So this has been an ongoing discussion in the industry for a while now. As companies continue to grow and expand their digital footprint, they expose themselves to a greater number of threats. In turn they need people to manage the monitoring and mitigation of those threats as well as the remediation when things go south. So the solution that all the research firms recommend is to hire an MSSP, because they can do all the things!
How do the MSSPs fill their positions?
That is a question that should be asked when considering that path. Some suggest the MSSPs pull from cheaper labor pools. If that is the case, then what are you actually getting when signing up with these providers? If you are getting cheap labor, then you are either getting under-skilled analysts and engineers, or barely entry-level prospects with the ability to read a script and follow a basic procedure. The information security industry is not an entry-level service. The “junior” analyst needs to have a general understanding of what the base technologies are and how they work. If they are looking through logs and see an IP address, they should know how to look it up and find information about it. Or if a website isn’t loading correctly, they should know where to look to see if it is a network issue, web filtering, or simply a bad site. On the flip side, a junior analyst would need to know how best to pull in a lot of data and turn it into a presentable format to show to the customer. That being said, are their “senior” analysts just the juniors with more training? How many of the MSSP’s staff are actually veteran IT/InfoSec professionals? How many have had to build and support their own infrastructure? Or are they just good readers who simply email you a canned alert from your SIEM and say “it might be something…”? Or are they truly skilled people, and the MSSP is offering some pretty good incentives to come work for them?
What are we not offering to entice the skilled labor our way?
- Are we not offering competitive salary and benefits?
- Do we not provide enough training opportunities?
- What are prospects looking for?
Salary and benefits are great to pique some interest, but frankly, if it is truly competitive, at some point there is a ceiling and it won’t mean much to a seasoned security architect or engineer. They might be looking for a fun challenge or perhaps a good balance between work and life. This industry provides its share of challenges, both fun and frustrating. That last bit can lead to some pretty heavy burnout, which then leads to people exiting those positions or, worse, staying so long that they become a toxic member of the team. Burnout and stress can lead to poor health, so all the money in the world is no good if you are spending all your time in doctors’ offices trying to figure out why you aren’t sleeping or have a sudden heart condition.
Training! Offer it and don’t be cheap about it. It’s the old argument: “what if we train them and they leave… but what if we don’t and they stay”. Those of us in the industry are not new to self-education, but you as an employer cannot expect that we want to use our free time to learn something that is related to a specific technology we use in that particular job. For example, if we are interested in IoT security research and we spend our free time in our home labs tearing down the latest IP camera to see how it works, we don’t want to give up that time to go through the vendor training for our latest spam filtering service. That should be done with reserved time in the office. Now, if you offered the latest in SANS training, then you might pique our interest. This is vendor-agnostic training that promotes principles and techniques across various subject matters in InfoSec. Sure, the classes are expensive, but they are worth every penny. Many can be done remotely or in self-paced virtual classes. That means no travel expenses!
So money isn’t everything. Do you offer decent enough vacation time, and will your prospects be able to take it? Time off is no good if the prospect is the only member of an incident response team and is on call 24/7. Be realistic in your expectations of the position and be able to support time off for your staff. But even vacation time may not be a big seller, especially if it includes sick time as part of the bank (generic PTO vs. separated vacation and sick time). Maybe your prospect is looking for an employer who is active in the community and in turn encourages speaking opportunities both inside and outside of the company. One other possible opportunity is the career paths available to your prospects. Will there be manager opportunities or senior lead/SME positions available? Not everyone wants to be a CIO, and there are usually plenty of managers.
So how do we fix this?
There will be no simple solutions to this. In many cases, you have to realize there is not a lot of difference between your org and the one next door. You both have similar problems to solve and need similar positions filled. At the end of the day it makes little difference to your prospect if you sell X widget and they sell Y. In the end, we like puzzles that have possible solutions, not a mess of knotted Christmas lights that keeps coming.