Last Updated on January 25, 2023
Security staffing has long been a major challenge, especially for SMBs. It’s bad enough that demand exceeds supply. It’s also difficult for HR teams to zero in on the best candidates for these often technical roles. Then there’s turnover, averaging about 18 months.
Now add the pressures of a potential economic downturn and you have a recipe for unfilled seats, stressed-out security teams, and elevated cyber risk. How can orgs get the security talent they need?
To brief SMB leaders on his “top 10 tips” for advancing security against an economic headwind, Pivot Point Security CISO and Managing Partner, John Verry, recently recorded a special episode of The Virtual CISO Podcast.
Consider fractional support
Pivot Point Security offers fractional support or outsourcing in the form of virtual Chief Information Security Officer (vCISO) services, optionally augmented by Virtual Security Team services.
“We’re seeing this as an increasingly viable business model for many organizations,” reports John.
If you only a vCISO’s skill set in the advisory and governance domains every so often, but not every day, a vCISO can be massively more cost-effective than a full-time CISO.
“As an example, we had a client where we were their virtual CISO for about two years,” recalls John. “They were a small firm in the investment advisory space. We helped them correct some challenges in their environment. When they exited with a billion-dollar valuation, one of the things they were complimented on was their information security posture. And they were able to do that at an extremely competitive rate over a multi-year period.”
Fractional support can also handle tactical/operational tasks that you don’t want to give to more strategic personnel.
“If you’ve got those people but they’re stuck doing things like vendor due diligence questionnaires, answering security questionnaires, or spending inordinate amount of time validating that the processes that need to occur are occurring, you can often offload that to what we call a virtual security team,” John suggests. That’s another good strategy for either getting the support that you need but don’t currently have, or unburdening the more strategic advisory folks in your organization to fulfill those rules, and outsourcing those lower-level roles.”
Attracting and retaining great talent
Security is about properly architected controls executing effectively on a consistent and repeatable basis. That takes the right products and the right processes, but most importantly it takes the right people.
That’s been a tall order in the cybersecurity space, and a down economy may not provide much relief in terms of availability or cost for new hires. Then there’s the challenge of retaining good people once you’ve expended the resources to hire and onboard them.
As John notes, “it’s not really just about the comp. Money is definitely an important part of it, and you’re going to have to make the investments from a dollars perspective. But there are a lot of other things that are important.”
Cybersecurity staffing expert Deidre Diamond, a two-time guest on The Virtual CISO Podcast, equates retention success with what she calls “inclusive cultures.”
Another factor is stress levels. A recent report from email security leader Mimecast found that security teams are facing unsustainable levels of stress, with one-third of security professionals stating they’re considering leaving their jobs—or even the profession—due to stress. Reducing stress in the workplace can definitely help with retaining your much-needed security staff.
To listen to the complete podcast episode featuring John Verry, click here.
What does a day in the life of a vCISO look like? This podcast tells all: EP#4 Andrew Farkas – True Confessions of a Real Virtual CISO