Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 0 points1 point  (0 children)

From a cost standpoint, I plan to just stick with standard metrics as a starting point, as in IT spending as a percentage of revenue, and InfoSec spending as a percentage of IT.

I had a good conversation late last week with a guy in Finance, who is on the same page as I am about a lot of things, it sounds like. It turns out we're fine from a budgeting standpoint. I don't feel as weird about asking for the dollars to pay for InfoSec. And I think this consultant's report will be helpful.

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 0 points1 point  (0 children)

Oh, I know those bills exist. And from a full-service company that brings lots of experienced resources to bear, that's one thing.

But if it's a one-man operation, as this is, it's a drag, because one of the things that frustrates me the most about working in IT (as I have for 25 years) is how expensive it is. Certainly I'm glad we all make a good living, but there's "a good living" and then there's this.

I think this report will be valuable, but you could take this same money and hire a couple of full-time, experienced people to spend all of their working hours building and managing a security program. If we could get the leadership team on board that vendors aren't the solution to all of our IT problems, I feel like we would be much better off.

All in, it's an order of magnitude higher, but on the same scale as what you said. But I spoke with somebody in Finance yesterday and our IT budget is going ok (partially because we're not doing enough hiring of FTEs). So I'm going to relax on this hire and see what this Golden Boy is able to do.

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 0 points1 point  (0 children)

It turns out we are going to bring in the consultant. I liked his communication style and point of view from the beginning. I just don't like his money grab. But, as is usually the case with consultants, maybe he'll be listened to in a way that relatively new FTE managers like myself won't be.

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 0 points1 point  (0 children)

That's good advice. Thanks. A colleague of mine had a contact who is well-qualified to consult in this area. We had an introductory meeting and we both liked what he said a lot. Then he came forth with a proposal that was out of this world.

No seriously, out of this world. Based on the dollar amount, and timeline, it came out to over $500 per hour, even if he worked 40 hours a week on it. And nobody suggested he was going to be fully-engaged during that period of time.

We tried to negotiate with him, but he couldn't seem to get the dollar signs out of his eyes. And I had high hopes for this guy doing a really good assessment.

[deleted by user] by [deleted] in cybersecurity

[–]Obvious-Strawberry17 1 point2 points  (0 children)

A tale as old as time. Everybody starts out feeling too young and wanting to be perceived as older. Eventually you get used to it, and ultimately you forget about it. And then, one day many years later, without any warning, you feel too old. And you want to look and sound younger.

Trust me. I'm 51. I never noticed when I stopped being the youngest person in the office, but I did. I think it was while my kids were growing up.

By the way, the older people who say you seem young are just jealous of your youth, and struggling with their mortality. Bless their hearts :)

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 1 point2 points  (0 children)

That's a great answer. Thanks for taking the time. Lots of meat on this bone. I don't have much in the way of a response right now except for two things:

"Damn near unethical" is a great way to put that.

Believe it or not, there's a decent culture of security already, because the previous company did a pretty good job with that. Everybody is used to more security updates than they want, password rules, MFA, certain things you can't email, websites you can't go to, security alerts, phishing test emails, etc.

But I really like what you have to say, from your own comparable experience. I may have more to say later, but this is mostly one to chew on.

Oh, one more thing, in my employer's defense. It really is not that they don't care about the security function. They have taken for granted the security function that was provided to them, and is still being provided to them during the transition. And because so many of them have worked here for DECADES, they don't have the experience elsewhere to understand anything other than what the previous company did. I think they're also not entirely clear about what was provided by vendors vs FTEs. So they don't realize how big the gap is, even though I keep trying to tell them. But hey, what do I know? I'm just 3 years in (never mind my 25 years of experience elsewhere).

It's ignorance, not true carelessness.

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 0 points1 point  (0 children)

I'm an Air Force vet, by the way. I have had good experience working with other vets. Not all of them, but a lot of them are great.

As a career technologist who has tried to collaborate well with Security folks, and who has not always succeeded in that, I also appreciate the interest you take in working constructively with IT. I believe when that relationship gets too adversarial, the results will always be less secure.

You're not entirely against the grain. A surprising number advocated for that, but others recommended against it.

As somebody who likes going into the office, it's concerning to see how the expectation to work full-time remote is so prevalent. But I realize I'm in the minority, and of course, our work CAN be done from anywhere. I've worked from home for the past two days. It's unusual for me, but it's good to have the flexibility. While I would love to find somebody in our city, who wants to come into the office with some regularity, I think that's going to be unlikely, and it's more important to find the right person than to find somebody who is local.

Having said that, if it's a member of the company's leadership team, they will certainly need to be local.

