August 5th, 2021
IT Staff Augmentation
I was recently asked by a client how to keep his IT team's workload at an acceptable level as their institution is ramping up for additional growth. I’ve experienced a similar quandary when just needing additional staff for continued growth of defensive capabilities. It's an excellent question, and one I'd struggled with in the past, but after several attempts I finally got to a point where I felt I had a pretty good formula.
Let's start with a scenario that may describe a small to medium IT team. The average help desk answers phone calls and/or emails, opens and assigns tickets, attempts tier 1 support over the phone, etc. If you have the right person(s) on your help desk they may knock out a pretty significant portion of your break/fix issues: resetting passwords, unlocking accounts, rebooting PCs, documenting what they've done, and so on. This frees up your other IT employee(s) to spend more time on projects and tier 2/3 support issues. But what happens if you add two or three (or more) branches in a year? And what if those branches are obtained via mergers, where there may be disparate core banking and other systems? Suddenly the help desk is going to be flooded with calls and emails, tier 1 support is going to get pushed off to other IT staff, projects are going to get put on hold, and for a few weeks (or longer) they will do nothing but support those new branches.
As we all know, that simply isn't going to work at most financial institutions. There's always some initiative in motion, be it something from a business unit or a project that IT initiated in an effort to provide better efficiency, security, or both. With that in mind, here are some considerations.
Keep the lights on vs. new initiatives
One way to consider this question is to sit down and figure out how many hours are spent doing the things your team is already doing. That sounds fairly simple, but are you really considering every aspect that goes into "keeping the lights on?" Think of the scenario we just ran through and account for all of the things that each person on your IT staff does. Maybe you don't have a good handle on this, so you need your staff to provide you some data. Depending on how you phrase this, nothing will agitate your IT staff more than saying, "I need you to start keeping track of your hours." Gaskets will blow, tears will be shed, epithets about your ancestry may be hurled. But somehow you need to get a measure of the amount of time they already spend on daily tasks so you can estimate how much of that will go by the wayside. Also take into account that you started with “x” number of branches, and now you've just added three more, so that will lead to additional workload even if everything is running smoothly.
One additional note here: while it may seem obvious, don’t let the pressure of executing these new initiatives get between you and the things that need to be done, like patching, managing spam and content filtering, monitoring of antivirus, etc.
FTE vs. Outsource
Do you look for another full-time employee (FTE), or do you outsource? There are several considerations:
- Cost - For execs this might be the number one consideration. They want more for less, but you get what you pay for. And this is not going to be a temporary augmentation, with the additional workload that the new branches will likely produce. Consider which position(s) you need to shore up, then determine the potential cost of an FTE, including health/dental/vision/life insurance, 401K, and any other perks you may provide as part of your compensation, and then compare that to what it would cost you to outsource.
- Talent pool - Depending on your region, finding the level of expertise you require may not be feasible, which will leave you no choice but to outsource.
- Area of coverage - Another consideration: will these new branches be close enough to your current IT operations center for someone to feasibly drive to them on short notice? Let's say, for example, a check printer fails, or someone gets malware on their PC. Those need to be attended to quickly, and if it takes someone from operations five hours to drive there it's probably a better fit to hire staff in the area of those new branches and have them work out of one of them. Or outsource, provided they have someone close.
Leverage the CAT
One tool at your disposal, and hopefully already completed annually, is the Cybersecurity Assessment Tool (CAT) or the Automated Cybersecurity Examination Tool (ACET) for credit unions. Uh, how’s that going to help? Consider this: you’ve already reached Baseline in all of the domains and now you want to improve to Evolving. In four of the domains you’ve achieved your goal, but then there’s this:
To fully realize your goal is going to take some additional tools, which cost money. Unfortunately, the addition of these tools is going to require someone to spend more time looking at them than you have available hours. An option here is to pay for a service that includes the technology required as well as personnel to manage it, and there are several reputable solutions out there providing managed security services.
Making it happen
Once you have all of your ducks in a row you might be tempted to run it up the chain. However, a good idea would be to talk to someone who’s already familiar with what it takes to get budget approved for staff, and have them look at what you’ve done. It also helps to have an ally, whether it’s someone from Risk Management, Compliance, or your CIO/CISO, who understands the benefit of what you’re trying to accomplish. Once you have that in place it’s time to pitch your proposal. If they accept, great! If not, ask what is missing, add whatever that is, then try again. They can’t tell you no forever. Happy Hiring!
Authored By: Rich Whyrick, ITIL, Security