Insourcing vs. Outsourcing Security Resources
I was recently having coffee with a person that could best be described as a mentor, consultant and investor in me. During breakfast, he asked me a simple question that has been burning in my brain ever since. He said “You spend a lot of time educating people on how to build effective programs, but have you ever considered explaining to them why they may want you to run those programs for them rather than them running those programs themselves?” Sheepishly I must admit that the answer was “no”, but I am seeking to change that answer with this post.
A major initiative for me is to demystify cybersecurity. It’s not some nebulous concept that is difficult to understand, in fact, for almost every cyber security challenge, there is a corollary to everyday life. In this case, it is akin to deciding whether to do your own home improvement or to contract with a professional.
I have done a variety of work in my past and consider myself pretty handy and mechanically inclined, so I do a lot of work around the house myself, but there is other work that I contract out. For example, I have no interest in doing electrical or plumbing work because I don’t have the skill set, don’t have the tools, and have no desire to learn. There’s other work, like tree trimming, that I am perfectly capable of doing, but the tree trimming companies can do it much faster and have much better equipment. Essentially, I value my time on an hourly basis and compare what it would take for me to do the work vs. hiring someone else based on the value I place on my time. As I become more established in my career and earn more money, , my own time value goes up and the equation changes. There should be a similar evaluation for organizations.
There is a decision matrix I am using in my internal calculation. On one axis, the question is around expertise. Can I do this as well as a professional and do I care? Is it something where the quality of the work is very important to me, or is it something where I don’t care just as long as it’s done. In business there are things that fall into both categories as well. The other axis revolves around how much longer would it take me vs. a professional? A good example of this is when I bought my house. My wife and I wanted to change the paint throughout the house. We finished two bedrooms and a bathroom in two weekends working long hours. We hired professional painters who finished the rest of the house in a day. Although we paid them more per hour than we valued our own time, the professionals were far more efficient, so the outsourcing cost was favorable to the insourcing cost.
Much has been written about the cybersecurity skills gap and how difficult it is to find cybersecurity talent. While that gap is real, and it is big, you can find information about it in many different places. Regurgitating those statistics constitutes neither unique insight nor a good use of your time in reading my blog. My unique perspective, as someone who has dedicated a good portion of his career to providing outsourced services to organizations, is what advantages I have over an organization who wishes to staff internally. I will share those advantages with you.
It should be noted that when I speak of outsourcing, I am simply speaking about whether or not the resources performing the work are on an organization’s payroll.
Cybersecurity professionals are in short supply and consequently they experience salary growth at a higher rate than many other professions. That hurts organizations who would like to staff internally in two ways. First, cybersecurity professionals can often meet their salary requirements in a variety of roles for a variety of organizations. This means that they’re likely to find opportunities that give them maximum growth opportunity. No matter how good your company is at what you do, if what you do isn’t closely related to cybersecurity, working for InteliSecure looks better on a resume than working for your organization. Second, those people are more valuable to an MSSP like InteliSecure, because we can apply their expertise to a variety of clients, where you can only focus them on a single environment. Therefore paying them at market rate makes a lot of business sense for me, while it may be a budgetary stretch for you.
Additionally, the cybersecurity skills gap is so large that prestige tends to matter more than money, since these people can generally command the salaries they want from a variety of employers. As one Bay Area law firm told me “I’m a law firm in Silicon Valley. Even if I pay double the market rate, what high end cybersecurity professional wants to work for a law firm when they can go down the street and work for Apple, Tesla, or Google?”
Exposure is closely related to expertise. I was successful in recruiting a very talented individual from a very prestigious company at a reasonable salary because of exposure. He told me “If I am responsible for one environment, no matter how large, how does that skill set growth compare to being exposed to hundreds of environments working for a Managed Security Services Provider?” The answer is it doesn’t, and many security professionals are moving to security providers in recognition of this fact.
Similar to professional athletes, cybersecurity professionals improve with practice, practical experience, and level of competition. Unlike athletes, their skills don’t diminish with age. They continue to grow from their first day on the job, until the day they retire. Every exposure makes them better. They get more exposure from a service provider which gives providers the advantage of not only recruiting better talent, but also growing talent at a faster rate.
The majority of cybersecurity tasks by volume are low-level. High level and more valuable tasks can’t be done without the low level tasks being done first, so you can’t simply skip them. The truth is, low level tasks cost me less than they cost you.
Why? Because I can hire junior employees to complete those tasks due to a high enough volume to justify full time employees and a support structure of experts and leadership who allow me to sufficiently support junior employees to perform low level tasks well. Most organizations that are self-staffing their programs have only a handful of people that perform both complex and simple tasks, meaning they lack the flexibility in the program to drive low level tasks to low cost employees. Often, they don’t have the support structure necessary to have low cost employees at all, which means low level tasks are completed by high cost resources. Worse, since those low level tasks are often prerequisites to completing the high value and high impact work, those high cost resources often spend the majority of their time doing low level tasks. Outsourcing the low level tasks to a third party is a good strategy to focus highly skilled resources on high value work. It also makes high value tasks much more likely to be completed, increasing the value of the security program.
Every business faces disruption from time to time. When those things happen, many times people are laid off. If you are internally staffed for security, it’s easy for the business to ask you to do more with less and cut headcount in your department. You may or may not get that headcount back when the financial outlook of the company improves.
When you outsource at least a portion of your security program, there is likely a contract that cannot be broken without penalty, which means cost cutting forces must look elsewhere when things get tight from a budgetary perspective. In the eyes of the business there is a big difference between having your spending be locked in and contractually obligated and having your spending be an uncommitted ongoing operational expense.
In order for a Managed Security Service to work well, it must be thoroughly documented. The Managed Security Services Provider must be able to share information between team members and also prepare information for you, as the client, to approve. Internal programs are not likely to be documented nearly as thoroughly, which often means if a key team member were to leave, the result would be a security program that would take several steps backward. With the volume of opportunities available to cybersecurity professionals and the generational comfort with millennials to frequently switching organizations, the lack of documentation can result in great difficulty in maturing a program.
Related to documentation, continuity is very important to a security program. Simply put, scale breeds continuity. It is not that I don’t face similar generational and opportunity factors that make retention difficult as a service provider, I certainly do. However, if you have 3 full time security people and one leaves, you lost 33% of your program. It would take an MSSP losing substantially more employees to experience even a fraction of the same continuity impact. Turnover is a fact of life. Unless you plan on having a very large cybersecurity staff, turnover will inescapably breed continuity problems that hinder your efficacy.
Insourcing vs. outsourcing in IT and cybersecurity is a dilemma many organizations face. Like many other business dilemmas that seem to be addressing abstract concepts, drawing a correlation to everyday life is helpful. Evaluating the ability of your internal staff vs. external staff requires a cost and efficacy analysis. However, that analysis is not unlike the analysis a homeowner performs when deciding whether to finish their own basement or hire a contractor.