Posted by Brian Mizelle on March 3, 2016
If your firm has attempted to hire internal security experts lately, you know they’re few and far between…
Companies often look for a skill range including malware, threat mitigation, cryptography, and forensics, to industry-specific knowledge, cloud and mobile security, advanced analytics, and network virtualization. That’s a lot to ask of any single expert. Add to that list the soft skills needed to do the job (communication, management, reporting, etc.) and you might as well be searching for the Loch Ness Monster.
The shortage of these positions has caused their salaries to skyrocket. So, even if you do find this elusive Nessie, it’ll cost you. Adding up the salary, cost of benefits and overhead, and training to make sure your new security expert is up-to-speed is quite an investment for a very specific skill set.
There is still the risk that this rare creature will be lured away by a job with even better pay and benefits, leaving you high and dry. On average, it takes 50 days to find a qualified replacement (Brookings, 2014) and research suggests that direct replacement costs can reach as high as 50%-60% of an employee’s annual salary, with associated turnover costs ranging from 90% to 200% of their annual salary (SHRM Foundation, 2008).
Depending on a small internal team of highly skilled security gurus often leads to all of your institutional application security knowledge leaving your company when they do. On the other hand, if your internal strategic team works with an outsourced managed services partner, that knowledge is already institutional within your vendor and it isn’t lost.
While it’s wise to keep a small team of application security experts in-house, one of the biggest advantages of outsourcing is the additional bandwidth it provides to do more testing. More testing means increased portfolio coverage, and if done with an experienced vendor allows you to more effectively utilize your budget.
If you take advantage of an outsourced application security testing vendor, you’re not only getting the increased bandwidth, but you’re also getting more breadth and depth in the testing services and skills they bring to your organization.
Breadth of service allows you to quickly evolve from traditional automated dynamic application security testing (DAST), to business logic-based penetration testing, to static application security testing (SAST), and to then increasing your platform coverage (including mobile).
Depth allows you to better tailor your testing based on your applications risk profile, providing you with more granularity to manage your budget. A managed services team can take care of the tactical testing elements of your firm’s software security program while your in-house team ensures that strategy is properly executed with an added benefit of allowing them to work more closely with your development teams.
After all, data should drive policy and strategy decisions. Once outsourced testing gets going, the in-house team can continually examine the vulnerabilities found and evolve your program accordingly. Expanded application security testing allows your in-house team to effectively deal with vulnerability management by monitoring results and prioritization on your terms.
Freeing up your internal team also allows them to guide other internal stakeholders as part of your software security initiative—determining how your organization’s SSI should mature, reaching out to development teams to discuss good coding practices, coordinating software security training and policy.
Managed services has a much broader impact on an organization than just testing a series of apps.
When you bring in a managed services partner, you have access to a pool of experts. Some will have deep expertise in secure architecture, others in business logic testing or threat modeling, and some may be mobile gurus.
Rather than hire full-time specialists in each of these areas, you can simply draw on them as needed. A managed services team works when you need it, doesn’t require that you pay benefits, and comes with its own workspace and set of tools. These team members also have the experience and skills to make the most of these tools. Most importantly, the team can work on multiple tests and projects at once. In the end, you only pay for the people and tools you need when you need them.
When you work with a vendor, it’s not just about throwing tests at them. It’s about a partnership. That experience should guide your program. It’s a relationship that allows you to take advantage of their software and application security knowledge and experience.