With the continued rise in cyber security threats, highlighted by the recent Tesco banking breach in the UK and the ongoing Russian hacking debacle in the US, organizations across industries are scrambling to get their cyber security measures in order. The General Data Protection Regulation (GDPR) and the Network Information and Security (NIS) directives in the EU have only increased the urgency for organizations in this region to bolster their cyber defenses.
This urgent need to address cyber security, coupled with challenging hurdles to overcome in building internal security practices, is driving more firms to partner and outsource this critical business function.
One of the key internal hurdles we have identified in this market is that clients are challenged to source the required talent to keep abreast of their security requirements. This is a well-documented problem within the cyber security community and is one of the top three drivers that is shaping and driving the outsourced cyber security market at present.
So, the solution seems simple enough, if you can’t find the talent, hand over the responsibility on to someone who already has it.
But this begs the question: if there is a lack of security talent in the market how are service providers finding it?
Well, not easily is the answer. The more successful service providers have branched out and are tackling this problem from several angles. These can be largely categorized under external sourcing and internal sourcing:
- Hire young: For most of the leading providers in the market, partnering with universities to hire graduates straight out of the gate has been a go-to method. EY, for example, has partnered with 12 of the leading universities that provide courses on cyber security and analytics in the US. EY has not stopped there however and is now building partnerships with six smaller regional universities to further plumb the graduate talent pool. Often within these university/service provider partnerships, the service provider is fundamental in helping to shape course work and the curriculum, this is a positive dynamic as it gives students the skills needed to hit the ground running in the workplace.
- Increase diversity: For example, reach out at the grass roots level to mentor female students taking analytics, mathematics, and related courses into the cyber security field. Capgemini has made a huge push in this regard with 20% of its UK and 25% of its Indian security operations now female. Next is looking outside of the professional sphere and into the military, many operations specialists in the army possess the necessary skillset to thrive in the cyber security field. Finally, is an apprenticeship scheme whereby hiring is conducted on behavioral and cognitive characteristics rather than qualification.
- Poach: Or in corporate terms “hire laterally”. With the cyber security talent market lacking the volume it currently requires, attracting talent from competitors, or in some cases startups, is typically going to be on the cards.
- Upskill: This is basically what it says on the box, taking junior staff and putting them through internal and external training qualifications such as the Certified Ethical Hacker (CEH) or GIAC Certified Penetration Tester (GPEN) certificates.
- Creatively use the people you have: The service providers covered in the (upcoming) 2017 Trust as a Service Blueprint all have overall staff counts in the thousands (some in the hundreds of thousands). With such a wide and deep IT talent pool, it makes sense to laterally pull in staff from other divisions in the organization. The most common positions targeted for internal transfer to security teams include application developers, risk and compliance, people assessment and digital transaction professionals. These staff will then be trained in security courses complimentary to their previous experience and skillset.
Sourcing security talent, even for service providers, is a challenge. The one ace these service providers have up their sleeves is the large and diversified IT workforces they have to hand. Some service providers are sourcing up to 60% of their security personnel from inside. With this in mind, organizations need to carefully consider the cost and time involved in building an in-house security team over partnering with and integrating capability from ones that have already fought the battle.