In the year 2000, people dreaded the “Y2K Bug” and believed that it would wreak havoc on the world’s technological infrastructure. These fears were founded off the belief that the applications and hardware would not be able to handle the date format change from 1999 to 2000. People believed that machines would simply crash when the clock struck midnight. Midnight came, the ball dropped, and everything was (mostly) fine due to enough preparation and awareness of the issue.
What is often overlooked during this time of technological transition is one of the most significant computer viruses in history. The ILOVEYOU virus is malware that falls under the classification of a worm, which basically means that it spreads itself when run. This worm spread via email attachments and took the world by storm. The virus devastated companies and caused over $15 billion dollars in damages throughout its lifespan. Companies were totally unprepared for this kind of event. The year 2000 was (shockingly) a long time ago and technology today dwarfs that of almost two decades ago.
Yet the Y2K incident has too many parallels to modern cybersecurity: there is hysteria surrounding the topic, many people have no idea what it means, and adequate preparation/awareness can prevent potential disaster.
What is Cybersecurity and what does it mean to be Secure?
Cybersecurity is a catchall term for the tools, procedures, people, and infrastructure needed to defend against a malicious actor. These malicious actors can be anyone from a nation-state (referred to as an APT – Advanced Persistent Threat) to your own employees looking to cause trouble. Regardless of the threat, there needs to be proper measures taken to defend a company from attack.
The current atmosphere in security is an arms race of sorts, where new methods of attack are countered by new defensive techniques and vice-versa. This arms race can leave many smaller business (and even large ones) woefully unsecure. To be “secure” is to ensure that a business has taken the necessary steps to prevent catastrophic breaches, and to have business continuity and recovery plans in place should disaster occur. Truthfully, no company can say they are fully secure.
The best anyone can hope for in the IT industry is to be as prepared as possible and have a quick response plan for worst-case scenarios.
How do I Secure My Business?
The first thing many clients want to know is simply how to secure their business in the most cost-effective way possible. Security is rightfully viewed as a cost center for most businesses. There is a balancing act in the world of cybersecurity between IT directors and company leadership where cybersecurity teams are relentlessly demanding a higher budget but with obscure or non-existent metrics to assist with the decision.
This lack of information can cause many to feel as if they are wasting funds on a service that provides no benefit. On the other end of the spectrum is when a company has what they believe to be a secure solution but experience an incident regardless. Recall the previous definition of being “secure” – taking the necessary steps to prevent catastrophic breaches but being prepared for anything. This raises the question – How can our company afford security?
Most organizations are painfully aware that cybersecurity is a highly in-demand field. Starting your own Security Operations Center, feeding all your logs into a SIEM, deploying timely patches and ensuring coverage on all endpoints and servers is a nearly impossible task for a small team. On the other hand, midsized businesses face the grim prospect of hiring a full security team and cutting heavily into their bottom line with a hungry cost-center. This is where it can be advantageous to use an outsourced solution instead of relying on in-house IT for cyber security.
What are the Pros and Cons of Outsourcing Security?
Pros of Outsourcing Security
The cost of running an entire cybersecurity stack along with the talent required to properly use it is currently unsustainable for many SMBs. Financially, many businesses are left with a tough choice when deciding if a security team is right for them. In-house personnel and equipment are hard to come by and expensive to boot. The real financial benefit of an outsourced IT/Security firm is the scalability of services.
Creating an efficient and dedicated cybersecurity team is a difficult task that relatively few corporations have accomplished. Due to the reactive nature of most teams, many are left without work to do until there is an incident. When this incident does occur, the spike in work may overstress the team and a third-party responder may be brought in anyway. Organizing a proactive team takes massive amounts of time and money in a very competitive market. Outsourcing the cybersecurity needs to a third party can alleviate this issue and allow the funds to be spent more effectively.
This point can be both a pro or con depending on perspective. An outsourced security team obviously deals with many clients, but since they are a dedicated team of professionals that utilize 24/7 shifts, there is always full coverage for any potential issue. Sure, this may mean that your company is one of many. However, the nature of security alerting allows an organized approach to resolving alerts so there is minimal difference from the security provider’s perspective. A corporation with 100 endpoints can require nearly the same man-hours as 10 companies with 10 endpoints each after initial proper configuration and security policy.
