It takes careful thought and disciplined execution to assemble the right people in the correct positions to support your cybersecurity program.

Let’s go through the process of discovering who you need, what they will do, and where they will work.

What Needs to Be Done?

The first step is to figure out what activities need to be done and how often.

  • Start by considering your program goals (see previous post)
  • Next, factor in existing organizational policies and established practices concerning how work is allocated between departments and whether outsourcing is common
  • Finally, consider cultural boundaries and risk tolerances

You may need to interview several people in your organization to discover all these things.

List the Activities

Now, describe the outcomes and activities required to achieve those goals, considering which activities will occur and how often.

For example:

  • Will your team create new user accounts on a daily basis?
  • Will you need people who can process network access requests quickly and accurately?
  • How about the cybersecurity due diligence work for the acquisition of a competitor?

What’s Core?

Now sort your activities into those that are “core” to your program as opposed to those activities that could be done by others either inside your organization or externally.

A core competency is something you do better than anyone else.

Apple, for example, is great at designing hardware, but they hire an outside company to manufacture their devices for them.

To make the greatest impact for the money spent on your program, you need to put as much of your staff time as possible into what is core and delegate the rest.

Determine Your Budget

If you haven’t already done it, establish your annual budget and specific limits on your payroll or the number of people you can have on staff. These are key constraints you need to be aware of!

I’ll talk more about budgeting in my next post.

Here’s an Example

Let’s suppose your analysis generates a long list of things that need to be done. Four of the items on your list are:

  • Conduct risk assessments on large IT projects once every month
  • Detect network intrusions 24/7
  • Review the information security requirements for all customer contracts, upon request by your legal team, and
  • Perform forensic examinations of workstations involved in cybersecurity incidents, as needed.

When thinking about what’s core, the size of your budget, the frequency of requests, the skills needed to do the work, and other factors, you might conclude:

  • Risk assessments for large IT projects often require a deep understanding of how your company makes money, and that takes a lot of time for someone to learn, so you conclude it’s a core activity that will be done by an employee.
  • Detecting network intrusions 24/7 requires expensive, specialized equipment and a large team of highly trained and experienced operators, so you conclude this activity should be delegated to either your IT department or an outside service provider.
  • Reviewing contracts also requires a deep understanding of how your company makes money and sufficient expertise with contract law, so you conclude it’s a core activity that will be done by an employee.
  • In contrast, performing forensics requires specialized equipment and training, but there’s no need to understand your business, and from talking with managers from the largest departments, the need is infrequent, so you conclude this activity should be delegated to an outside service provider on demand.

Staff Your Core Functions

Now, for the activities that are part of your core competency, create position descriptions and work with your HR department to fill them in priority order.

If you already have a staff of capable individuals, you may need to change their duties either a little or a lot. If so, proceed with great care!

Consider “Fit”

Be sure to consider what kinds of people would be best suited for the different positions; look for fit between duties, attitudes, skills, and personalities.

For example, be wary of hiring a person whose energy is drained by being with people (that is, an introvert) into a role that requires a great deal of interaction with people on a typical day.

Similarly, be cautious about hiring a person whose energy is drained by being alone (typical for an extrovert) into a role that has minimal interactions with people on a typical day.

Check for Aptitude

On the subject of skills and attitudes, some people believe it’s a good policy to hire people primarily based on their attitudes toward the work and being on a team; “hire for attitude and train for skill.”

This is a good approach as long as the person has the aptitude for the job. Otherwise, the person may not learn enough from the training to be successful in the job and their attitude will eventually sour.

Most cybersecurity jobs are highly technical, so you may want to administer an aptitude test to a candidate whom you plan to train after hiring.

This is especially important if you want to bring a person onto your team who has been working with your organization for a few years in another department.

Outsource the Rest

For the activities that should be delegated outside your team, create statements of work with measurable outcomes and proceed, in priority order, to find competent vendors by working with your trusted advisors, peers, and your contracts department.
