Identify search plan
Authors: Sidelnik Ellina, Shevchenko Yulia
Journal: Теория и практика современной науки @modern-j
Section: International Economic Relations
Article in issue: 10 (16), 2016.
Free access
This article discusses the definition of the search plan known as outsourcing. Outsourcing makes it possible for smaller enterprises to enjoy many of the same capabilities as larger ones, but at a more predictable and generally lower cost than building the capability internally. The outsourcing agreement must describe how the security of data will be monitored and audited, including how potential indicators of breach or noncompliance will be communicated to the management. A successful workforce plan, as defined by greatest positive impact to enterprise cybersecurity, is a function of where and how these essential roles are placed.
Search, outsourcing, cyber security, enterprise control
Short URL: https://sciup.org/140267391
IDR: 140267391
Text of the scientific article Identify search plan
Once the workforce requirements are understood, the enterprise must have a plan for how to source these roles. This process includes both outsourcing, in which external parties are the providers, and insourcing, in which necessary goods and services are deliberately purchased or hired within the organization. In deploying the cybersecurity workforce, each enterprise must determine which roles are better filled by their own existing employees or hired on, and which will be provided by external parties (such as security service providers).
Outsourcing is a common business practice across a broad range of functions. In many cases, outsourcing IT provides benefits which include lower costs, additional expertise, operational efficiencies and lower burden on management.
For all of its advantages, however, outsourcing does not relieve an organization of its responsibility to secure data and protect systems, especially where regulatory compliance is a factor [1]. Although an IT provider may have the ability to deliver an IT infrastructure of sufficient size and availability, this does not mean that the provider has the capability to fully understand the company’s unique needs and requirements, including critical information assets and regulatory requirements. By delineating the knowledge, skills, and abilities associated with key IT security functions, enterprises can clearly articulate workforce requirements for outsourced IT, before contracts are signed and‒more importantly‒before problems arise.
For many large enterprises and federal government agencies, the primary drivers for sourcing are expertise and organizational flexibility. Outsourcing makes it possible for smaller enterprises to enjoy many of the same capabilities as larger ones, but with more predictable‒and generally lower‒cost than building the capability internally [2].
Sourcing strategy
Sourcing strategy, particularly for the workforce, is not a one-dimensional exercise. To make any outsourcing decision, an enterprise must first have a reliable inventory of the types of data it collects, a value assessment of that information, and knowledge of where it is stored. This can be surprisingly difficult, especially if IT management has been done on an ad-hoc basis, or as an ancillary duty within the business. Without this understanding of the type, business value, and location of the information an organization possesses, it is impossible to establish outsourcing requirements. Although outside consultants may be able to assist in this inventory process (itself an outsourcing activity), maintaining the inventory and ensuring it is used to inform IT outsourcing decisions should in most cases remain the responsibility of a trusted employee [3].
Certain types of data containing payment card information, health information, or other types of very sensitive information are subject to additional regulation. Ultimately, compliance will be the organization’s responsibility, so it is imperative that information storage and processing requirements are clearly articulated, and that the outsourced provider’s employees have the necessary KSAs to ensure compliance [4].
What to look for
In order for IT outsourcing to be successful, both parties must agree in writing to the types of data which will be handled and how the data will be secured. It is also critical that the limits of the provider’s liability be clearly defined. For example, the contract and supporting documentation could include a detailed agreement articulating the “roles and controls” necessary, as well as an accounting of what role or Critical Control is to be implemented by each party. The outsourcing agreement must describe how the security of data will be monitored and audited, including how potential indicators of breach or noncompliance will be communicated to the management. This mechanism for communication should also be tailored to fit into the crisis management and business continuity plans, as gaps between these two processes can lead to damaging incidents, such as the breach which compromised the payment card systems of Target in late 2013. This also indicates another requirement for outsourced IT, namely that the people who serve as the interface between the enterprise and the outsourced IT provider must have the requisite KSAs to understand the severity of a breach, the implications to the business, and any legal disclosure requirements [5].
Managing the outsourcing relationship
As alluded to in the previous sections, management of an IT outsourcing project includes specific tasks, which may be spread across multiple individuals. These include maintaining an awareness of regulatory and legal compliance issues, understanding the changing business needs of the enterprise, sustaining effective liaison with the provider, and managing a smooth transition to and from outsourced IT systems.
As business needs change, someone must also have the ability to understand those changes and adjust the outsourcing agreement to ensure the enterprise is neither spending too much nor too little for the services being outsourced. This requires a deep understanding of the core business, as well as a current understanding of the offerings of various providers [6].
As the business grows and changes, multiple migrations to and from various outsourced IT systems may become necessary. These employees must make certain that primary business functions are not negatively impacted by the transition, that old systems are decommissioned fully, and that duplicate data is destroyed once it is no longer needed. A failure to perform this function adequately increases the attack surface of an organization significantly. For example, failing to decommission an old version of a front-end web application server might create an alternate, less secure path for intrusion into a back-end database with critical business information [7].
Deploying scarce resources for maximum impact
While it is imperative to define workforce requirements and determine the appropriate sourcing strategy for essential functions, the deployment of these roles within the enterprise is also critical. A successful workforce plan‒as defined by greatest positive impact to enterprise cybersecurity‒is a function of where and how these essential roles are placed. In turn, this means the proper organizational placement of specific roles, and the enabling of these roles with proper reporting chains, responsibilities, and authorities [8].
List of references: Identify search plan
- IT Outsourcing [Electronic resource]: http://www.outsourcing24.ru (Accessed: 15.09.2016)
- Economic News [Electronic resource]: http://www.yurhelp.ru/news2799.html (Accessed: 18.09.2016)
- Official Terminology [Electronic resource]: http://official.academic.ru (Accessed: 20.09.2016)
- Electrotechnical Dictionary [Electronic resource]: http://www.consultant-e.ru (Accessed: 21.09.2016)
- Cambridge Dictionaries Online [Electronic resource]: http://dictionary.cambridge.org (Accessed: 23.09.2016)
- Legal Course [Electronic resource]: http://jurgroup.com (Accessed: 28.09.2016)
- Guard [Electronic resource]: http://itgrd.ru/ (Accessed: 28.09.2016)
- Journal of the company "Код Безопасности" [Electronic resource]: http://sc-live.blogspot.ru (Accessed: 01.10.2016)