You’re looking for someone to lead your security program. They need to have these qualifications:
- Technical expertise in all security platforms
- The ability to form, execute and track compliance with policies that align to your business needs
- The ability to accomplish effective 24x7x365 threat detection and alerting
- Experience with incident response
- Experience with threat hunting
- Experience in performing and managing vulnerability detection and remediation
- Project Management experience
- Experience in forming effective security training programs
- Experience in ensuring regulatory compliance
- Able to form reporting on security posture and effectively present to the Board
You’re looking for the equivalent of a unicorn.
People who possess all the skills you’re looking for are rare indeed. Here are just a few of the skills they’ll need:
- Vulnerability and Configuration Management
  - Perform black box vulnerability scans
  - Perform grey box authenticated configuration scans
  - Create and complete projects to close vulnerability and configuration gaps
- Penetration Testing
  - Able to simulate and perform attack techniques
  - These skills need to be kept current as the attack landscape constantly evolves
  - Current OWASP knowledge with which to test applications
- Security Engineering
  - Ability to choose, set up, configure and maintain security control platforms
- Audit and Compliance
  - Knowledge of compliance measuring techniques
  - Current knowledge of policy, security framework, and regulatory requirements
- Project Management
  - Task delegation
  - Timeline management
- Management
  - Oversee the strategy and implementations of the security program
  - Align security strategy with business needs
  - Effectively inform the Board of program posture and effectiveness
Obviously, you’re going to have to staff for these functions individually. No single person can do all of those things: there simply aren’t enough hours in a day, much less skills in every area. Even finding a person with the breadth and depth of expertise to staff and effectively manage all of those operations at once isn’t very realistic. You need a long-term plan.
Adding Up the Costs
Let’s take a look at costs associated with some of the needed skills we just listed.
- Vulnerability and Configuration Management: $70-105K salary plus hardware/software licensing
- Penetration Testing: $75-105K plus hardware/software licensing
- Security Engineering: $70-110K
- Audit and Compliance: $90-120K plus licensing for software
- Project Management: $70-105K plus software licensing
- Management: $100-150K
For single coverage on each chair, you’re looking at $475,000 to $695,000, plus the costs of benefits. Add to that the costs of building your own 24x7 SOC and payroll doubles, to up to $1.3 million. Facilities for them add yet more, and you’re still looking for a security unicorn to bring it all together. Coming in on the low side of payroll estimates will bring you turnover and re-training, costs unto themselves.
What are the alternatives? Security outsourcing.
What Security to Outsource?
Some areas are obvious candidates for outsourcing, and some aren’t so obvious.
- Network Monitoring: you cut your payroll in half if you outsource this area, and that sets budget goals for how much you’re willing to spend. If you choose a good MSSP, you’ll be assured that analyst skills are kept current.
- Vulnerability Management: payroll is further reduced, and you gain assurance that your MSSP can perform this more effectively than you can staff for, as it’s part of the basic business offerings they have. Their experience pays off.
- Application Security: an MSSP’s penetration testers apply their techniques to many different environments, exposing them to a continually updated wealth of knowledge that an internal pen tester, focused on your own DevOps and DevSecOps, wouldn’t be exposed to.
- Identity Governance: performing this internally often proves problematic, especially if the security team is part of IT. Operational needs will divert them, and the priority of IAM reviews will drop.
- Audit and Compliance: let an MSSP bring their expertise to you rather than try to hire it yourself.
- Security Controls Management: if you use an MSSP to handle firewall and endpoint protection management, you further reduce payroll and leverage the expertise and depth/breadth of experience that an MSSP brings.
This leaves you with Project Management, Manager/Director, and Executive presence to staff for internally. The value in terms of ROI is readily apparent, and so should the increased effectiveness be: you won’t have to concern yourself with keeping those staff functions trained and current, providing facilities for them, or allocating payroll for them. Using an MSSP to handle all those tactical efforts helps your security roadmap, especially in terms of forecasting budget.
Don’t go looking for a security unicorn. Contact CIPHER to see how we can help!
Dave Rickard is the Technical Director for CIPHER US.