There are many possible solutions to the cybersecurity skills shortage, but most of them take time. Cybersecurity education, career development tracks, training programs, employer-sponsored academies, and internships are great ways to build a talent pipeline and develop skill sets to meet organizational needs in years to come.
But sometimes the need to fill a gap in capability is more immediate.
An organization in the entertainment industry recently found itself in such a position. Its primary cybersecurity staff member quit suddenly without notice, taking along critical institutional knowledge and leaving various projects incomplete. With its key defender gone, the organization's environment was left vulnerable. In a scarce talent market, the organization faced a long hiring process to find a replacement — too long to leave its digital estate unattended. It needed expertise, and quickly.
Finding Skills in Scarcity
According to a 2021 ESG report, 57% of organizations have been impacted by the global cybersecurity skills crisis. Seventy-six percent say it's difficult to recruit and hire security professionals. The biggest effects of this shortage are increasing workloads, positions open for weeks or months, and high cybersecurity staff burnout and attrition.
In this climate, more companies are turning to third parties for cybersecurity staff reinforcement. According to a NewtonX study, 56% of organizations are now subcontracting up to a quarter of their cybersecurity staff. Sixty-nine percent of companies rely on third-party expertise to assist in mitigating the risk of ransomware — up from 58% in 2017 — per a study by Ponemon and CBI, A Converge Company.
One way that companies gain this additional support is via third-party staff augmentation and consulting services. Cybersecurity staff augmentation, or strategic staffing, entails trained external consultants acting as an extension of an organization's security team in a residency. Engagements can be anywhere from a few weeks to a few years, and roles can range from analysts and engineers to architects, compliance specialists, and virtual CISOs.
The reasons companies seek staff augmentation services vary. A hiring freeze may prevent an increase in head count, even as the need for extra help persists. A staff member's shoes may need to be filled during a temporary leave of absence. A project may require support for a year or two, but not long enough to justify hiring a permanent employee. A company may need staffing services while seeking a replacement for an outgoing staff member.
Trying Out a New Role
Another motivation for companies to seek temporary staff augmentation is the opportunity to explore the value and benefit of new roles. Hiring a full-time employee is a time- and resource-intensive endeavor involving recruiting, interviewing, background checks, and other HR activities, followed by onboarding and training. In addition, new employees take time to ramp up: According to Human Panel, it takes five to eight months for a new hire to reach full productivity. On top of everything, there's the risk of the employee not working out — a Bamboo HR survey found that 31% of people have left a job within the first six months.
These are just some of the reasons companies often want to try out the idea of a new role before formally opening one, and strategic staffing services allow that flexibility. Recently, an organization came to us unsure if it really needed a firewall engineer, so we placed an engineer there for a six-month engagement. Once the customer realized the value of the role, it opened head count for an internal position and we worked together in the candidate search.
What to Look for in Staff Augmentation Services
Choosing your staff augmentation provider wisely is important in ensuring a successful engagement. One factor to consider is the investment the provider puts into its people. Traditional staffing agencies act merely as a broker between the staff resource and the client organization and rarely invest in training or career development of their staff resources.
A better option is to seek a cybersecurity-focused services provider that fills positions from its bench of in-house experts, rather than subcontractors. This offers many positive aspects: Consultants are more likely to receive training, benefits, and support for technical certifications, and to come from a culture of security — all of which make for a higher-quality engagement. Look for a provider that fosters an open team environment of knowledge-sharing — as a client, you will benefit from the knowledge of the entire team in the provider's pool.
Reeling from its sudden employee departure, the entertainment organization needed a replacement. It reached out to us and within 48 hours, we provided a qualified engineer. Our consultant began filling in for day-to-day operations and resumed the unfinished projects. When the time came, our engineer also assisted with the interview process, helping to select a qualified candidate to permanently fill the role. By the end of the engagement, several projects were complete and a new employee who knew the necessary technologies was installed.
Staff augmentation isn't the whole answer to the cyber-skills crisis. Organizations still need to ensure they have a talent pool of cybersecurity expertise for future years. But when the need arises, a strategic staffing residency is gaining more recognition as an effective way to procure the necessary cybersecurity expertise fast and flexibly, without the risks or cumbersome process of full-time employment.
About the Author
Aaron Mullinax serves as VP | Architecture and Integration for CBI, A Converge Company and brings more than 28 years of information security experience to his role. He is responsible for helping to shape the vision of the area under his leadership by strengthening organizational defenses across people, process and technology.