Last Updated on July 28, 2020
In-source or out-source? … This is a big decision for so many of our clients and prospects. The question most organizations are asking is, “Should we hire a (or another) full-time information security expert, or hire a fractional expert—and how should we decide?”
We have helped many clients work through this issue. From our experience, these are the four key factors to consider when making your decision about outsourcing information security.
Like IT… Why Hiring Outside Talent is an Advantage for Most Organizations
1) Your Needs
It’s often a big mistake to say, “Information security will always be a concern for us, so we should definitely hire someone full-time. This will guarantee we have reliable, consistent information security expertise.” The problem here is information security experts are in such high demand that their average tenure in a full-time position is 17 months or less.
Another challenge is that it can be very hard to find a single person with all the expertise you may need to cover all the specific information security goals, objectives, and metrics that are important to you. That said, you probably are most concerned with a select few things, like GDPR, HITRUST, PCI, proving your network or application is secure, and so on.
It’s often smart to have full-time staff who are knowledgeable in key areas and rely on outside help for expertise that’s not as business-critical. For instance, this approach works well for payment processor organizations that have strict PCI compliance needs but also want to be ISO 27001 certified. These firms can hire a PCI expert full time and bring on ISO 27001 expertise as needed.
2) Your Recruiting Resources
Something often overlooked when considering full-time versus fractional staffing is how robust your recruiting resources are. We interview three to ten information security experts every week and all of them have multiple offers on the table.
If your organization is a highly desirable place to work (you pay well, offer great benefits, boast a stellar reputation, support work/life flexibility, etc.) you may be able to out-compete other organizations for full-time talent. If not, you could be paying a lot for a person who could exit very quickly and leave you in a worse place than you were before.
3) Your Budget
Let’s get down to the nitty-gritty. If you are an information security expert thinking about hiring another expert, you know what top talent is worth. If this is your first time thinking about hiring a full-time expert, consider that an information security practitioner that can advance your security posture starts at $110,000. One with a very specific skill set will add tens of thousands more. Someone approaching a CISO level skill set is going to cost $200,000-plus.
Salary, plus benefits, plus associated HR costs, plus average turnover of 17 months equals a significant expense to hire full-time information security staff.
Fractional talent will almost always cost less than full-time talent. For instance, our Virtual Security Team (VST) engagements usually range from $60,000 to $180,000 per year, with the median falling around $85,000. Obviously, there are no HR costs associated with hiring fractional talent, but there is effort involved in finding, vetting and onboarding on outside firm.
The other bonus with fractional talent is you have more flexibility as your needs change. If you need to change the terms of the engagement, add or remove pieces to the scope of work, etc., it’s very simple to make those changes and adjust costs immediately.
4) Your Culture
Company culture is huge when it comes to staffing. It can make all the financial sense in the world to outsource information security talent. But ultimately, if management wants someone on the payroll, that could be your best option.
Speaking from experience, relationships without management buy-in don’t tend to go well. If your culture is one that likes to keep business matters in-house and rely on full-time employees, then outsourcing something as crucial as information security could be a seriously wrong move.
Disclaimer: We want to remain as objective as possible here. But since we are an organization that provides fractional security talent “for a living,” that is challenging. In our experience, 90% of the time hiring fractional talent is what we feel is best for an organization that needs information security expertise. Likewise, we have more than once advised people not to hire us because it’s not what we feel is best for them.
In the end, we genuinely want to help you identify what is best for you! Contact us to talk over your InfoSec staffing concerns.