The Security Unicorn - Finding Skilled Practitioners

You’re looking for someone to lead your security program. They need to have these qualifications:

Technical expertise in all security platforms
The ability to form, execute and track compliance with policies that align to your business needs
The ability to accomplish effective 24x7x365 threat detection and alerting
Experience with incident response
Experience with threat hunting
Experience in performing and managing vulnerability detection and remediation
Project Management experience
Experience in forming effective security training programs
Experience in ensuring regulatory compliance
Able to form reporting on security posture and effectively present to the Board

You’re looking for the equivalent of a unicorn.

People that can encompass all the skills you’re looking for are very rare indeed. Here’s just a few of the skills they’ll need:

Vulnerability and Configuration Management
- Perform black box vulnerability scans
- Perform grey box authenticated configuration scans
- Create and complete projects to close vulnerability and configuration gaps
Penetration Testing
- Able to simulate and perform attack techniques
- These skills need to be kept current as the attack landscape constantly evolves
- Current OWASP knowledge with which to test applications
Security Engineering
- Ability to choose, setup, configure and maintain security control platforms
Audit and Compliance
- Knowledge of compliance measuring techniques
- Current knowledge of policy, security framework, and regulatory requirements
Project Management
- Logistics
- Budget
- Task delegation
- Timeline management
Management
- Oversee the strategy and implementations of the security program
Executive
- Align security strategy with business needs
- Effectively inform the Board of program posture and effectiveness

Obviously, you’re going to have to staff for these functions individually, no single person can do all of those things, there simply aren’t enough hours in a day, much less skills in every area. Even finding a person with the breadth and depth of expertise that they could staff and effectively manage all of those operations at once isn’t very realistic. You need a long-term plan.

Adding Up the Costs

Let’s take a look at costs associated with some of the needed skills we just listed.

Vulnerability and Configuration Management: $70-105K salary plus hardware/software licensing
Penetration Testing: $75-105K plus hardware/software licensing
Security Engineering: $70-110K
Audit and Compliance: $90-120K plus licensing for software
Project Management: $70-105K plus software licensing
Management: $100-150K

For single coverage on each chair, you’re looking at $475,000 to $695,000, plus the costs of benefits. Add to that the costs of building your own 24×7 SOC and payroll doubles to up to $1.3 million. Facilities for them adds yet more, and you’re still looking for a security unicorn to bring it all together. Coming in on the low side of payroll estimates will bring you turnover and re-training, costs unto themselves.

What are the alternatives? Security outsourcing.

What Security to Outsource?

Some areas are obvious for outsourcing security candidates, and some aren’t so obvious.

Network Monitoring: you cut your payroll in half if you outsource this area, and that sets budget goals for how much you’re willing to spend. If you choose a good MSSP, you’ll be assured that analyst skills are kept current.
Vulnerability Management: payroll is further reduced, and you gain assurance that your MSSP can perform this more effectively than you can staff for, as it’s part of the basic business offerings they have. Their experience pays off.
Application Security: an MSSP’s penetration testers apply their techniques to many different environments, exposing them to a continually updated wealth of knowledge that an internal pen tester, focused on your own DevOps and DevSecOps wouldn’t be exposed to.
Identity Governance: performing this internally often proves problematic, especially if the security team is part of IT. Operational needs will divert them, and the priority of IAM reviews will drop.
Audit and Compliance: let an MSSP bring their expertise to you rather than try to hire it yourself.
Security Controls Management: If you use MSSP to handle firewall and endpoint protection management, you further reduce payroll and leverage the expertise and depth/breadth of experience that an MSSP brings.

This leaves you with Project Management, Manager/Director, and Executive presence to staff for internally. The value in terms of ROI is readily apparent, and the increased effectiveness should be: you’ll not have to concern yourself with keeping those staff functions trained and current, provide facilities for them, or allocate payroll for them. Using MSSP to handle all those tactical efforts helps your security roadmap, especially in terms of forecasting budget.

Don’t go looking for a security unicorn. Contact CIPHER to see how we can help!

Dave Rickard is the Technical Director for CIPHER US.

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.

Cookie	Duration	Description
__hstc	1 year 24 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_86671402_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
ajs_anonymous_id	never	This cookie is set by Segment.io to check the number of ew and returning visitors to the website.
ajs_user_id	never	The cookie is set by Segment.io and is used to analyze how you use the website
CONSENT	16 years 3 months 14 days 7 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
driftt_aid	2 years	The driftt_aid cookie is an anonymous identifier token set by Drift.com for tracking purposes and helps to tie the visitor onto the website. The cookie also allows Drift to remember the information provided by the site visitor, through the chat on successive site visits.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
ajs_group_id	never	This cookie is set by Segment.io. The purpose of the cookie is currently not identified.
AnalyticsSyncHistory	1 month	No description
debug	never	No description available.
drift_aid	2 years	No description
drift_campaign_refresh	30 minutes	No description available.
li_gc	2 years	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

Insights > Blog

The Security Unicorn – Finding Skilled Practitioners

Adding Up the Costs

What Security to Outsource?

Did you enjoy this blog article? Comment below with your feedback.

0 Comments

Submit a Comment Cancel reply

GET EMAIL UPDATES

Information Security Maturity Self-Assessment Survey

Learn More

Social Media

LinkedIn

View on LinkedIn

Social Media

Twitter

Twitter feed is not available at the moment.

Social Media

Facebook

Cipher | Continuously improving your cybersecurity posture and visibility#cipher #cipheraprosegurcompany #ciberseguranca #cybersecurity #XMDR ... See MoreSee Less

Ver no Facebook
· Share
Share on Facebook Share on Twitter Share on Linked In Share by Email

Insights

Whitepaper

Dig into the details of cybersecurity and regulations by reading our exclusive white papers. Each paper is written by an expert at Cipher and full of insight and advice.

Learn more