Cybersecurity has been becoming a larger and larger concern for organizations. Nowadays, most organizations — regardless of size, industry, location, or profit vs. nonprofit status — find themselves directly or indirectly impacted by cybersecurity.
Even though the topic itself is increasing in importance, it remains a truism that many smaller organizations (and in fact, some mid-sized ones) don’t have specialized security expertise on staff.
That isn’t to say that there’s nobody working on security-relevant tasks in those organizations. They may have personnel that perform security tasks along with their other responsibilities, or they may have outsourced aspects of security to external service providers. However, even though aspects of cybersecurity are being accomplished in those organizations, they’re happening without a single, named, accountable individual overseeing the function.
This can be problematic as an organization grows. It can lead to uncomfortable discussions with clients, for example. It can result in potential audit findings, or put organizations out of compliance with regulatory mandates in some situations, or have numerous other undesired consequences.
For those organizations the question then becomes this: When is the right time to assign someone to security full time, or to shift responsibilities so that oversight falls on a single accountable individual?
Is it when the organization reaches a certain size threshold (e.g., when it gets to 100 workers)? Is it when the organization reaches a certain volume of revenue? The answer, it turns out, is more complicated than any hard and fast rule. That said, there are a few factors to consider that can directly inform the decision as to when is the right time to assign a resource full time.
Why Designate Someone?
To best understand when that time is, it’s helpful to assess the value provided by having an assigned staff member in the first place. It’s advantageous across several dimensions.
First, having a single individual responsible for cybersecurity establishes accountability. When responsibility is distributed among multiple individuals — or when responsibility is otherwise unclear — important security-relevant tasks can slip through the cracks. Designating someone, clearly and unambiguously, helps control this.
Second, it helps defuse conflicts of interest. Sometimes appropriate security due diligence means pushing back on otherwise-valuable activities. When an individual’s job includes both security and something else in equal measure, situations can arise when that person will need to choose one role over the other.
Consider, for example, a situation in which someone is responsible for both security and deploying business applications. What happens when, perhaps because of a software flaw or some other reason, fielding an application into production potentially puts the organization at risk?
In that case, the individual with those combined responsibilities would have to decide whether to release the application (because of the application deployment function) or to push back on the application (because of the security function.) Making the security function independent and focused would help prevent such situations from arising.
How Will You Know?
The point is that there’s clear value in assigning it specifically to someone. Still, as a practical matter, the size of the organization can make doing so a nonstarter, despite the benefits. For example, an organization with one employee obviously wouldn’t be able to allocate its sole employee to a full-time security role. If it did, it probably wouldn’t stay in business very long.
On the other hand, it would be ludicrous to imagine a large, multinational bank without someone assigned to security. But when is that transition appropriate? It’s not always clear-cut.
That said, there are situations that can make the decision easier — for example, when there is a regulatory, legal or contractual requirement to assign someone. HIPAA, for example, specifically requires that organizations designate a named security officer.
Likewise, the PCI DSS contains language about assignment of security duties. While in both cases the regulation doesn’t specifically state that these individuals do only security and nothing else, the fact that the regulation contains this language can help reduce ambiguity.
Beyond regulatory requirements, though, customer expectations can help drive the decision. If you’re an organization that services security-conscious clients, for example, having an accountable individual assigned to security can help address customer expectations, provide a central point of contact for customer security-related questions, and otherwise streamline the sales and service delivery process.
Ultimately, the decision as to when to hire specialized staff will vary, based on a number of organization-specific factors. That said, one useful measure to consider in evaluating this decision is as a function of two factors: staff time and organizational risk.
From a time-utilization standpoint, a useful time to consider allocation of specialized staff comes when organizations reach the point that employees are having to defer urgent or high-imperative security tasks because of other commitments or deadlines. Meaning, if you’re postponing something that is important to keeping your organization protected because of other things on staff members’ plates, this should be a warning sign that it might be time to shift responsibilities.
This, of course, implies that you know what security-relevant tasks exist in the first place. If you don’t, this is also a potential warning sign. You might consider a short-term exercise of assessing your organization’s security pain points — either by making time for existing staff to evaluate it, if they have the skills, or working with a trusted advisor to help you find out how many tasks are being overlooked, and the potential impact as a result.
Either way, bear in mind that hiring cybersecurity specialists can be more difficult than hiring for other technology-forward positions. It can be time consuming to find the right fit, and it sometimes can take six months or more to find the right blend of skills in the right areas.
This means that, ideally, you’ll begin the search process a few months ahead of when you actually need that resource. This is helpful to keep in mind so that you don’t get caught out when the time to fill that position becomes urgent.
Ed Moyle is general manager and chief content officer at Prelude Institute. He has been an ECT News Network columnist since 2007. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development. Ed is co-author of Cryptographic Libraries for Developers and a frequent contributor to the information security industry as author, public speaker and analyst.This post was originally published here