Description: Rob Picard
Somebody once gave me the advice that my first hire as a Security Lead shouldn't be an in-house penetration tester, because that's the one part of security you can reliably outsource.
I was biased against this, because I have been that in-house penetration tester before. As I reflected on those jobs, I realized that my role quickly shifted every time. Getting an external penetration test generally covered that need pretty well.
As a company grows, the need to bring certain functions in-house becomes apparent. If a startup is looking to an enterprise as a role model on how to structure their security team, they'll miss out on certain functions that are better suited to being outsourced at the earlier stages of a company.