Despite the many myths, the answer to this question is relatively unambiguous. With some qualifications, it boils down to one thesis: outsourcing in cyber security, especially managed detection and response services, is much more efficient and economical for businesses than running the entire process with a specialized internal team.
The Main Task is to Minimize Costs
The most persistent myth in cyber security is associated with the concept of costs, the most pressing and urgent issue for top management: outsourcing is always more expensive than having in-house specialists. Dispelling this myth is not so difficult. Let us proceed.
It is worth beginning with the fact that cyber security works as efficiently as possible only when people, technology, and processes are connected. Only in this way is it possible to ensure a complete cycle of protection for the company against external and insider threats.
When deciding to allocate a budget for cyber security, the company’s management is often guided by outdated and fundamentally incorrect concepts. Only the obvious, high-priority capital investments in technology are taken into account. After all, as it seems at first glance, the most expensive link in this chain is technology. You can touch it and at least visually assess the result of the spending. Even now, for many, the concept of a cyber security project is associated with the purchase of specific protection systems, which, roughly speaking, must be bought, installed, and put into action. This is the first and foremost delusion.
Buying technology is a one-time investment; in other words, a reasonable and understandable one. The less convenient but constant, and therefore larger, costs are hidden deeper.
The Right People are the Essential Investment
People are the most expensive and, at the same time, the most valuable business asset. To keep the process running, it is crucial to decide whether it makes sense to form a multidisciplinary, highly specialized team within the company (which is precisely what it should be, given today’s highly complex variety of technologies and threats) or to entrust this process, in whole or in part, to a competent external provider that is built, from A to Z, around solving such issues. In plain language, outsource; in professional terms, sign up for managed security DR (detection and response) services.
That is why it is important to calculate costs comprehensively and correctly at the stage of planning investments in cyber security. You should take into account, first of all, not the one-time investments in fixed assets but the future operational costs of maintaining them. These mainly take the form of additional investments in personnel and their training. By considering only the former, the company fails to strike the right balance and instead creates an illusion of security efficiency through the accumulation of technologies. At the same time, the underlying process is counterproductive, and the result is worthless.
Many companies have ended up in the same situation: they are overgrown with expensive security technology stacks and cannot cope with the operational workload of maintaining them. It’s not just about service. The point is to analyze and apply the results of such systems to improve the operational process. There are many technologies, but efficiency is heading towards zero.
Is it Safe to Hand Security into Someone Else’s Hands?
The second persistent myth, which is logical, or perhaps, on the contrary, illogical, arises around information security and is most often voiced as a rhetorical question: “How can we outsource security if it is security?” But wait, don’t you outsource your health care to the polyclinic? Don’t you outsource the care of your children to babysitters? For some reason, these areas do not cause such violent debates, disputes, doubts, or profound thoughts. That is because a doctor is a specialist: you will not always be able to make a diagnosis yourself, and you will not remove your own appendix. At first glance, it is enough to buy just a scalpel, cotton wool, and a bandage, but what next?
Outsourcing in cyber security is not quite the classic example of outsourcing, in which processes are completely transferred to an external contractor. It is always a synergy of the customer’s efforts and the actions of the security provider. In addition, the entire process is strictly regulated and recorded in the SLA (service level agreement), the guarantees of which are in no way comparable to the level of responsibility of an individual employee on the company’s staff.
Most often, we observe a situation where there are “multiple operators” in the company, who both service the systems and generate reports on the efficiency of the processes. In other words, a specialist sets tasks for themselves and then performs them themselves. Not every organization, even a large one, can afford to maintain a large team of specialists and process managers. At the same time, it is simply impossible to objectively evaluate the results of a single “multi-processor” on whom all processes depend. After all, most often, the management is far from competent in cyber security matters. No one assesses the risks that arise in this case, and the consequences can be deplorable.
A company to which security is outsourced cannot, a priori, harm the client’s business, as this is a matter of reputation. Moreover, security services do not, in fact, directly concern commercial information.
At the same time, the customer company receives full-scale protection against threats 24/7, the best technologies to date, and a fully staffed team of professionals. That team is assembled in exactly the proportion and number that correspond to the scope and specifics of the technologies required for a particular business.
The choice has become especially urgent in light of recent events. The collapse of fragile protection systems made it clear how important it is to build multi-level, professional security. Homemade patches do not work. Thousands of companies had the opportunity to see this. The question of outsourcing has disappeared by itself. The answer is clear: it is necessary to bring in experienced specialists and act here and now.