Sometimes customers need extra security expertise for a short time – either for a special project, or to cover a staffing shortage. Security solution providers may offer short-term IT security staff as a service to their customers. Security staff augmentation, as it’s called, can be a profitable extension of your business plan.
In this Patrolling the Channel podcast, SearchSecurityChannel.com spoke to Gordon Shevlin, executive vice president of vendor relations at Kansas City, Missouri-based Fishnet Security Inc. Fishnet has been offering security staff augmentation for a few years now, and they recently added an executive-level security staff augmentation offering. Shevlin shared details about his company’s security staff augmentations, and talked about the lessons Fishnet has learned from the experience.
A customer might need a security staff augmentation to fill a gap while recruiting a new CISO or to cover for extended training or vacation time. But are there other reasons that may not be so obvious?
Shevlin: Many things in the industry are changing so fast, a company may not have security expertise in a particular area yet. In many cases, the solution provider can provide expertise in certain areas where the customer just doesn’t have that expertise. A staff augmentation can fill in those gaps. We have people that understand those areas; a company will hire us to give them our expertise in those areas.
Tell us about your security staff augmentation engagements. How many do you usually have each year and how long do they last?
Shevlin: We have 60 to 80 engagements per year, and they’ll last two weeks to two years. Our staff person becomes part of the customer’s company.
Has a customer ever hired away one of your staff augmentation people? It seems to me that the more successful the engagement is, the more risk you have of losing a key member of your own team.
Shevlin: We do have contracts in place for that. Every once in a while a customer will ask to hire an individual and in some cases I have relented.
It seems like it would be difficult to manage an IT staff augmentation service, because you don’t know how many people you’re going to need at any time in the future. How do you handle the unpredictable ups and downs of the number of staff you will need to fulfill these engagements?
Shevlin: We have a large enough bench of people, so those folks that are not on a staff augmentation can be delivering professional services to our other customers. When a staff augmentation does come up, we can take an individual and put them in, and they can do multiple things. What we’re trying to effectively do is to minimize the amount of staff we have on the bench and cross train them.
What are the legal implications for a solution provider offering a security staff augmentation? For example, what if there is a serious data breach during the time that your staff augmentation person is in charge?
Shevlin: Usually that is covered under a contractual agreement put in place for such an event. We’re doing the best we possibly can for that customer. If something did take place, we’ll have security forensics from our company find out what’s going on, to shut it down as quickly as possible. For (solution providers) as a whole, there are contracts put in place that hold us accountable in some ways, but also we’re protected by the contracts themselves.
What is the sweet spot of security staff augmentation? That is, what is the easiest and most profitable engagement for you to take on?
Shevlin: I always like the longer ones where they’re in there for six months to a year. The benefit that comes from those is, we’re helping the customer, but we’re also gaining the information about that customer and about the vertical market the customer is in. We’re gaining so much information, and that is an advantage for us also.
Do you have any final words of advice for security solution providers who are considering getting into the staff augmentation business?
Shevlin: When you’re going into a customer under a staff augmentation, you learn everything about that customer. And you learn it from the inside, which gives you valuable knowledge about how to help that customer. That in itself is a huge benefit of staff augmentation.