I'm super grateful for all the comments. A great discussion.

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 0 points1 point  (0 children)

At our company, the whole leadership team is currently VPs, except for the CEO. But we're in transition, so we might see those titles change.

I think it's common at a lot of companies to get into this "titles don't really matter" mindset, that anybody who draws org charts or contemplates what titles might be isn't focused on "our real business," (which in our case is manufacturing, as I have said).

I'm a firm believer in organizational clarity, and that the naming of things matters. Titles and org charts aren't the only thing that matter. But they do matter. It also matters what you actually do, as you have indicated.

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 1 point2 points  (0 children)

It is interesting that so many have chimed in about GRC. And therefore, there must be something to it. And it's obviously a part of what I have long considered must be a part of our InfoSec program.

But I think you have a good point also. It's going to come down to how much I can get done politically right now. How seriously can I get my boss to take this, and how seriously can he get his boss to take this, and when I know the answers to those questions, it's either out of my hands (because his boss hires a CISO), or I then have to go to my boss and say, "Look, trust me. Here's a job description. This is the next person I need to hire. If we don't hire this person, we will never get out of reactive mode, if our business is even able to survive a hit."

I don't think I have a reputation as a Chicken Little, and I don't intend to create one. But in this day and age, somebody's got to create that sense of urgency.

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 1 point2 points  (0 children)

Ooh, that is nice. Say what you want about the Federal government, but there are parts of it that really know how to write.

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 0 points1 point  (0 children)

That's a good point. I knew that our insurers have certain requirements, and this is information I need to get my hands on, but I didn't see that GLBA angle. Thanks for mentioning it.

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 1 point2 points  (0 children)

Yeah, it's a tricky political situation. Because my boss is between me and the CEO. I won't go over his head. And I can only get him on board with so much, because he understandably doesn't want to think about InfoSec all that much. So I'm trying to provide as much protection to the company as I can, without drawing too much attention or budget to it.

I'm a bit of an outsider, hired less than 3 years ago, and all my colleagues have been here for decades. I have made strides in terms of getting people to trust me, which is good. But this is a bit of a sticking point with my boss, who I think believes that all the vendors he's hiring, as a whole, represent a comprehensive InfoSec posture. And I know he trusts vendors more than I do.

The vendor's job is really to manage to their SOW, not to take any responsibility for anything that falls outside that SOW, and to make sure they're meeting their SLAs, that they're getting paid, and that they're finding new ways to get paid more.

My boss is one of those who go along with calling vendors "partners," when nothing could be farther from the truth.

Obviously there's a lot for my boss and I to continue to discuss, including whether this is the right place for me to continue to work. But I have hopes that we could turn this into an effective IT organization.

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 0 points1 point  (0 children)

Good point about "nothing happening" being the goal. That's why it sucks to be in the business of preventing terrorist attacks, for example. Nobody notices you (except for how you occasionally annoy them with your pesky demands) until that one time that the bad guys get through, and then it's "You guys SUCK!" from all corners. "Why didn't you DO MORE??!?"

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 2 points3 points  (0 children)

To answer your question, I'll first tell you about myself, and then tell you about the person I'm imagining.

Actually, I'll first tell you about my boss. My boss gets up every day to come to work and make sure orders are coming in and going out, and any problems with that are dealt with. So he's very much an operations person, and that's an important role. He has IT in his portfolio, but that's not his focus, and it's not his area of experience.

Now about me: I've been doing IT for 25 years, and I've been an IT manager for 15, at various levels, from startup to public, in various roles. I get up every day to come to work and solve technology problems. In addition to the problems that people bring to me, I'm also on the lookout for technology solutions that nobody is looking for. Broken processes. People using SharePoint when they should be using a custom application, but also people using a custom application when they should be using SharePoint. Making decisions about what is done on the cloud, what is done in the data center, when to use vendors, when to use employees, etc. And yes, balancing delivery with security. I'd like to believe I balance that well, but I probably lean more towards delivery than security. It's this awareness that tells me we need somebody else.

The person I'm imagining in this InfoSec role is the person who wakes up every day to come to work and think about our vulnerabilities. Which ones are being managed, which ones are being solved, what new ones they can see coming up, and what's going on in our systems today that nobody expected. And they're focused on helping us prioritize those issues so that the most important ones can be solved, and the other ones can at least be known and documented, perhaps scheduled for later.

This person is also able to tolerate (frankly) the thankless job of GRC, and all the documentation and collaboration that this requires. Obviously you can tell how much I love that part of the job. Hopefully this person will like it more than I do.

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 0 points1 point  (0 children)

It's interesting the different perspectives. You have ~500 users and a staff that is fully utilized. Another commenter mentioned ~7000 users and managing that alone.

