Don't look for plug-and-play employees, or discount all outsourcing
Whether I would be allowed to enroll in a programmer/analyst curriculum at a specialized computer training school in the 1970s was determined by aptitude tests. Once in the program, I could see that degrees, even advanced degrees, in what's now called STEM, were not reliable indicators of the analytic and logical skills required in this field. This is even more true today.
Is it farfetched to say that the primary reasons companies limit their IT candidate searches to applicants with CS degrees or other certifications are to make it easier on HR departments, and to provide cover for hiring the wrong people? Remember the adage: "No one was ever fired for buying IBM". Was IBM always the best choice? No, but it was the safe one, for those who signed off on it.
That there is a talent gap might well be because companies have forgotten where and how to look for it, nurture and protect it.
Regarding "in house": First recognize the distinction between outsourcing and offshoring - the latter implies the former, but not the other way round. In both cases, companies must use good and informed judgement as to which tasks are suitable for either, and about who they are taking on as partners - because all IT relationships are intimate.
The concerns particular to offshoring center on jurisdictional control. Look no further than the recent Kaspersky Lab restrictions (justified or not), for an example. Of course, there are compliance requirements; but go beyond the letter of the law, and consider the rationale for them. In most cases, the law comes too late to prevent the damage that led to the need for the law. [Leave the debate on if a particular law makes matters worse, for another discussion]
The basis for a decision on in-house, outsource, offshore should be data access driven; and that holds true for inside in-house, too. When thinking through that one, remember that all public-cloud is outsource, and may be offshore. That goes for all the public-cloud components for your company, your employees and your partners.
When it comes to outsourcing, the right choice is going to take some careful consideration.
User Rank: Ninja
1/17/2018 | 2:38:44 PM
Too often security is "applied" to the surface, like patching a leaking life raft. Without the means to perceive the components of the business, as a system, you can't come to grips with the circumstances that put you in that life raft in the first place.
That lack of awareness isn't just a problem for the CISO or security departments, or IT, but for all the knowledge workers, from the C-level on down. It's not that knowledge of how the components actually work in an enterprise isn't there; but that the interdependencies haven't been formalized and documented, in a way that would properly inform. The only methodology I know of toward achieving that is fact-based, conceptual modeling.