Cloud and security go hand in hand. Both have become an inseparable part of business discussions today, and the synergies and overlap between the two IT practices continue to rise. With cloud having an increasing role in corporate infrastructure, it also brings a host of new concerns for the provider community. From increased vulnerabilities and client anxieties to a growing number of unsupported devices on the network, someone needs to make it work.
As those who attended this week's joint meeting of the Cloud and IT Security Communities at ChannelCon in Austin, TX learned, channel firms are increasingly responsible for managing those concerns. The session touched on several high-interest problems both groups experience and the CompTIA team leveraged their collective expertise to brainstorm ideas for updating the association's cloud standard.
As one would expect, security was a central theme. Network and data protection typically presents the greatest challenge for community members' customers ‒especially those undergoing digital transformations ‒ and many of the latest regulatory compliance requirements leave no room for error. IT security expertise has also become a top "value-add" and a real differentiator for the managed and cloud services provider communities.
Demand Growing for Good Talent
How much should you pay for quality security expertise? Quite a bit more than standard technical experience, according to Eric Pinto, Director of Business Development & Client Services for VAR Staffing and Executive Council Member of the IT Security Community. "Increasing demand is pushing people into specialized sectors, so your company has to be willing and able to pay the price to get certified talent." You can't cut corners.
For example, IT services firms that are looking to hire a quality IT security professional in New York City typically compete with heavy hitters for that talent, including financial institutions, deep-pocket corporations, and government agencies. Where demand is hot for those skills and supply is low, those costs are substantially higher. In New York, for example, the average salary of a certified IT security professional is $119,000 per year.
Investments in this area are never cheap. Nor should they be when trying to bring in the right person with the proper level of expertise. With a national average salary of $93,000 (which equates to more than $44.00 per hour), channel firms need to proceed with some caution in this area and carefully execute on their IT security recruiting strategy. It's easy to get into a bidding war with multiple suitors, which usually leads to over paying for someone they hadn't had time to properly investigate and screen ‒ a risky and potentially costly venture properly.
Pinto points out that MSPs and MSSPs need to know what we're looking for before building a job description or talking to prospective employees. "What are your clients' specific security needs? Create a baseline of technical needs and requirements, then focus on finding individuals with those skills."
Can you groom existing personnel and help them acquire the needed certifications? HR specialists suggest that's the best approach, but there are downsides. Providers often end up investing their limited training dollars in team members with little or no commitment to the company, who then use their newly acquired skills to earn more money elsewhere. Watch out for resume builders who seek certifications just to improve their marketability.
On the flip side, all employees enjoy incentives. Have you budgeted bonus cash for those who complete the needed certification and training programs? Money is still a major motivator, but younger team members may prefer extra vacation days or a more flexible work schedule as a reward. Employers need to be incredibly creative today if they wish to motivate their employees.
Smaller IT services firms are typically reluctant to promote from within when building out a security practice. Backfilling key positions can be difficult, suggests Pinto. "Can you afford to lose an employee from their current position?" Of course, when the best-qualified individuals are passed over based on their value in current roles, they may feel limited and end up leaving anyway. Good companies nurture ambition and reward success.
When it comes to IT security, there are no simple answers when it comes to hiring. The first objective should always involve building a long-term IT security strategy, followed by a complete skills gap assessment to identify areas of need. With the right lead time and goals, the recruiting and training process should be a lot easier.