I have worked with cybersecurity for the last 18 years and have had the opportunity to see it grow from simple firewalls and anti-virus to the complex mechanism it is today. Managing cybersecurity fully is one of the most challenging tasks today. With a growing number of specialists, the need for security grows every day and with the cost of cybercrime rising to €400B annually, security has become one of the key factors to staying alive in the business. With the emergence of DDOS attacks using IoT devices, we are back to the mob placing a henchman in front of your business: pay up or your customers won’t be able to enter your store.
As most of you know, security professionals are in a short supply globally, even if there is a lot of training going on. Furthermore, the budget is limited and you need to make sure you get competence that covers as much as possible making the selection of employees narrow even further. Still, even if you find the perfect match and get to keep them, there are areas where you need to hire consultants making the cost rather high.
Is it possible to outsource your security?
That answers the first question I have: ‘Is it possible to outsource your security?’ Most possibly you are doing it already to some extent. I have seen different companies hire different roles, everything from CISO to computer forensic specialists. All roles are possible to outsource.
Following this: Is it then possible to outsource a whole security department? Yes, I know that for a fact as I´m leading two such engagements right now. The rational to do this from my clients´ side is the following:
We need someone who understands the complexity of security in conjunction with our business, someone that can steer and deliver all aspects of security without having different security solutions conflicting. We also want to include all licenses and make sure that everything from compliance to technical security is matched in a cost efficient way.
Is It Advisable?
So the real question comes down to: Is it advisable? Isn´t it better to outsource the technical parts and keep the information security in-house?
Let’s look at what´s outsourced today: In different engagements, we act as CSO, CISO, technical experts, deliver services, conduct investigations, provide SOC services etc. All in all, almost everything is outsourced in different ways today. Everything but one: responsibility. The responsibility for security could never, and should never be outsourced.
When we look deeper into the question if it’s advisable to outsource we have to look at the most important part of security: responsibility. Any company or organization has a responsibility to protect its assets and they make sure that it could fulfill its mission. If it's not possible to recruit staff that could manage the security, then it must find the competence in other ways. It still doesn't answer the question is it advisable, but the responsibility to protect themselves is only possible by outsourcing it and then procuring the security service will be the best way to make sure that the assets are protected.
Security today requires a broad skillset and needs to be updated at a very fast pace generating quite substantial costs. This means that from an employer’s perspective it will be costly to keep the staff´s competence updated. As events are fast paced, to discuss in general with colleagues is also imperative. This means that having your own staff with only access to the internal incidents will lead to skills deteriorating for the security staff. From that point of view, it would be advisable to hire the competence instead, as they will most probably be better updated with faster access to new information.
To answer the main question, it would both be possible and advisable, to outsource security to third-party, as long as you understand that the responsibility still stays within the organization no matter what.