7 Mistakes to Avoid When Hiring a Cybersecurity Firm

Organizations looking to outsource cybersecurity roles and functions face real challenges in finding the right firms. Hiring the wrong firm or individual for the job tends to build adversarial relationships between the client and the firm, and they often end up parting ways after only a short amount of time.

If the client chooses not to end the engagement, they end up making changes to rectify details that weren’t dealt with up front. Relationship managers may change, or the service provider will restaff so that different people are servicing the account.

As a result, hiring the wrong people for your cybersecurity can create more problems than you had to begin with.

Don’t Make These 7 Mistakes During Your Hiring Process

Poor experiences with firms often occur because mistakes were made by the client during their vetting process. Here are some of the most common mistakes that clients make when they’re looking to hire a cybersecurity firm.

1) Hiring When You’re In Crisis Mode

The biggest mistake that businesses commonly make is attempting to hire a firm during a crisis instead of retaining a firm before there’s a security incident. Doing this doesn’t allow for proper vetting or price shopping. On top of the current incident, it can lead to some negative outcomes in the future.

Related to this, companies often go on a hiring blitz immediately after a security incident. Although it may be necessary, that kind of strategy also typically results in a patchwork of employees, and it rarely leads to long-term strategic hires.

People hired in the heat of the moment tend to last maybe 6 to 12 months, 18 months max, and then they move on to more cohesive organizations.

2) Expecting Instant Results

Second, many clients expect that hiring a cybersecurity firm will produce results immediately, despite any historical lack of attention to information security. This is especially true in larger organizations, which might anticipate results after just a couple of weeks.

It’s going to take a little while for any new firm to get their bearings with that company, and some of these organizations have a lot of complexity. Ironically, the client struggling with organizational complexity internally is often why a security function is being outsourced.

It’s not realistic to expect an outside firm to hit the ground running with respect to internal processes and organizational complexities if the internal team was already struggling with those in the first place. That said, a good partner will know how to zero in on what’s important and demonstrate incremental value early in the relationship.

3) Using IT-Centric Job Descriptions to Hire Security Roles

This mistake applies more to companies that are looking to hire individuals for a specific role or function — oftentimes, those companies will use job descriptions that don’t align to security standards. Instead, the job descriptions are focused on basic IT skills.

To illustrate, a random job search pulled up a current posting for a Cyber Security Director. The only security requirement in the posting was for “knowledge of information security frameworks,” while the majority of the post focused on prior experience with network administration.

This typically results in poor visibility of the role, and there’s usually a very small and highly unqualified candidate pool as a result. These types of posts act like warning beacons for true cybersecurity professionals, telling them this organization doesn’t understand or value their skills.

Interestingly, human resources can often play a role here. HR may not be well-versed in the difference between cybersecurity and general IT, and oftentimes human resources will push for job standardization.

Job standardization is great for posting inside your company, but when you’re trying to attract external talent, if you don’t align to industry standard terminology and pay scales, then your job is not going to appeal to top candidates.

4) Not Understanding The Cybersecurity Job Market

Another mistake that hiring companies make is lacking understanding of the current market for cybersecurity services. They don’t realize that there’s a major gap right now, and that security pay rates differ rather significantly from general information technology roles.

Ironically, not understanding the job market is often one of the reasons why they’re outsourcing or using an external firm to help with hiring. There’s just no understanding of the fact that cybersecurity is a different beast and needs to be treated as such.

5) Hiring Doesn’t Match The Bigger Picture

Companies often attempt to hire for cybersecurity roles, or even whole functions, without looking at the bigger picture of their cybersecurity. Cybersecurity covers a lot of different areas and functions, and not every organization needs to cover all of those functions.

Some organizations may just not have or need certain functions because of the way their business is structured. If they don’t understand how cybersecurity fits into their organization and what their needs are, they end up with piecemeal hiring that doesn’t last.

6) Hiring Untrained People to Save Money

Companies struggling to hire for cybersecurity will often avoid bringing in the experts to save a buck. Instead, they try to hire existing IT service providers and ask them for security services.

These general-purpose firms generally don’t have the right skill set or the right level of training and knowledge to be successful with security. They may offer security services, but you get what you pay for here. They likely won’t have the experience required to truly solve any of the tough security problems.

7) Non-Specific Contract Language

Last but not least, once a firm is selected, clients frequently use boilerplate IT contract language. There’s a lot more risk associated with security than there is with general IT, and that needs to be called out in the contract.

There should be additional performance clauses and further requirements in the contract for vetting and insurance coverage. Not having that contract language can come back to bite the client later if there’s a problem with the firm or if they’re unable to deliver on specific contract clauses for any reason.

How to Make Great Cybersecurity Hires

Now that you know what to avoid, it’s also important to touch on a couple of items that you should keep in mind as you’re hiring a cybersecurity firm.

