a single security analyst (depending on the number of endpoints in your environment) and is much lower than building and staffing a security program yourself.
We’ve established that the in-house/DIY option is complex, expensive, and slow, if you can even staff it. We aren’t saying there is no value in cybersecurity people; we are saying that for the SME, a single analyst won’t meet your needs, will be difficult to attract, equip, train, and retain, and may add to the risk facing your business, as described above. The other alternative, going with an MSSP, still leaves you acquiring expensive hardware, just amortized over time, and you still need to deal with the alerts and false positives it yields (see our MDR vs MSS post). Ultimately, outsourcing your security is the only way to cover the first of the three P’s (People, Process, Platform (technology)) when you are unable to hire or retain a security analyst, let alone the dedicated team you will ultimately require.
When you outsource the primary functions of cybersecurity, detecting and responding to threats, to a trusted partner, you gain qualified talent as an extension of your team. Working together, we enable you to decrease the risk your company is exposed to. This starts immediately upon completion of onboarding and continues over time as we work together to harden your systems, remediate vulnerabilities, and mitigate compliance risks through our virtual CISO program. Contact ActZero today to discuss how you can secure your small to medium-sized enterprise for an affordable monthly fee.