Is it better to outsource security?

Is it better for a company to outsource its security needs rather than handling them in-house? There are good arguments on both sides of this issue. Some of the key questions to consider are:

Does the company have the expertise? Handling security in-house requires specialized knowledge and experience. Unless a company already has skilled security professionals on staff, it may be better to outsource to an established security firm.

What are the costs? Outsourcing security can avoid the need to hire, train and retain in-house staff. However, outsourcing does come with fees that need to be weighed against potential cost savings.

How sensitive is the data? For companies with highly sensitive data like financial information or trade secrets, retaining control in-house may be preferable. Outsourcing always entails some risks around data protection.

How customized do the security solutions need to be? In-house security may be better if a company requires specialized solutions tailored to its unique needs. Generic outsourced security may not meet specific requirements.

Benefits of Outsourcing Security

There are some key potential advantages to outsourcing a company’s security needs rather than trying to handle them in-house:

Cost Savings

Outsourcing security may reduce costs by avoiding the need to hire, train and retain expert in-house security staff. Costs are predictable, since they are set by the contract terms with the outsourced provider, and outsourcing converts what would be large fixed costs into more manageable variable costs.

Focus on Core Competencies

Handling security in-house requires time and focus from company management. Outsourcing allows a company to focus on its core business competencies rather than trying to oversee security itself.

Access to Experts

Outsourced security firms employ dedicated experts focused solely on security. An outsourced provider has extensive experience handling security for many clients in many industries. Their expertise is difficult for an in-house team to match.

Scalability

Security needs can fluctuate over time as a company grows or changes direction. In-house staff may not be able to scale up or down cost-effectively. Outsourced security can be scaled up or down as needed, and the outsourced provider handles staffing.

Accountability

When security is outsourced, the provider assumes responsibility for protecting the client’s assets and data. If standards are not met, the client can hold the provider accountable. Internally managed security lacks this clear accountability.

Risks of Outsourcing Security

While outsourcing security does have some clear benefits, there are also notable risks a company needs to consider:

Loss of Control

When security is handled by an external provider, the company loses control and oversight. Sensitive data is entrusted to others. Response times to emerging issues may be slower.

Hidden Costs

An outsourcing contract may have unseen costs like training fees, premiums on outside vendor services, or lack of flexibility to change requirements. Carefully vetting the agreement is essential.

Compromised Data

No security solution is impenetrable. But when a breach occurs, customers will still hold the company responsible, not the outsourced security provider. Reputation damage will affect the company, not the vendor.

Disgruntled Employees

If the outsourced provider underpays or mistreats its security staff, this increases the risk of malicious insiders compromising company data. Screening and oversight are still needed.

Lack of Customization

Outsourced security solutions tend to be “one size fits all.” This can result in a poor fit for a company’s specific needs and vulnerabilities. Customization options may be limited.

Factors to Consider

When deciding whether outsourcing security makes sense, some key factors for a company to consider include:

Data Sensitivity

If data protection is paramount, keeping security functions in-house may make more sense. For less sensitive data, outsourcing may be acceptable. Assess your data sensitivity levels.

Staff Capabilities

Does your company already employ security engineers and analysts? Leverage their expertise if so. Lacking robust in-house skills? Outsourcing may fill the gaps.

Cost Tradeoffs

Do a thorough accounting of in-house security costs versus outsourced solutions. Weigh the benefits versus the risks and hidden costs.

Security Strategy

Take time to define your company’s security strategy and objectives. Outsource functions that align with your strategy, and keep mission-critical ones in-house.

Evaluate Providers

Research options thoroughly. Vet provider experience, reputation, services, reliability and costs before outsourcing security tasks.

Start Small

Try outsourcing a small non-critical security function first. Gauge provider performance before assigning more responsibility.

Best Practices for Outsourcing Security

If outsourcing some or all security functions makes sense, be sure to follow these best practices:

– Do thorough due diligence on potential providers. Check backgrounds, reputations and client references.

– Clearly define duties and expectations in a legal contract. Spell out required service levels.

– Implement controls like encryption for valuable data handled by vendors. Don’t give away the keys.

– Conduct periodic reviews of vendor performance and compliance with contract terms.

– Require vendors to undergo independent security audits and provide results.

– Establish procedures for regular communication and reporting from the vendor.

– Build change management and termination provisions into contracts to switch vendors if needed.