24/7/365 support comes with other perks as well. It is possible for a company to have nearly uninterrupted business during an incident. Data backups, server backups, and even cloud Disaster Recovery services can assure that business continues as usual while the issue is resolved.
It cannot be overstated how valuable it is to have an expert security team. Experience is the differentiating factor for many teams. The tools are only as good as the technicians and analysts utilizing them. Without proper training and support, a secure environment is impossible to achieve. This is where due diligence comes into play when shopping for third-party security firms. One must ensure that the firm being contracted will properly handle your needs and individually care for your environment. With many third-party providers, the experience that comes from having so many clients cannot be emulated in a SMB. With more exposure comes more skill.
Cons of Outsourcing Security
One of the ugly truths of outsourced security is that each company does have a finite limit of the resources it can dedicate. Depending on the size of your company, there may come a point where it is more viable to integrate your own security team instead of outsourcing. This line changes depending on the organization you negotiate with. Be wary of any organization that seems to overpromise.
Perhaps the biggest sticking point for the CIOs and IT directors out there is that third party teams have the tools they use, and these are generally hard to negotiate. If you have a specific product preference that you use in-house, but the third-party firm is unfamiliar with the tool or cannot afford the license, you may have to use their solutions instead. Fortunately, most security tools have many alternatives and the skill of the users makes a much bigger impact than the actual tool itself.
- Divided Attention
This is the classic first question for many professionals when presented with an option to outsource their security: “How can you pay attention to us if you have 6 other clients?” The truth is, most outsourced security providers will not focus as hard on one company since this would come at the expense of other clients. The technical solution to this is the proper tools and procedures used on the provider’s end that helps filter things down to those issues that are especially important or critical.
- Potentially Poor Metrics
Perhaps the biggest issue facing security professionals when reporting to stakeholders is the lack of metrics proving that their solutions work. In-depth defense relies on a layered approach to security that creates a spider-web of defenses that may all catch the same event. Proper reporting is hard to come by and noise needs to be filtered out to find actual results.
- Lack of Specialization
Companies all have differing needs and wants. Sometimes, you may require a specialized tool or skillset that simply isn’t offered in an outsourced solution. It cannot be emphasized enough how important it is to know your needs before searching for a solution.
When Should You Outsource Security?
There is no easy answer to whether a company should outsource their security. In most scenarios, mid-sized companies will be able to save time, money, and effort by outsourcing their security. But there are always exceptions. Perhaps your business requires specialized tools and procedures that do not mesh well with the offered packages.
Regardless of the circumstances, the modern security industry is full of uncertainty. The best thing any stakeholder can do is to review their options and come up with a plan of action that best fits their specific needs. As is common in the business realm, proper quantification of one’s needs is the most vital step in determining whether an outsourced security solution is right for you.
The TL;DR (“Too Long; Didn’t Read”): Outsourcing cybersecurity is usually the most cost-effective, the most efficient, and the most secure solution for small to mid-sized businesses, but all situations are unique. Be sure to know your individual needs before deciding on a course of action.
Haury, Amanda C. “10 Of The Most Costly Computer Viruses Of All Time.” Investopedia, Investopedia, 12 Mar. 2019, www.investopedia.com/financial-edge/0512/10-of-the-most-costly-computer-viruses-of-all-time.aspx.
“Managed Security Service Provider (MSSP).” Gartner IT Glossary, 18 Apr. 2019, www.gartner.com/it-glossary/mssp-managed-security-service-provider/.
Ragan, Steve. “Study Shows Those Responsible for Security Face Mounting Pressures.” CSO Online, CSO, 11 Feb. 2014, www.csoonline.com/article/2134337/study-shows-those-responsible-for-security-face-mounting-pressures.html.
Sorokin, Michael, et al. “When Should You Outsource Cybersecurity?” Technology Solutions That Drive Business, 24 July 2018, biztechmagazine.com/article/2018/07/when-should-you-outsource-cybersecurity.