For years, a common rule-of-thumb said your security spending should be around 10% of your company’s IT budget—but that rule doesn’t quite hold up anymore. In fact, a 2020 Deloitte survey on cybersecurity says this number is now more like 10.9% and rising year after year. That’s not surprising, as cyberattacks keep getting more sophisticated, and more companies of all sizes get targeted. There may be significant accumulated technical debt for those organizations that have not spent that needed 10% for security over the last few years.
For most smaller companies, that 10 or 11% means you can't hire additional FTE security people until you have at least 200 employees, and even then, you have to be very selective. So, when you’re ready, how should you approach hiring in-house, full-time security personnel? We shared our thoughts on who your first security hire should be here. The TLDR on that is: It depends on a lot of factors, but it should probably be a DevOps person. A skilled DevOps person can code and automate tasks that will help you make the most of the security platform tools that do the heavy lifting of your security program.
One of our clients recently hired several security personnel. They started by hiring a chief information security officer (CISO). They followed that by hiring a security engineer, followed by a governance, risk and compliance (GRC) officer, then an application security engineer, and finally a DevOps person.
That’s a pretty sizable security team for a small company, and it means they’re spending more on security than most companies of their size. Most SMBs and start-ups can’t afford this kind of security team, even if they do ignore the 10% rule. Further, those roles might not even be the types of immediate security hires that make sense for them.
How you invest resources in security will vary depending on the risks, profile, and priorities of your company. Planning a security hiring roadmap is a bit like growing your security program, and it starts with an analysis of your company’s needs.
START BY THINKING ABOUT RISKS, NOT TITLES
When you focus on your risk priorities, you can think broadly about the most effective way to address them. Should you bring on a new hire, outsource to a security service provider, or invest in software tools or external SaaS security platforms?
For example, due to its industry, one of our corporate clients is a ripe target for specific types of fraud, including bot automation and account takeover. They hired employees who focus on preventing these types of fraud by mapping application paths and defining new “speed bumps” against these types of attacks. In their case, building in-house security expertise on the threats specific to their business is a smart investment. They can use a combination of outsourcing and security tools to address the more common security issues that all companies face.
Speaking of which, one of the most common security controls all companies need to implement is endpoint security. Because endpoint security is a universal, high-priority security need, it has a well-developed ecosystem of tools and service providers to which companies can outsource this task. Consequently, we usually see small companies either task their existing IT personnel with managing the endpoint tools or outsource the job to an IT firm.
Another universal risk area is network architecture, configuration, and monitoring. If you have IT personnel with strong network skills and experience, they can use a proper set of network security tools to manage scanning and monitoring the network for vulnerabilities or intrusions. If your first security hire was an experienced DevOps coder, they can write scripts to leverage these tools to improve the company’s ability to detect, analyze, and respond to risks in (and threats to) your network infrastructure. Of course, network management and monitoring can be and often is outsourced entirely. Network monitoring is a 24/7 job, which requires multiple personnel, even when automation is handling the rote and scale tasks. For this reason, outsourcing can be less expensive for a small company than building a 24/7 monitoring team in-house.
The most common scenario is for small companies to use a combination of tools, staff, and outsourcing to meet the full scope of their cybersecurity needs. Another client—one with high privacy requirements due to the nature of the data it handles—leverages the SPIO platform to continually mature its security program. At the same time, it also works with an outside privacy security consultant and assigns task execution responsibilities to an internal DevOps team. Through this combination, the company benefits from SPIO security expertise to grow their security program, while plugging in additional privacy expertise specifically targeted to their industry’s domain.
BALANCING TASK EXECUTION WITH THE DEMANDS OF LEADERSHIP
In our post on your first security hire, we discussed the challenges of balancing senior leadership experience with practical task experience in a more junior role. We stick by our recommendation of starting with practical DevOps experience for your first security hire or two. Their functional expertise means they can leverage both security tools and outsourced expertise to put your company quickly into a strong security posture.
However, you will need somebody in senior management with authority to oversee company IT security. Identifying that senior person is one of the 21 steps your company can take to immediately improve its security posture. Senior IT security responsibilities can initially be delegated to the head of IT, the risk management/GRC officer, or your vendor management team. These employees may not have the practical security experience, but that’s why it is important that your first dedicated security hires do.
While it can be a challenge for a small but growing company, you want to bring on someone with senior IT security experience as early as possible, so your security program develops and operates strategically rather than tactically. Remember that, even if you bring this person into a hybrid security role, their experience enables them to best leverage security compliance management software like SPIO and third-party security experts for a well-rounded security program. As your company expands and starts looking at working with bigger companies with more stringent security expectations, it will work to your advantage to have someone with seniority who can talk confidently with prospects about your company’s security program.