Outsourcing cybersecurity: What services to outsource, what to keep in-house
The growing need for outsourced cybersecurity
The growing number and sophistication of threats that organizations face daily puts a bigger demand on cybersecurity. With roaming users accessing the network and data from everywhere, the challenges of protecting assets are even greater and require an increasing number of resources. To help solve some of these challenges, organizations are turning to managed security services providers (MSSPs) and other vendors for outsourcing a variety of security functions.
Various forecasts show the market for managed security services growing at double-digit rates. One report from Allied Market Research estimates the market to reach nearly $41 billion by 2022, based on a 16.6% compound annual growth rate between 2016 and 2022.
The evolving threat landscape is only one driver behind these trends. The shortage of security talent — estimated currently at more than 4 million by (ISC)2 — is also making it more challenging to both recruit and retain talent. Outsourcing allows an organization to shift the burden of providing security analysts and other workers to the managed services providers, while using the in-house staff for more strategic work.
Trends in outsourcing
A 2019 Deloitte survey of 500 C-level executives found that 99% of organizations outsourced some portion of cybersecurity operations. The most common percentage of outsourced services was 21-30% (identified by 44% of the execs). The survey also identified that the top four outsourced categories were security operations, vulnerability management, physical security and awareness and training.
Cisco also found that outsourcing has increased significantly in 2019, compared to the previous year. Based on a survey of 2,800 IT decision makers, the company’s 2020 CISO Benchmark Study found that cost-efficiency is the top reason for outsourcing (identified by 55% of respondents), followed closely by the need for more timely response to incidents (53%).
Cybersecurity services you should consider outsourcing
Based on some of these trends and views from cybersecurity practitioners, these are some of the top services you should consider:
Threat actors don’t keep office hours — you need to monitor your environment 24/7. One best practice is to unify your security team, technology and processes under the umbrella of a security operations center (SOC). Running a SOC around the clock, however, is not feasible for many businesses, especially smaller ones.
Outsourcing either some of the security operations, such as network monitoring, or the entire SOC to a vendor that provides managed security services could provide cost efficiencies. Another advantage of using managed security services provider (MSSP) or managed detection and response (MDR) vendors is that you can leverage their expertise, as well as not having to worry about employing a large cadre of security analysts and other specialists.
As we saw with cyberattacks like WannaCry, legacy and unpatched systems pose a major risk because bad actors are constantly finding ways to exploit vulnerabilities in software and hardware. But managing vulnerabilities is a constant battle for many organizations.
In a survey of nearly 3,000 IT security professionals, Ponemon Institute found that despite putting more resources toward vulnerability management, organizations are still not able to minimize the risks of an attack. Only half of the respondents said they could quickly detect vulnerabilities and respond to attacks, and only 44% said they could patch quickly.
One of the realities of cybersecurity is that even with a full contingent of security personnel, you’re not going to be able to patch everything. Outsourcing functions like vulnerability assessments (which may also include penetration testing) can help you prioritize your risks so you can address the most critical vulnerabilities first.
Employee education and training
Cybersecurity education and training involves several layers. You need to train both your end users and your security personnel. There are benefits to outsourcing each of these programs.
Security staff training
The threat landscape is evolving so quickly that you always need to stay on top of the latest threats and best practices. Vendors whose core function is training are constantly updating their knowledge and training, which would be a lot more difficult to do in-house.
End user training
Your security awareness and training program for employees and other end users needs to be ongoing, starting with new employee onboarding. Don’t rely solely on self-learning tools like training modules; also conducting regular simulated phishing exercises. Many education providers offer both these services.
Cybersecurity functions to keep in-house
Should you outsource your incident response? There’s a debate among security practitioners and both sides of the discussion have merits. The other aspects that may be best retained in-house are security strategy and security architecture.
Creating a security strategy requires an in-depth knowledge of your particular business, and consideration of factors ranging from the industry and company size to your business model and practices. It’s one of those areas where you’d want to be hands-on rather than completely turning over to a third party.
If you can’t have a full-time, in-house chief information security officer (CISO), hiring a consultant may be a better option than outsourcing the entire strategic function. Many security companies and professionals also offer virtual CISO (often called vCISO) services, which helps you build a consistent relationship with an expert who gets to know your business and needs.
Building your security architecture is another core function that involves critical decisions and has overarching impacts on your organization’s cybersecurity. Similarly to the security strategy, it’s best to hire a consultant rather than outsourcing entirely, so you maintain complete control over the decisions.
Conclusion: Considering the pros and cons
Before you decide whether to outsource your cybersecurity — or which aspects — consider the implications of trusting an outside party with your critical data and assets. Handing over the proverbial keys to the kingdom has its own risks, and you need to ensure you’re mitigating those risks.
Choosing a trustworthy provider takes a lot of homework. Before proceeding, organizations need to have a strategy, understand the risks, ask lots of questions and set the right expectations.
- Managed Security Services Market Outlook: 2022, Allied Market Research
- (ISC)² Finds the Cybersecurity Workforce Needs to Grow 145% to Close Skills Gap and Better Defend Organizations Worldwide”, (ISC)²
- The Future of Cyber Survey 2019, Deloitte
- Security What’s Now and What’s Next: 20 Cybersecurity Considerations for 2020, Cisco
- The Top 5 Security Functions to Outsource, Forbes
- Best and Worst Security Functions to Outsource, Dark Reading
- Costs and Consequences of Gaps in Vulnerability Response (2019), Ponemon/ServiceNow