How (and When) To Hire Cybersecurity Staff For Your Business
By Laura Cowan
Laura K. Cowan is a tech editor and journalist whose work has focused on promoting sustainability initiatives for automotive, green tech, and conscious living media outlets.
This post is sponsored by cloud consulting firm Trek10, who support businesses by migrating their data to the cloud and protecting them from security threats. All content and views expressed are those of the participants and do not necessarily reflect those of Trek10. If you would like to sponsor news coverage of tech companies and trends in your industry or region, please contact the editor.
How Do You Know When To Hire Cybersecurity Staff or Outsource?
Cybersecurity is a growing concern for businesses of all sizes, from keeping data secure with remote workers, to making sure that all your applications work together in a secure and compliant manner.
As part of our sponsored series on cloud security sponsored by Trek10, we put together a Q&A on common questions businesses ask about cybersecurity and how and when to hire cybersecurity staff or outsource to a contractor. We hope this helps you on your road to handling security issues for your team during these changing times.
Step 1: Hire a CISO For Your Board
The first step to making sure you have a cybersecurity plan for your business is to hire a Chief Information Security Officer to your board. Cloud consulting firm Trek10 engineer Chris Beaufils tells Cronicle that it's imperative to have security front of mind from the founding of your company.
"Success is best found in building a foundation early on," Beaufils explains. "Build a company without considering security for a year or two, and it's exponentially harder to secure a moving train."
It's important to have someone on your founding team or board who has some knowledge of cybersecurity issues that will come up in building your company.
Step 2: How To Structure Supporting Cybersecurity Staff
How do you build a cybersecurity response team for your business once you have someone with security expertise on your board or founding team? Carnegie Melon lists four organizational units that need to report to the CISO in your company to build a cybersecurity team:
- program management: project management office; governance, risk, and compliance; workforce and supplier management; interface with the business
- security operations center: situational awareness, ongoing monitoring, security helpdesk, computer incident response
- emergency operations and incident management: high-impact incidents; planning for incident response, business continuity, disaster recovery; tests, exercises, and drills; incident post mortems; investigations
- security engineering and asset security: security engineering, identity and access management, applications security, host and network security, information asset security, and physical access control
Tools such as CloudSploit have visual tools to help you get a grasp of your company's security risks.
Step 3: Calculate How Many Cybersecurity Staff You Need To Hire or Outsource
How many information security staff do you need for your team? Carnegie Melon recommends hiring "3 to 6 information security staff per 100 IT staff." Trek10's Beaufils says it's a bit more complex, but this can serve as a baseline calculation. The calculation is not about the size of your company overall, in other words, but how many professionals you need working to address cybersecurity issues per number of dedicated IT staff you have. Look at that ratio, and it should give you a benchmark to get started building your security team.
"When evaluating security, companies should be evaluating what kind of partnership they want," Beaufils recommends. Do you need 1-2 full-time security staff to handle monitoring and alerts? A full response team? Do you prefer to have an extension of your team out of house who can work with you or your management board?
Some of these questions can be answered by evaluating your security risks as a company, whether that's building software that needs to be secure, exchanging data remotely or in house among workers, or being compliant on security for your customers' data. Once you know where the biggest security risks are for your company, then you need to calculate the required size of your security team to address them.
BackgroundChecks says in a piece on how to hire cybersecurity staff that hiring cybersecurity staff can be a challenge. The workforce is anticipated to be short 1.8 million workers by 2022. But cybercrime's impact on the economy is expected to be double in 2021 what it was in 2015, and the problems are multiplying. It's a problem everyone in business is facing.
Beaufils explains that many companies have a blended approach to security. "We work with clients," he says, "then have a 24/7 monitoring branch, then we have a separate team to address issues within 15 minutes or less." Your security team might look similar. Maybe you need a few full-time security staff to manage the overall process, and they could work with a contractor to run security monitoring tools and handle alerts.
Once you've calculated the size of your response team, or have a foot in the door on hiring someone to get started on evaluating the problem, you can scale up from there based on recommendations for where your company needs to focus. Beaufils says you know you're on track if you meet the following requirement: "Essentially you'd want to have enough security staff so that any new feature can have enough security attached to it," he says. Your IT team would be a great place to start getting recommendations on the time involved in making sure you have the right size security response team to respond to alerts and keep on top of software releases.
Step 4: Evaluate Your Company's Cybersecurity Needs
Beaufils says that when assessing a company's security needs, one important component is an AWS-inspired well-architected review of the "5 pillars of the cloud:"
- operational excellence
- performance efficiency
- cost optimization
You can run scans with security tools and then, Beaufils recommends, "tackle one issue at a time." One of the issues you might find is not just security breaches, but making sure that your cloud-hosted assets are as efficiently run and monitored as possible. We're told regularly by AWS people that cost optimization is a new focus for many cloud management services, as there can be massive waste and inefficiencies associated with inefficient organization of businesses' assets.
One organization Cronicle has interviewed in the past, Michigan-founded and Washington D.C.-based Cybercrime Support Network, is one outlet you can follow to keep up to date on cybersecurity risks for business.
Keep Up To Date With Business Cybersecurity News
How do you stay up to date with the latest security issues? Keep an eye on the news to see what issues other companies are facing, and you can learn a lot from working within security tools themselves, by seeing what AWS releases come out, for example.
It can be a lot to keep up with. As part of this sponsored series on cloud security tips, our sponsor for this series Trek10 is offering a FREE security assessment this month to get eyeballs on your company's security vulnerabilities and needs.
Our thanks to Trek10 for their generous sponsorship of news coverage in the cloud computing and cybersecurity space. To learn more about advertising and content sponsorship opportunities with Cronicle Press Tech News, please visit our Sponsorship page or contact the editor for more details on sponsorship opportunities.