Is cybersecurity as a service (CSaaS) a real solution for the IT talent shortage?

Fractional CIO in Services (non-Government), 4 years ago

You still need someone in the business who is accountable for the cybersecurity. And it’s not just a matter of saying, “You're now accountable for this.” It's giving them the skills and the knowledge they need to know that and know what that means.

When New Zealand changed their privacy laws, one of the requirements was that every company now needs to have a privacy officer appointed. That doesn't mean they need to have someone in there whose job is only privacy, but if there's a breach, or if there's anything that needs to be done around information and data sharing, there’s a person who's responsible for it. You can say to someone, “You're now our privacy officer.” But what does that mean? What are their responsibilities and roles? It's a bit hard to retrofit this but as you start to hire towards certain roles, you have to start putting that in the job description, the contract, as well as the responsibility statement that you put in front of them when they come on board. That way they know this is what they should actually be doing.

Board Member, Advisor, Executive Coach in Software, 4 years ago

There’s a company that offers a solution that I love with regard to workforce development, skill development, proof of skills, etc. It's called Immersive Labs. They have great capability on continuous skill development, skill building, and in a wide variety of ways. They're getting a lot of traction; I have several friends that are using them.

I actually pointed a friend to them because they only had the ability to recruit lower-skilled talent due to the size of the company. I told them, you don't have to compete for a security operations center (SOC) analyst that will cost $175K a year. Get somebody from the junior college who's been an IT person and wants a cybersecurity career. You can pay them $55K a year and then ramp them over a period of time. You'll have lower costs and someone that will be stickier with you. At some point, once they've shown that they can do all these things they might bail and try to get the $200K per year job.

But if you are constantly backfilling you have to basically skill people up. It's lower cost and makes people stickier but you will still need to constantly recruit and train because they’ll either migrate up to some level of management or migrate out. That's the treadmill you're on—otherwise, you're on a treadmill with the vendor. Those are your choices.

CEO and Co-Founder in Software, 4 years ago

For the people I work with and the peers I'm talking to, the number one reason for them to outsource any security service is the lack of necessary skill sets. They're able to tool it right, when I say tool it right, to the existing skill set. There are people who are traditional networking folks or have moved away from endpoint protection but they don't understand Cloud.

So you're actually seeing a big skills gap when you look at SaaS products, which you truly don't manage other than provisioning. You only have authorization and access. Everything else is done by somebody else. That's a different play.

no title, 4 years ago

For security as a service, do we also need skill development as a service? And do we therefore have to continually embed that in our culture, in our capabilities, to continually perpetuate learning and application of that learning? Because if we don't, we're going to fail regardless of whatever service model we put in operationally.
