One of the quotes often attributed to Albert Einstein is “Insanity is doing the same thing over and over again and expecting different results”. Whilst there’s debate if this was something Einstein actually said, the sentiment definitely rings true.
Several decades ago I was extremely privileged to work with the government to review the education curriculum to both modernize and expand the number of people that had cybersecurity skills. Since then, the number of centers of excellence in the UK teaching cybersecurity has dramatically grown, and so has the demand. Many are now looking outside the conventional realms of those traditionally trained in cybersecurity to help fill the void - for example the great work Jane Frankland has been driving for years in getting more females into the cyber workforce.
According to ISC2, “While we celebrate the record number of new cybersecurity professionals entering the field, the pressing reality is that we must double this workforce to adequately protect organizations and their critical assets,” said ISC2 CEO Clar Rosso, and of those they had surveyed, “41% believed it was due to a lack of qualified talent, 34% mentioned budgetary constraints, and 27% mentioned challenges with turnover and staff attrition”.
Those that know me know I talk about the cyber time paradox regularly. On one hand, we are providing more educated staff into the industry, yet on the flip side businesses are digitizing more and more processes, which means more cybersecurity telemetry to be analyzed. At the same time, the volume of threats continues to rise, meaning more telemetry, and of course just about every year the cybersecurity industry comes up with new methods of threat detection and response, which again means even more telemetry. All of this suggests the workload is growing much faster than the skilled staff available and, to compound this, businesses expect much faster results. As businesses become more digitally dependent, the acceptable time to be without these resources is shrinking.
Today, all of this begs the question: what should your own cybersecurity staff do, and what should be taken as an outcome-based service? This is not by any means a new phenomenon, as in the late ’90s many businesses began outsourcing their email content filtering because it was such a time-consuming process. At the time, many were concerned about data privacy, and despite data privacy laws growing, most businesses today continue to outsource this requirement.
In more recent years we have seen the sharp growth of SASE (Secure Access Service Edge), driven by the shift to work from anywhere as well as by cloud-based collaboration and cloud computing shifts. In fact, many businesses have moved all edge security needs and networking capabilities out to a service. Indeed, Gartner sees that by 2027 most companies will make this shift: “By 2027, network and security vendors that are unable to deliver a compelling SASE offering will be mired in niche opportunities.”
So the key question is, what else should businesses be looking to take as an outsourced cybersecurity service?
Answering this question requires looking at three key elements: skills, capabilities and costs.
SKILLS
With most organizations having finite staffing budgets, the question becomes: where do I really need to have the skills in-house, and where would it make sense to outsource? Let’s take business knowledge as an example. Understanding how IT resources impact the business requires inside knowledge. Yet deep technical knowledge of either security technologies or cyberattacks is more generic knowledge that can be supplied externally. At the same time, some skill sets can simply be out of reach for many organizations. For example, deep Incident Response and Forensics skills are something you hopefully only need access to occasionally, and with it being an area of very high expertise, having this skill in-house full-time can be extremely costly. As such, businesses may need to make a trade-off, perhaps taking on a less experienced but cheaper candidate, or more often than not they simply can’t find the required skills at a cost they can afford, as supply and demand has pushed the salary ranges outside of their affordable budgeting.
You may consider the answer is to bring in junior talent and train them up in-house, which many choose to do. One challenge with skills shortages is that there will always be another organization willing to overpay for a quick hire once the skills and expertise have been gained. Whilst this isn’t the only motivator for staff, big pay jumps can be difficult to turn down for many.
However, the flip side is also true for simple cybersecurity tasks. With most organizations facing staff constraints, many straightforward and repetitive tasks in cybersecurity are not the best use of your team's time. As such, it makes sense to outsource these types of tasks, such as gateway content filtering and, for many, tier 1 SoC filtering. With staff retention also being a challenge, ensuring your staff are working on meaningful tasks rather than repetitive, mundane ones can make all the difference to morale and therefore retention.
COSTS
Outsourcing can provide access to the most highly talented skills at a much lower cost. The simple logic is these people can scale across multiple organizations, based both on their skill levels but also in many instances such as threat hunting or Incident Response (IR). When I worked at FireEye, which acquired Mandiant, an IR services company, we would often get called in as a second line of expertise. Why? Well, either their internal skills or regular services team simply didn’t have the cutting-edge, advanced knowledge to truly find and eradicate the breach, or access to the tools required to achieve this. As such, pulling in these services and capabilities on an as-needed basis was the logical outcome when an attack went beyond their own ability to manage it.
CAPABILITIES
Innovation always comes with a cost. The longer a capability is in the market, the more it typically becomes commoditised. What you’ll commonly find, however, is that many threat hunters and IT experts use an array of bespoke tools, developed as a result of specific needs. As such, there will be times when either the tools can only be accessed through expert services, or purchasing the tools in-house is prohibitively expensive. Sharing the costs of the tools under a services umbrella can help reduce these. One simple example is the economies of scale with SIEMs. A service provider offering a managed Security Operations Centre (SoC) service can buy the SIEM and share both its cost and the surrounding costs across all of their customers. Because their storage requirements are so much greater due to servicing multiple clients, they have the ability to negotiate volume discounts on the storage costs.
At the same time, when any individual company makes a significant change in cybersecurity, there will typically be a write-down period for the associated costs (i.e. the hardware required, the software licenses, the deployment costs and staff skills training). The challenge with these multi-year commitments is that they limit the ability of the business to adapt to the ever-changing capabilities in the market. The advantage of taking on a service is that it takes away these big capex investments and allows the business to change, as the degree of financial lock-in is much lower. I always remember meeting with a CIO of a very large organization about 5 years ago. They had worked on plans to build a new data center for several years, and it took nearly as long to get signed off by the business. The challenge was that by the time they had it deployed, the world was moving to cloud and agile, so they were (by his own words) now challenged by their own technology lock-in.
TAKEAWAYS
If we accept that simply hiring more staff isn’t going to solve this challenge, that our digital world and the threats against it are only growing more complex, and that capabilities such as AI and automation have a key role, we must then consider the two key questions:
1. What capabilities should you consider outsourcing next in your cybersecurity strategy?
- Where are either the skills, capabilities or costs prohibitive to do this in-house?
- Is this something that MUST be done in-house?
- Does outsourcing free up your internal resources and does it increase the job satisfaction of those in your organization?
- Is this a periodic or full-time requirement?
- Does outsourcing allow you to remain more agile to the changing cyber security demands?
- Is this capability being commoditised, and does it make sense to move it to an outcome-based service?
2. How do I decide which is the right outsourcing partnership, and what are the metrics of success I should be applying?
The answer to this is a whole separate blog, so watch out for this follow-up blog coming soon! But as a final thought as we head towards 2025, be deliberate about where you want to outsource versus insource; it's always easier and, in the main, more cost efficient when you have the time to plan and execute. Sadly, I have seen too many instances, especially when dealing with a business-critical Incident Response (IR), where such things as contract negotiation slow down the ability to execute at pace and decisions are rushed due to the compressed time pressures.
Sources:
https://www.linkedin.com/in/janefrankland/
ISC2 Cybersecurity Workforce Study: Looking Deeper into the Workforce Gap
Gartner Research - Forecast Analysis: Secure Access Service Edge, Worldwide