Building an internal security resourceThese are figures that MSPs and IT Providers can benefit from by buying, building, or partnering with the security market development. Be warned, though: do not travel the security road lightly. While presenting at DeepSec in Vienna, Austria, I got the chance to have a pint with Thomas Fischer, Global Security Advocate at Digital Guardian, who has done IT work in places as far flung as Africa, Latin America, and eastern Europe – places other infosec members may fear to tread. Here's what he told me:
"It’s hard to build an IT security resource internally, especially from already busy staff. So, you either plunge them into the deep end of the security pool and see how it goes, or you’re going to have make time for your candidate to figure out security things. Time is the most important thing you can give if you’re considering morphing a systems, dev, or admin into a security resource – and they have to have a natural curiosity and passion for security."The decision to buy or partner with a cyber security firm has a lot to do with the cash flow of your MSP or IT provider business. With the cyber security market subject to the laws of supply and demand (just like any market), good quality cyber security talent is currently at an all-time high demand high and low supply. Expect to pay a premium for a company with some credentials and experience.
Partnering with someone with the right skill setIf your MSP or IT provider business isn’t turning a big enough profit to make this investment, then it may be a good idea to form a partnership with a larger firm that has cyber security skills – with some references, of course. Networking channel events sponsored by CompTIA and ASCI, as well channel partner events provided by suppliers like SolarWinds MSP, is a great place to find firms to partner with. These two strategies can give you access to a “security person.”
Doing it yourselfCentral to the question of building cybersecurity capability is: can an MSP or IT Provider make a “security person”? The answer is yes, provided there is the right material to work with and the person is passionate and motivated. It’s going to take some work to build the cyber security skills necessary to be useful and valued as a security resource. Cyber security capability has to be built on a basic understanding of network administration, system administration, and some understanding of software development. A few entry-level certifications or a technology program and a few years of experience form a solid foundation. Experience in network infrastructure architecture, switch, firewall and router configuration, as well as other operating systems is also a requirement. Other skills that are highly desirable are succinct oral and written communication skills (especially useful for presentations and written work) alongside some experience in managing or serving as a key resource on a project.
Training & FeedingAt some point, to ensure credibility in the market place as a “security firm,” certifications of your security resource are going to be required. It’s a controversial topic in IT security, as what is frequently learned in the classroom on courses that range upwards of USD $5000 in price may not be appropriate for real-life security challenges at the SMB/SME level. In the first year, it may be prudent to consider online course materials rather than in-classroom training, which can cost upwards of USD $10000 when hotels and flights are considered.
Cleaning & MaintenanceThis is perhaps the least expensive but most important requirement for a cyber security resource: the cyber-defense lab. One or two machines with excellent processor capabilities and considerable amounts of RAM are necessary for running Virtual Machines to work on secure configurations, testing and research. If you have standardized customers on a standard platform, it may be a good idea to equip the lab with those, as well. That’s a great place to make sure the latest firmware is good-to-go before melting down a customer’s firewall with an upgrade that goes wrong. Keep in mind most of the software tools used by cyber security professionals are open-source or free.
Treats & RewardsCertainly a quarterly or bi-yearly bonus tied to the security resource’s Management by Objectives (MBOs) is advisable. MSPs and IT Providers can expect a requirement for flexible hours, remote work and overtime (if a customer requires it). Customers don’t like downtime even for security work or really any sort of IT work, so weekend work is usually essential, as well. Since there are so many security conferences and events held in almost every part of the country, employer support for these conferences is important to consider in order to keep the security skill set current.
Discipline & AccountabilityIT Security does not mean that standard employee policies don’t apply to your resource. IT security testing and research should NEVER occur in a production network – the MSP or IT providers and certainly NEVER EVER in a customer’s network. Accidentally infecting a customer’s network could potentially get your organization sued, put the customer relationship under extreme jeopardy, and even get you fired. Every proposed security adjustment, upgrade, or change should require documentation, a test plan and a back-out plan. If something goes wrong, be fair, firm and friendly when trying to figure out what went happened.
Passion & CommitmentMaking security resources feel like they're part of the team can be challenging. As an MSP or IT provider, when discussing security it’s important to have enough of an understanding of security to engage in conversation. Asking open-ended questions is a great idea to connect with the security resource. “What do you think went wrong at Talk Talk? Do we have any customers that could be attacked that way? What can we do to prevent that from happening?” Don’t accept “No” as an answer from the security resource. Instead, ask “how can I do this securely; can you give me options from very secure to hideously insecure?” As mentioned before, buying, building, or partnering for security capability is an important decision for the MSP and IT provider’s growth plan in the years ahead. Perhaps the most important trait is the personality of the resource. Security resources, just like all employees, have to work as a team and be able to engage with team members and customers as required. Pay close attention to those interview behavioral-based questions, and choose someone who would work best at your organization.