With cyber threats becoming increasingly sophisticated, and data breaches costing businesses a fortune, many SMBs are asking the question: ‘Should we handle our security in-house, or should we outsource it?’
As one of Babble’s cyber security experts, I’ve spent years helping businesses like yours make these calls and figure out which approach best suits their unique cyber security needs.
There’s no one-size-fits-all answer, so I’ll take you through the pros and cons of internal and outsourced cyber security and give you some key considerations, to help you make the decision. If you’re still on the fence about which model is best for your business, I’ll also introduce you to the hybrid approach. By the end of this, you’ll know what route to take for your business.
What Does Internal Cyber Security Look Like?
When we talk about a full in-house cyber security setup, we’re usually talking about the big guys – the larger, more complex, mature organisations with the resources to have a dedicated team. These teams often operate in a Security Operations Centre (SOC), have a bunch of expensive tools and provide 24/7 monitoring.
Having a dedicated in-house team is a massive undertaking. It’s like having your very own private security force. To understand if this kind of commitment and investment is right for you, let’s have a look at the pros and cons of bringing your cyber security in-house.
The Pros of an In-House Team
- Deep, Specific Knowledge: Your in-house team becomes intimately familiar with your unique business operations and can quickly identify what’s normal, and what isn’t. This allows them to tailor security solutions.
- Complete Dedication: As a part of your organisation, they’re 100% focused on your business. There is no divided attention across multiple clients.
- Direct Access and Easy Communication: Your in-house cyber security team is immediately available, ready to deal with any issue that pops up 24/7, 365. Also, it can be easier to have a conversation with someone in your company, rather than an external provider who usually needs you to give them a bit of context beforehand.
- Greater Control: You have more control over every aspect of your security operations as your team reports directly to you.
The Cons of an In-House Team
- The Cost is Huge: This is the big one. It’s not just about salaries; you have to factor in benefits, training, and those expensive security tools. In reality, it can cost you 3.5 to 5 times more than outsourcing. That’s a massive expense, especially for SMBs.
- Ramp-Up and Turnover: It takes time for new hires to become effective, and they might leave for another company. You could lose an employee overnight, and that could put your business at risk.
- The Massive Skills Shortage: There are simply more cyber security jobs than there are people to fill them. According to the 2021 (ISC)² Cybersecurity Workforce Study, the global shortfall of skilled cyber security workers was 2.72 million in 2021. It’s a premium market, and it’s hard to find and keep good talent. Recruiters are always trying to poach people for 1.5 or 2 times their current salary.
- Keeping Up with Threats: Cyber crime is growing faster than people can learn how to combat it. This speaks to the skills shortage point above – which will likely be an ongoing problem.
Key Considerations When Building an In-House Cyber Security Team
If you choose to build an in-house team, I recommend looking for candidates with the Certified Information Systems Security Professional (CISSP) certification. This is what we consider the gold standard qualification in the industry. It includes an incredibly hard exam that has a 5 to 10% pass rate, and the certification needs to be reviewed and renewed every 18 months. This is a rare find, so also look out for candidates with the Certified Cloud Security Professional (CCSP) or Certified Ethical Hacker (CEH) certifications.
What is Cyber Security as a Service (CSaaS)?
In a nutshell, Cyber Security as a Service (CSaaS) involves outsourcing your security operations to a Managed Security Service Provider (MSSP). In my experience, hiring a third party to take care of their cyber security needs is the way to go for most businesses – especially SMBs. With CSaaS, you’re getting the same protection as a massive in-house team, but without all the headaches of hiring, training, and staff retention. You’re just paying for the outcome you need.
The Pros of CSaaS
- Budget-Friendly: This is the biggest advantage and the key difference between in-house and outsourced cyber security. With outsourcing, you avoid the huge costs of an in-house team and purchasing security tools. It also provides a predictable pricing structure outlined by the vendor.
- Instant Expertise: You get access to a team of experienced cyber security experts with diverse skills and knowledge, without having to go through the hiring process.
- Flexibility and Scalability: Outsourcing makes it easy to scale your security up or down as your business needs change.
- 24/7 Protection: Many providers offer continuous security monitoring, ensuring that your systems are protected around the clock.
- Compliance Assistance: Compliance is a big factor, no matter how you approach cyber security. It really depends on what your business does, and where you’re located. Compliance is more about having visibility into what you’re doing, and an MSSP can help with that.
- Quick Setup: You can quickly implement security solutions without the delays associated with building and training an in-house team. This allows you to focus on the outcomes without worrying about the nitty-gritty aspects of cyber security.
The Cons of CSaaS
- Less Control: By outsourcing your cyber security, you are handing over some control to the vendor. This means that you might not have a deep understanding of the tools that are being used, which can be challenging if you prefer to be hands-on.
- Potential for Standardised Solutions: Some providers may offer cookie-cutter solutions that don’t meet the specific needs of your business.
- Finding the Right Provider: Finding the right MSSP can be difficult especially if you don’t have a solid understanding of your cyber security needs.
- Varied Response Times: Because you can’t walk down the hall and visit the cyber security department, the response times of an MSSP can vary depending on the severity of the issue and the provider’s workload.
- Contract Flexibility: Some vendors want to lock you down for the long haul and sometimes require big upfront costs.
- Hidden Costs: It is crucial to be aware of potential hidden costs for extra services or increased usage.
Key Considerations When Choosing a CSaaS Provider
- Make sure you work with a CSaaS provider that has experience with the problems you’re trying to address. When talking with providers, ask about their experience in your specific area, their vendor relationships, and their service
- Develop an ongoing relationship with your vendor to keep comms open. Don’t be afraid to ask technical questions so that you have peace of
- Work with a vendor that offers flexibility in their billing options. In a previous blog, I mentioned that anything that can be done on an OpEx monthly basis rather than a big CapEx investment is the best way to go. Look for a provider that offers monthly billing and is flexible with multiple services.
- Stay informed and be clear on the specific services you’re signed up for, especially if they offer add-ons, extra users or bandwidth.
The Hybrid Approach
Many businesses are looking at a hybrid approach: a combination of in-house and outsourced security. In a hybrid model, a business might have a small in-house team to handle daily security operations and manage the security tools that the company already uses. They might also be responsible for tasks that require a high level of familiarity with the organisation’s specific systems. The business may then outsource other functions to a third-party provider – like 24/7 monitoring and incident response – which is often difficult and costly for an in-house team to manage.
In a nutshell, a hybrid model allows you to tailor your approach to cyber security. You’re able to use your in-house resources where possible, while outsourcing to fill in the gaps or get the expertise you need without worrying about building that internally.
As you can tell, this model is extremely nuanced and depends on things like your organisation’s capacity, budget, the tools you already have, your specific security needs and risk tolerance – more on that later.
Which Model is Right for Your Business?
The best approach for your business depends on your unique security needs, resources, and how much risk you’re comfortable with. If you’re a big company with a big budget, then an in-house team may make sense. But for most SMBs, outsourcing is a practical way to get the security you need without overspending.
Don’t forget that you can always go for a hybrid approach if you want to keep some level of control. The most important takeaway is that your security needs are likely to change and grow, so you should not be afraid to change your approach as needed.
I understand that making these decisions can be complex. As one of Babble’s cyber security experts, I’m dedicated to helping businesses like yours find the right fit.