Thursday, September 11, 2008

Of Pundits and Bandits; Justifying Consulting

I got a request from a friend recently who is working on her Master in Information Services. As part of one of their projects, she needs to analyze the pros and cons of outsourcing, insourcing, and of course, consulting. In trying to get at exactly what she was looking for, the core question seemed to be: are the fees that consultants charge worth it?

I hesitated. Not because I doubt for a second that the good ones are, but because of the complexity of the question. However, speaking specifically for the type of work I do, the argument goes something like this.

While security work is commonly considered highly specialized, there are a number of activities that can be done by someone internally: vulnerability scanning, running MBSA against a host, and so on.

However, you still need someone who can interpret the results, prioritize them, level-set them against business risks and goals, fit solutions into operations, and overall, be a trusted advisor in the process of keeping up your security posture.

Add to this the relationships in the modern enterprise between compliance requirements, security best practices, PII, governance, and IT efficiency, and well, things get complex.

We're still in scope for an in-house resource, but we're probably talking about someone who has a full-time job related to these tasks. If they're going to be in-house, you may have a training program in place. If you do, a starting salary around 65-70K a year in metro areas is reasonable. If you don't, you're looking at 100K-150K for an experienced person, or a bit less if you have significant work/life benefits. Figure the average employee costs the company 150% to 200% of salary including health, stock, insurance, etc.

Unfortunately, you might not have 40 hours of work queued up if you're a smaller organization. So, you're paying a lot for some part-time work. Even at $150 to $250 an hour, it may be more cost effective to hire a contractor for point engagements.

But what if you are a larger company? You do have in-house training. You have way more than 40 hours a week of work. Occasionally you may want to double check. Especially in security, occasional validation that you're as good as you think you are isn't just prudent, it's necessary. In these cases, bringing a group in for point engagements is still a good idea.

In the end it's the trade-off between paying to keep an expert on staff versus renting an expert's time when you need it. Also keep in mind that security experts have a large body of knowledge that needs to be refreshed continuously. If you have someone work on the same problems continuously, their skills may need refreshing.
