The "Build or Buy" Dilemma When Hiring

Image: The Building of the Pyramids

Pythia Cyber focuses on behavior as well as classic cybersecurity because a great program staffed by mediocre people is not what you want, and a great team following mediocre procedures is not what you want either. You need both sides of the equation: the right people in the right jobs doing the right things.

Cybersecurity is a branch of risk management, not a branch of computer science. The goal is not technological excellence at any cost; the goal is the most effective security you can afford and can actually provide. Risk management is as much about prediction as it is about execution. Again, you need them both: doing a great job stopping the wrong threats is no better than doing a terrible job stopping the right threats.

Human behavior can be very hard to predict unless and until you have a great deal of experience with how that particular person behaves in that particular environment. That person's previous experience in a different environment is a possible proxy for their future experience in your environment, but only a proxy. Ditto for certifications given by other organizations for similar-but-different bodies of knowledge.

When you consider a new hire, you are predicting their future success in a new role. Hiring is risky. Hiring is difficult. What else is there to help you hire someone new, other than previous work experience and certifications? There is talent. Talent is a good predictor of future performance. A talent assessment is not a perfect predictor of future performance, and it is not a substitute for determining minimal competence. It does not replace your hiring process. But it does significantly strengthen your hiring process when incorporated at the right point and used correctly.

Hiring cybersecurity candidates can be especially risky because the field is not mature enough that you can simply hire people who have almost exactly the right experience. I know system reliability engineers who have moved freely and easily between AWS, Google Cloud, Facebook and Azure. Devops is well-defined. People tasked with hiring these engineers are comfortable assessing the candidate's prior experience and credentials. This is not the case with cybersecurity engineers. Every organization seems to implement cybersecurity differently. There are not enough experienced cybersecurity personnel to go around and training programs and degree programs have not yet settled into any kind of standard. It is not clear that this will happen anytime soon, as the threat environments change so quickly.

The immaturity of the field means that when hiring cybersecurity candidates you face the additional problem of trying to guess which cybersecurity-adjacent work experience is worth paying for. By "worth paying for" I mean "will accurately predict this candidate's future performance." Do you want someone with a solid Devops career who is looking for a change? Do you want a burnt-out developer who doesn't want to crank out code but knows an awful lot about how networks should be configured? Do you want an operations star who is looking for a better career? How about a smart, mature, detail-oriented person who is fed up with being a high school teacher? Is that former teacher worth training?

In the technology sector, the Build or Buy dilemma is the choice between building a subsystem that you need or buying the technology ready-made from someone else. The pros and cons are pretty well understood: if you build it, you control the cost and the implementation, and the trade-offs are all ones that you made for yourself. If you buy it, you know the cost upfront, you have a firm implementation on which to stand, and while you have to live with someone else's trade-offs, you hope that the vendor had expertise and knowledge that you lack.

In the cybersecurity sector, the Build or Buy dilemma is the choice between training a talented-but-inexperienced candidate or hiring a trained-but-not-by-you candidate. If you pay for experience, are you paying for relevant experience? If you pay for training, are you wasting your money on someone without the required talent?

Train A Newbie or Bet On Experience is not an easy decision. There are good reasons to go in either direction. Here are some good reasons to Bet On Experience:

  • You need someone to be effective immediately.
  • You don't have any kind of training/upskilling program.
  • You are confident that the previous experience is highly relevant.

Here are some good reasons to Train a newbie:

  • The newbie is far more talented than the other candidates.
  • You have a solid training/upskilling program.
  • You have found that prior experience rarely predicts success in your environment.

Build or Buy is a bit of a misnomer: it is almost certain that any candidate will require some kind of support, so simply hiring an experienced candidate and assuming that there will be no training or support needed is unrealistic. But the basic concept holds: you can hire someone to grow into the job or you can hire someone to hit the ground running. We like to say that you can hire whoever you like, but with our support you have a better idea of what you are getting for your money.

What Pythia Cyber aims to do is help our clients go into these choices with their eyes open. Train the talented-but-inexperienced. Pay a premium for the talented-and-experienced. But know which is which.
