Internal Security Expertise - Have you got the balance right?
Posted by Gunter Ollmann on September 02, 2008 at 4:52 PM EDT.
As I’m sure you’re already aware, security doesn’t come cheap. While individual security technologies get cheaper as they commoditize, the constant influx of new threats drives the need for new classes of protection and new locations to deploy them – meaning that organizations rarely see their IT security budgets shrink.
But, having said that, where does most of that expense go?
If you were to examine a typical organizations IT security budget, you’d probably see that the majority of spend isn’t in new appliances or software license renewals, instead it’ll lie in the departments staffing costs – appearing as salaries, compensation, training and certification, etc.
This is at odds with the way most organizations normally deal with specialized and professional skill requirements. For example, unless you’re a specialized legal firm, the probability that your organization needs to employ its own full-time board-certified legal team is practically nil. Sure, your organization probably warrants an internally staffed legal council position, and maybe some sufficiently trained support staff – but you’d unlikely to be able to justify employing a dedicated bar-certified team, and then expect to keep them trained and certified in all the latest legal advances. Just about every organization I deal with (including some of the biggest international companies) relies upon external agencies to provide these specialist services and consultancy – as and when required – it’s more cost effective that way.
With that in mind, why are organizations building up their own highly-trained (and expensive) specialist internal security teams? Granted, some of the security technologies being deployed by organizations are relatively complex, but do they really require a Masters degree and CISSP certified experts to babysit them full-time? From my perspective, if they do require that level of internal skill and support, the protection technology was either inappropriate for the business or it’s been poorly configured and not optimized for actual business needs.
Sure, you do need to maintain some baseline level of security skills and headcount in order to ensure the efficient operation and delivery of business continuity. And maybe you’ll also require some level of escalation and response if you’re large enough and under a barrage of targeted attacks. But, is the balance correct?
If lawyers aren’t your thing, how about an example of first aid? Most organizations will have several employees trained in basic first aid, and will regularly retain and refresh their skills. Their role is to be the first on the scene, do what they can to advise or remediate the problem and, most importantly, understand when to call in the experts. While some organizations may even have a dedicated nurse on staff, what you’re not going to find are a bunch of salaried doctors and surgeons on the full-time payroll looking after just their employees (unless you’re in the military).
It doesn’t make sense to operate that way, and yet organizations are still failing to make the same leap for security professionals – adopting the more cost effective outsourced-expert practices they already have in place for other specialist service areas.
The security marketplace has evolved considerably over the last 5 years, and there are plenty of service providers out there that can provide one-on-one access to qualified and experienced security professionals capable of meeting with any security requirement an organization is likely to have. Nowadays you can tap in an incredibly broad range of expertise – ranging from hard-core security researchers capable of helping you evaluate the security of new products you’re thinking of buying and deploying throughout your enterprise, through to 24x7 security sentinels; so knowledgeable about the security product you’ve deployed that they’re capable of guaranteeing protection with money-back SLA’s.
It costs a lot of time and money to develop and grow a top-notch security professional. And, once they reach that level, it requires a lot of time and effort to maintain those skills. Just like learning a new language, while you can do a 4-week intensive course to learn the important bits – it doesn’t make you fluent – and, more importantly, unless you constantly practice those skills, you’ll lose them quick enough. So, for those organizations that believe in training up their internal security teams to “professional level”, are they really investing those hard-fought budget dollars in the right place? How are the latest batches of security professionals going to keep their skills honed to a fighting edge for this time next year when they may or may not be needed?
I know that some organizations may have concerns over “outsourcing” certain skills and support for fear of breaches in confidentiality and security etc. – and yet they don’t give a second thought to contracting an external legal firm to deal with their most confidential contracts, employing external accountants to look over their financial books, or even providing all-access keys to their external cleaning company.
I think that a change in mindset is well over due. Organizations should take a closer look at their security budgets and evaluate whether they’re getting the right value out of their internal teams and whether their skills investment meets the daily need of the business.