Page 251 - Cyber Defense eMagazine Annual RSA Edition for 2024

heavily in cross-training security talent, even if you don’t bring those people into your team directly. Rather
            than hiring ten new application security analysts, it would be really intelligent to cross-train anyone in the
            development organization who is interested in security and give them opportunities to be an extension of
            your team.




            Outsource sensibly

            To avoid the outsourcing disaster that started this whole mess, be careful when you’re outsourcing your
            security. There are some things that are fairly easy to outsource – such as detection and response work.
            You can’t outsource your entire SOC, but you sure can (and should) be outsourcing key components that
            providers can scale, staff, and equip better than you can.

            With that in mind, a load-sharing model is a brilliant approach if you can manage it well. Even if your
            company has an in-house SOC, off-loading key functions to a third-party SOC provider is a great way to
            keep your team focused on high-value activities like investigating and remediating threats rather than
            chasing alerts in the SIEM. I call this “right-sourcing” because in-house staff focus on mission-critical
            functions such as helping the company design and build security products, partnering with the business
            on projects, or keeping careful watch of your third-party risk program. Meanwhile, an outsourced SOC
            performs detection and response at scale with all of the functions and necessary data you can’t afford to
            buy for yourself. Right-sourcing is the modern answer to running a hybrid security team that is part
            cross-trained staff on other IT teams, part in-house expertise, and part outsourced scalable talent.



            Modernize your technology stack

            It’s a dirty little secret in our industry that one of the things holding us back from having efficient security
            teams is the closet full of ancient security tools in use that take so much time and effort because none of
            them work well together. Modernize your technology stack, throw out things that don’t interoperate well,
            and develop integrations so you can automate and do more advanced functions with fewer humans who
            are laser-focused on high-value activities. I should add here that you should probably think about
            “as-a-Service” as much as possible. Buying technology you install in-house and manage and maintain on your
            own is yesterday. Security technologies need to keep up with the modern paradigms and as-a-Service is
            one modern way to give your company scale and added support without hiring more people.



            Conclusion

            While there is a talent problem today, it’s both our own doing, and not exactly what you’re being led to
            believe. Even if five million new security professionals showed up tomorrow ready for work, we’d still
            have a “talent gap” because we’re thinking about security in 2024 with ideas from the 1990s. This problem
            isn’t going to solve itself, nor will any number of expensive boot camps churn out the talent we need. This
            issue is going to take a decade or more to resolve – and that’s if we start the new strategy now.