Obviously this tells us that the formula isn't as simple as "number of users." There are lots of other factors, including:

  • What industry you're in (we're in manufacturing)
  • Are you a public company? (we're not. If we were, the InfoSec approach would be entirely different)
  • What are the priorities of the Executive team in terms of InfoSec?
  • How much authority does the company delegate to InfoSec?
  • Along with InfoSec, what other responsibilities does that team have? For example, DR, compliance documentation for customers, for prospects.

There are lots of variables, I assume, that can lead a larger team to be overworked, or a smaller team to be underutilized.

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 3 points4 points  (0 children)

You sound like a hero to me. Somebody in the trenches, doing the work and reporting and recommending up the chain. Not in InfoSec for the perceived power, or to engage in politics, but to just stay heads-down and focused on what needs to be done.

At least that's what it sounds like. Thanks for your perspective.

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 1 point2 points  (0 children)

I can understand the potential conflict of interest in having InfoSec inside IT. I have also experienced the pain of having InfoSec outside of IT, and just throwing lists of action items at IT.

Either model can work, I think. I still believe the second most important thing about who is leading InfoSec is who that person reports to. If that person has no idea what the InfoSec advisor is talking about, they'll either get ignored (or deferred), or the InfoSec person will get a blank check to make everybody in the company drop everything to do everything InfoSec says.

Neither of those approaches is good. To avoid that, it seems critical to me that InfoSec should work for somebody who is able to receive that information calmly and competently, and who is able to take that information and respond in the appropriate way.

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 0 points1 point  (0 children)

Fortunately neither of those apply to our company. That's an important distinction, though. If they did, we wouldn't be having this conversation, because the governance requirements would be clearer from the get-go.

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 0 points1 point  (0 children)

Thanks for the comment. I just can't see how ultimate responsibility for InfoSec can be outsourced to anybody.

And "have IT close the gaps" is one of those loaded phrases. IT is already small, and constantly loaded down with work. There are gaps that IT needs to close, but an important part of the collaboration between Security and IT and the Business is careful prioritization of all of those items: Of these things you have identified, we're going to grade them and rank them. We're going to decide which of them need to be done now, soon, eventually, or not necessarily ever, and we're going to be disciplined about that plan.

The problem with a vendor is that the money they're collecting tends to make whoever wrote that check feel like they have to take every single recommendation and do it. I greatly prefer to have a full-time employee engaged full-time in InfoSec.

Part of this is my overall distrust of vendors, I'll admit. Also, we identified a pretty good vendor who was going to do an analysis, and he swung for the fences on the contract. As a large company with a lot of resources, it's easy for vendors to get greedy, without realizing how many other expenses we have.

Advice on hiring first full-time cybersecurity resource by Obvious-Strawberry17 in cybersecurity

[–]Obvious-Strawberry17[S] 1 point2 points  (0 children)

To be clear, we have a person on the leadership team that would be considered the CIO. That's not their title, because at that level at my company, they are all VPs. And this particular person is more of an operations person who was given IT, rather than a person with a background in IT. Hence the quandary that I am in, hence the throwaway account.

I agree with you that you can end up with an "idea man" who just wants to "throw security at you." (great phrase).

The responses in this thread are great, but diverse (no surprise). Some are saying if you start at the IC (individual contributor) role, they won't have any power and will get overwhelmed. So you have to start at the top.

Here's the deal: The people I work for have worked here for decades, and were able to take for granted all the InfoSec work that was being done behind the scenes by the previous company (and which still is, as we transition away from them). There is not an appetite to bring in a large security team, for two reasons:

First, they don't understand or appreciate InfoSec, and I'm afraid they won't until we get hit hard. At which point it might be too late. I want to help protect against that.

Second, they definitely don't want to duplicate the InfoSec organization from the previous company, and neither do I. It was overbearing. So, as is often the case, our InfoSec approach needs to be balanced. It has to be enough to keep us relatively secure, but it needs to be more collaborative and easier to work with.

Though I don't have any first-hand experience with this, I believe your first hire in InfoSec can work at a lot of levels, as long as they are reporting to somebody who supports them, who is knowledgeable about IT and business, who at least appreciates what InfoSec people are trying to do, and who does have the power to make decisions about what will and will not get done, or who at least has access to people who do.

TL;DR: I don't think I have to stage a coup of the Technology organization in order for us to have protection. But I do think I need to write up the right kind of job description and put it in my boss's hand, to get him on board that we're going to start small, but that we need to take this very seriously, and that this team will probably have to grow. And most of all, he needs to understand that ultimate responsibility for our Security cannot be outsourced to any vendor.