Reputation

It’s absolutely necessary to look at the firm’s overall reputation, as well as some of the individual personnel in that organization and their past performance on similar projects.

Are their people skilled? Have they worked with clients like you before? What were the outcomes on some of their projects? Are there businesses like yours that are willing to vouch for them?

You should have a good understanding of a firm’s past performance before you hire them. Ask for sample reports and talk about the kinds of projects that they have delivered for other clients.

Before you jump into an engagement, you should already have an informed expectation of what the desired outcome is going to look like.

Look for referrals from your colleagues, as well as other vendors and partners that they may already be working with. Firms are rarely going to get the nod from another organization unless they’re truly good at what they do.


Culture

Evaluating possible partners should include thinking about whether they fit into your organization culturally. Every organization has a culture and the last thing you want to do is have a culture clash.

It’s kind of a silly example, but if your organizational culture is shirt-and-tie and in the office every day, and you’re hiring a security firm that has no dress code and a 100% remote workforce, you can expect a bit of a culture clash right out of the gate.

It’s a lighthearted example, but that kind of stuff actually happens frequently. Speaking from experience, meetings between stuffy clients and laid back firms can be very uncomfortable for both parties.

It’s also a good idea to ask potential partners about the relationship-building components of their work processes. When a client hires a firm, there can be a lot of mistrust initially. There may be perceptions that hiring a third party meant you couldn’t get it done in-house, creating resentment from internal employees.

Good cybersecurity firms will be aware of this, and will make it a priority to build strong relationships right away. If building relationships and trust doesn’t seem to be much of a priority, that indicates you’ll have to work through some friction.

Reflect Internally

Companies also need to do some internal reflection as part of the hiring process. You should be looking at benchmarking and comparing your company and your security program to your peers and competitors in the industry.

You may think you have a great security program and you’re just hiring to fill a few gaps. But if the reality is you’re at the bottom of the list compared to the competition, there’s going to be a huge mismatch in expectations when that cybersecurity firm comes in.

Your expectations for the hire might be that it’s just going to shore up a few gaps, but the cybersecurity firm sees your security situation as a complete rip-and-replace.

It’s easy to say that your endgame is to secure the enterprise. But if there’s not currently a security function to make that happen, it’s going to be a much longer journey than if there’s already a capable security organization in place, and it’s just simply lacking a few recent or specialized capabilities.

Review Their Insurance and Staffing Practices

First and foremost, you must review the insurance coverage in the indemnification contract language. Cybersecurity is a risky business and insurance is a big expense for security firms. Frankly, their insurance coverage is a distinguishing factor.

Qualified firms should have an errors and omissions insurance addendum, as well as a cyber insurance policy. Any firms that don’t qualify for these riders are probably not qualified to do the work for you.

This insurance is important because if the cyber security firm you’re using has an incident or a breach of its own, you want to be sure that you have some protection or indemnification in case that breach somehow spills over into your business.

It is not easy to get those riders. Black Kilt went through a multi-hundred point checklist and produced evidence and audit samples to obtain them — and we go through that same rigorous process regularly in order to maintain our insurance coverage.

For staffing practices, it’s important to ask about the firm’s subcontract worker policies and practices. Do they subcontract workers? And if so, how and what are those practices? If subs are used, what standards are those subs held to?

Also ask about their background check process. Everybody should be doing a background check on every employee, but cybersecurity firms in general go to a different level.

Whereas a general employee background check can be as little as $100, cybersecurity background checks can run into thousands of dollars. Depending on the client’s functional areas, the investigation may have to check hundreds of boxes and span multiple countries.

You want to make sure that the firm is trustworthy because they’re going to have access to your crown jewels. You don’t want somebody who’s motivated to skim a little off the top to have the highest levels of access to your network.

How Can You Tell You’ve Made The Right Hire?

This is where I like to distinguish between vendors and partners. You can have a good working relationship with a vendor that delivers what they promised. But a partner is someone who truly has your best interests at heart and becomes a trusted advisor for you.

Certainly, they execute on the contract and they execute well. But they also serve as an advisor to help talk about requirements or details that may not have been called out in the contract. They also look for ways to go above and beyond in securing your organization regardless of it being in the contract.

They go the extra mile in helping your organization because they view it as shared success, shared risk, and shared reward.

Black Kilt Helps Rebuild Client-Firm Relationships

We at Black Kilt know how important it is for firms and clients to have strong relationships. If your organization is having difficulty with an engagement already underway, we can provide a solution to that problem.

Rather than looking to terminate relationships, Black Kilt has actually come in as an independent third party and saved many relationships between clients and security vendors. We’re not looking to come in and take over a security organization. We’re looking to be your partner. We’ll help broker the relationship between you and your vendors to try to get them to be more like partners as well.
