The question below is not a simple one: is it better to handle physical security in-house or to outsource this function? There are two camps: those who believe that security is better served by an in-house, dedicated team of highly motivated professionals, and those who see outsourcing as a way to reduce costs and transfer the responsibility to another firm.
Let’s take a quick look at both sides of the coin. In my career, I have seen how outsourcing the security function has brought highly specialized and effective talent into an organization that the in-house team did not possess, and personally I have found, many times, consultants to be much more productive than their full-time counterparts. Having the security team in-house, but with consultants on staff, can be very effective in staffing cyber security roles and can help with the heavy workload that security teams often face.
In an ideal situation, all companies would have highly trained, efficient, hardworking full-time staff solely dedicated to the wellbeing of the firm. Consultants would not be needed, because the in-house staff would be constantly training, sharpening their skills, and highly specialized while also having great generalist skills. Unfortunately, this situation does not exist in any company, or at best in very few.
So, the question is not whether security should be outsourced but, more precisely, what level of outsourcing is ideal. Above I described the typical environment for mid- to large-sized companies. The full-time information security staff has great generalist skills and some specialization but is heavily under-resourced in terms of head count, so consultants are brought in for their specialist skills, to help carry the burden of the heavy workload, and/or to work on special projects.
When the entire security team gets outsourced to an MSP or an external security firm, that is where there is a lot of gray area in terms of the actual value and benefit to the organization. You can outsource the responsibility but not the accountability. You can outsource the work but not the risk. The company will still be accountable and will still need to assume all risk in terms of its cyber security posture.
Many companies that offer these services sell them to clients based on huge cost savings which, in my experience, never add up. It ends up costing the company a lot more. I once worked for a large multinational company that decided to spend half a million dollars to build a SOC in a third-world country. At the end of the day, the total cost, including the fees charged by the MSP, was substantially larger than if they had hired 10 extra full-time engineers, or even consultants, and kept them in-house.
There is one key exception to this, however. There is something known as the CMI Model. The Carnegie Mellon Institute Model for an IT or InfoSec program states that at a fully mature level, Level 5, where processes are predictable, written, auditable and repeatable, SOPs are in place, management is stable, and the organization is 100% on track, the IT department and the information security team are no longer part of the core business of the firm. Since they are not one of the company’s core competencies or market competitive advantages, they should be outsourced.
This gives the firm the benefit of focusing on its key strengths and outsourcing all nonessential functions. Very few organizations are at CMI Level 5, or even Level 4 for that matter. As an information security professional, I 100% agree that this scenario is a valid one. While you cannot outsource the risk and the ultimate accountability, in a fully mature organization whose key competitive advantage is unrelated to technology or cyber security, it would be ideal to outsource the day-to-day responsibilities for this work.
I am going to make a prediction. A bold one at that. Within the next 20-30 years, which means within the next generation or generation and a half of cyber security professionals, there will be several large MSPs totally dedicated to cyber security that will do it cheaper, better and faster than most in-house security teams. These companies, which are few and mostly small now, except for maybe Optiv, which is probably the largest pure cyber security consultancy in the US, will dominate the security arena and probably control at least 30% to 40% of all cyber jobs. I say within 20-30 years, meaning it could be much sooner, maybe in 10 or 15 years’ time.
What does that mean for the profession? To stay current, you must constantly be learning, evolving, and pushing yourself to the next challenge. Always be your own best competition: keep taking on large projects at work, training, earning certs, writing code, teaching, pushing forward. As the consolidation begins in the cyber security field, only those with sharp skills will be able to earn and keep the top positions. Never surrender!