Any resellers looking to expand their security practices will soon realise they are not alone. There’s a rush on skills, with end-user IT shops, vendors and experienced security specialists all looking to recruit the best talent.
This is what Damian Huon, managing director of Huon IT, found when he decided to establish a dedicated security operation. While his journey included some roadblocks, the experience offers a helpful case study for other resellers on how to attract some top-level security talent. Being flexible was key.
“First, finding a security guy who can speak business language has been very hard,” Huon told a CRN roundtable last year. “Finding the right security guy, someone who is not already a director or partner of a firm and who you can attract away, has been difficult.
“We’ve had a couple of false starts, but now we’ve found a consultant who has a lot of track record and works for one of the major banks in a three-day consulting role, so he has availability. He’s an independent who is coming in and assisting us to build our practice. He is going to assist us with different security products, then guide us around the vendor space.
“That’s highly attractive to us because we don’t have an expensive salary on board initially while we’re building the practice, and we have some runs on the board with some security tests and pen tests to use for our customers.
“That’s a toe-in-the-water approach, but we’ve got someone we couldn’t afford to put on staff who’s got a great track record,” Huon says.
Compromised
Launching a dedicated security practice is far from easy. Take it from the experts.
“For one, security is hard,” says Ben Robson, director of operations for Melbourne-based security firm IPSec. “Second, it’s expensive; and third, retaining your staff is really hard, because they are always on the look-out for the next thing.”
Robson is a seasoned player in the infosec industry and at the time of writing was in the process of opening a 24/7 security operations centre. He says channel players who want to spin up their own infosec wings must consider the risks of running security services that are unmanned outside normal business hours.
“That is a compromised service,” Robson says – adding that there is a legitimate need for cheaper daylight-hours security monitoring.
“Are your customers going to be happy with you being available Monday to Friday, nine to five, and doing the best you can outside those hours?”
It is a salient point for Australian businesses, since a large proportion of black hats are wide awake while local security professionals are asleep. Sophisticated Russian attackers could hit at 3am, while student-age script kiddies and Anonymous hackers often launch web attacks on weekends.
Joseph Mesiti, sales chief of established North Sydney security player Enosys, urges caution. The security pool is deeper than its shiny, inviting surface suggests.
“Be careful what you take on,” Mesiti says. “Security is very different to other types of managed services. To do it well requires analysts to think outside the box and be proactive rather than reactive.”
Tempting talent
- If you have lemons, don’t make lemonade. Get rid of security staff, regardless of talent, if they hinder the team or business
- Appeal to talented young people with a focus on money and benefits to reduce staff turnover
- Rebalance compensation so it aligns with what’s on offer outside your business to help avoid losing staff
- Make the job interesting and diverse
- Encourage independent research and training, and budget for security conferences
- Allow personal security interests to flourish and become part of an evolving job role where possible
- Set up mentoring programs for new recruits to improve job satisfaction