How to Take a Strategic Approach to Infosec Staffing

The global cybersecurity industry has grown 10% in the past 12 months, but the demand for infosec staffing still significantly outpaces the availability of qualified workers. Because of this shortage, many companies mistakenly approach infosec staffing as a traditional IT staffing problem.

However, infosec is highly specialized work, and hiring traditional IT talent leaves organizations with significant skills gaps. The pay scale for infosec workers is currently much higher than for IT workers in general, so it’s very likely that infosec people will leave for a better opportunity if they’re not seen as specialized talent and are not paid accordingly. This results in a constant shortage of staff, with many open requisitions, and a heavy workload for those who remain.

To compound the problem, organizations will frequently try to solve staffing problems with training. They’ll often either train current IT employees to move into the cybersecurity space or they’ll outright hire unskilled workers with an empty promise of training.

Together, the knowledge gap and the shortage of staff can create an unpleasant working environment, resulting in many difficult tasks languishing. If dollars ever materialize for costly infosec training, once staff are trained they will often leave for better opportunities anyway, given the poor working environment.

As a result, the organization continues to suffer from a lack of qualified personnel, and the original problem is never permanently solved. In fact, struggling to address infosec staffing needs causes even more problems for organizations.

What Problems Arise When Staffing Isn’t Handled Strategically?

Several problems can arise for your organization if you’re having difficulty with infosec staffing. Understaffing very quickly sets off a chain reaction across your business.

If you don’t have enough cybersecurity folks on staff, then the remaining employees have to pick up the slack. Overworked employees get burnt out, the quality of their work drops, and then you start to miss important details. If you have gaps in cybersecurity, you’re more likely to see an increase not only in the frequency of incidents, but in their severity as well.

The increase in the frequency of incidents caused by unskilled people, coupled with the shortage of people to begin with, means that you’re going to have a very high-stress, high-stakes environment.

There are going to be a lot of security events. People are going to feel overworked, which is going to result in a loss of employee satisfaction. That’s also going to drive people to exit — if it’s a poor working environment, and they can leave for what is at least perceived as greener grass on the other side of the fence, they’re going to jump pretty quickly.

Understaffing also means that your top people will have considerably less experience. When you’ve got junior or unskilled staff trying to lead infosec initiatives, they may not have the business savvy or the experience to be successful on projects of that magnitude.

Moreover, their messages may be received poorly by IT leaders, business leaders, and other technical staff because of the perceived lack of knowledge and skills.

You can also certainly expect that you’ll have more outages from your tools. And when cybersecurity tools break, they tend to break other IT tools as well. There could be business-wide outages as a result.

Clearly, understaffing creates a vicious cycle that can impact company revenue.

Taking a Strategic Approach to Your Infosec Staffing

Taking a strategic approach to your infosec staffing requires you to take into account the following six factors as you build your team:

1. Organizational Cost

Obviously, overall cost to the org is a big factor. We all have limited budgets to work with, and every person you hire equals dollars spent.

2. Identify Your Skill and Training Needs

Spend some time thoughtfully identifying the specific skills your organization needs, as well as a plan for ongoing training for various resources. If you have a clear idea of what you need, you’ll be able to spend more effectively to attract and retain that specific talent.

3. Workload Management

Consider the level of staffing you need to break up the work effectively. You don’t want to overwhelm a few key individuals by asking them to do essentially everything in the org.

4. Succession Planning

Even in the best organizations, infosec is a hot market. There’s probably always going to be a better opportunity out there for your employees. Even if you’re doing everything right, you’ll always have some turnover.

5. Attract The Right Talent

You also need to think about how to attract the right talent. This is true both for employees as well as consultants and contractors. Organizations can get a reputation where consultants may not want to be part of the org because it’s viewed as a meat grinder.

The money may not be worth it when there are so many other opportunities. Understanding how to write appropriate job descriptions, how to set the pay scale, and so on is also crucial to attracting the right talent in the first place.

6. Retain Your Workers

And then, of course, there’s worker retention. And, again, cybersecurity is a little bit unique here. We typically don’t think about worker retention for contractors. But in cybersecurity, you may have a significant amount of your staff that you’re filling with contractors.

And you choose to fill roles with them specifically so that you can raise and lower your staffing quickly and cost-effectively.

But you don’t want to have high turnover on those contractors either because at least some are sure to be in key roles. So, given the skills gap, it’s likely you’re going to end up with contract roles that are much longer, and these people are going to have some pretty core knowledge for your organization.

You don’t want to lose those people on a whim because they got offered a 20% pay raise elsewhere. Or worse, because your organization is struggling financially and you decided to pass along a contract concession to the vendor, resulting in mass exits.

If you can do these things well, then you’ll have a much better staffing experience, happier employees, and a more successful cybersecurity organization.

How to Develop and Implement a Strategic Approach to Staffing

If your organization is struggling with infosec staffing, the key is to engage a company to help build your employment strategy. If you haven’t successfully built a team after several attempts, it’s unlikely you’re going to build it yourself unless there are significant changes in the organization and culture.

Seek out a firm to partner with that has experience in putting together infosec staff in other organizations. Lots of folks are willing to come in and help to build a practical approach.

The biggest takeaway here is to understand that cybersecurity isn’t just another IT organization. IT skills are always a challenge, but cybersecurity is a particularly difficult challenge right now. If you don’t go into it thinking about it from that perspective, then you’re unlikely to be successful.

You also have to keep your eye on the ball when it comes to building a positive culture, because without it, it’s going to be very difficult to attract and retain qualified workers and the right talent. And your culture becomes even more important when we’re talking about information security.

Black Kilt Helps You Take a Strategic Approach to Staffing

Black Kilt has years of experience being that strategic partner for organizations of every size. As a smaller firm, we don’t have delusions that we’re going to come in for a Fortune 10 company and take over all of their staffing needs. We truly see our engagement as a strategic partnership that helps them find the right solutions for their needs.

Initially, we can help design the organization by determining how many levels of leadership are appropriate and what types of roles are needed in order to staff the organization appropriately.

But more importantly, we can also help define the mix of how many employees, consultants, and contractors would work best for your company. We also help to put together a plan and a hiring timeline, because restaffing and reskilling your entire organization takes time.

Finally, we have the contacts, partnerships, and connections throughout the cybersecurity industry to help get your hiring plan in front of the right people. We’ll get the right talent from a variety of sources, be it direct hire, staffing firms, or other contract organizations.

Get Started on Strategic Staffing with Black Kilt Today

We encourage organizations that are interested in embarking on a strategic infosec staffing journey to reach out to Black Kilt for more information. Initial consultation is always free — during that call, we take a look at the culture, the willingness to change, where the organization is at today, how they got there, and how strong the desire is to truly solve the problem.

If you’re serious about engaging in the journey, then we have consultants available to be your guide. Contact us today!