Should Cybersecurity Be Outsourced?

Cybercrime is growing at an unprecedented rate, and unfortunately only a small number of companies can afford an internal security team along with the tools and expertise required to defend against it. When does it make sense for a company to hire internally, and when does it make sense to outsource cybersecurity? This article examines some of the myths surrounding outsourcing and the truth about hiring internally.

Myth: Outsourcing Cybersecurity Costs a Fortune.

Fact: The costs of outsourcing are typically determined by the number of computers and devices within the organization. For example, the outsourcing cost for an organization with a 250-user network would average $75K annually. Hiring an internal team of 4-5 experts, along with the necessary tools to manage the same 250-user network, would cost well over $250K, and that assumes the security experts can be found at all. According to Michael Brown, former CEO of Symantec, a leading security software vendor, “The demand for the [cybersecurity] workforce is expected to rise to 6 million [globally] by 2019, with a projected shortfall of 1.5 million.” Even if a business is able to successfully recruit a security specialist, the cost can be prohibitive. With outsourcing, the costs associated with obtaining and retaining security talent become the provider's sole responsibility.

Myth: Outsourcing Cybersecurity Replaces Our IT Team.

Fact: An MSSP (Managed Security Service Provider) works to complement a business’ IT Department, not replace it. Cybercriminals don’t typically keep 9-5 business hours; they look for vulnerabilities in business systems, typically after hours or during weekends and holidays. Most MSSPs offer “eyes on glass” monitoring for suspicious activity on the network 24 hours a day, 7 days a week, 365 days a year, allowing the IT Department to rest easy after working business hours.

Myth: Outsourcing Cybersecurity Puts Sensitive Data At Risk.

Fact: In a managed security deal, the organization shares information security risk and business risk with the MSSP. Such deals provide access to a range of security services and to skilled staff whose full-time job is security (bankinfosecurity.com). Richard Hollis of the ISACA government and regulatory advocacy subcommittee has said he would not hesitate to outsource the most sensitive of IT security functions with solid service level agreements in place that clearly detail legal liability responsibilities along with consequences. “The key is to implement effective quality control measures on the service provider’s deliverables,” he stated.

Outsourcing may not be the best solution for all businesses; however, careful consideration of the advantages of outsourcing some or all IT security activities could play a role in decreasing not only an organization's costs, but also its risks.

Copyright © 2018 Freedom Security Alliance. All rights reserved.