– Confirm vendors carry adequate cyber insurance in case of data breaches.

– Ask vendors to disclose their cybersecurity preparedness, such as incident response plans.

Key Considerations by Function

Different security functions have different considerations when it comes to outsourcing. Some key examples:

Network Security

Monitoring network traffic and managing firewalls require real-time change management. Slow vendor response times can create vulnerabilities.

Endpoint Security

Protecting user devices and apps is key. If outsourcing this, require the ability to set and enforce device policies remotely.

Data Encryption

Wherever feasible, encryption should be controlled in-house rather than by vendors. Limit vendor access to keys.

Identity Management

Controlling employee access centrally is critical. Vet vendor ability to integrate with internal company directories/HR systems.

Security Operations

Outsourcing monitoring, alerting and threat intelligence gathering may supplement overstretched in-house teams. Maintain internal incident response staff.

Compliance Audits

Independent audits are essential for compliance. Reputable auditing firms specialize in security assessments.

Testing & Vulnerability Management

Vendors can effectively simulate attacks to probe defenses. Ensure testing tools integrate with in-house systems.

Questions to Ask Potential Providers

If considering outsourcing security functions, be sure to ask potential providers key questions like:

– How long have you been in business? Can you provide references?

– What is your experience in our industry? Do you have other similar clients?

– How do you vet and monitor your employees? What controls protect client data?

– What are your hiring practices? How do you train and manage security staff?

– How do you stay on top of the latest threats and vulnerabilities?

– What technologies and tools will you use to secure our environment?

– How will you customize your offering to fit our specific needs?

– How will you communicate, provide reporting and ensure accountability?

– How can we integrate our internal systems with your security platforms?

– What assistance will you provide during a breach or incident response?

– What insurance coverage do you carry to cover losses and legal liabilities?

When to Keep Security In-House

While outsourcing security functions can make sense in many scenarios, there are instances when keeping security in-house is the wiser choice:

– Handling highly sensitive data like trade secrets, IP, or customer information requiring privacy protections.

– Environments subject to stringent regulatory compliance requirements.

– Functions requiring real-time support like network monitoring and incident response. Delayed vendor response time creates vulnerabilities.

– New companies lacking established security processes that require focused re-tooling.

– Mergers/acquisitions where integrating different security platforms is strategically important.

– Organization-specific contexts where outside vendors lack sufficient visibility or expertise.

Creating an Effective Hybrid Model

Rather than taking an all-or-nothing approach, many companies opt for a hybrid model that combines internal security staff with external vendors/providers:

– Handle the most sensitive functions and data in-house while outsourcing secondary tasks.

– Use managed security services to augment monitoring and intelligence gathering by existing staff.

– Outsource ad hoc services like compliance audits and penetration testing to avoid having to hire specialized expertise full-time.

– Maintain specialized in-house security engineers for critical functions while outsourcing security administration and operations roles.

– Keep leadership security roles like the CISO in-house for centralized oversight but outsource operational execution.

– Have in-house staff manage relationships with and oversee the performance of external security vendors.

Key Takeaways and Recommendations

Here are some key high-level recommendations on navigating the build versus buy decision for security:

– Do not make an all-or-nothing decision for the entire company. Evaluate each security function separately on its merits.

– Seek the right balance between in-house strategic guidance and outsourced operational execution tailored to your risk profile.

– Consider the culture and philosophy of your company. Is retaining control in security a priority?

– Analyze the costs but avoid decisions based purely on price. The lowest cost outsourced solution may lack key protections.

– Vet potential providers thoroughly and implement controls to manage outsourced risks. Visit their facilities if possible.

– Focus in-house personnel on the most critical security needs while outsourcing specialized functions requiring niche expertise.

– Continuously monitor and review performance of outsourced security. Maintain clear paths to switch vendors if needed.

– Carefully check provider agreements for hidden costs, intellectual property rights, indemnification, and termination provisions.

– Require vendors to prove security controls equal or exceed those within your own company for equivalent data classification levels.

– Institute detailed ongoing reporting procedures for external vendors to ensure visibility and accountability.

Conclusion

Outsourcing security can provide valuable expertise and cost savings. But it also comes with notable risks around control, visibility, customization and accountability. Wise companies make nuanced build versus buy decisions for each security function based on strategic and operational considerations. Following best practices for vendor evaluation, due diligence and contract protections is essential.