Choosing the right partner when outsourcing cybersecurity

In this Help Net Security interview, Anya Shpilman, Senior Executive, Cyber Security Services at WDigital, discusses the benefits and potential risks of outsourcing cybersecurity services.

She compares the cost-effectiveness of outsourcing to maintaining an in-house team, noting the challenges of recruitment, training, and the constant need for external expertise. Additionally, she predicts a future trend toward increased automation in cybersecurity outsourcing.

Can you elaborate on the benefits and potential risks of outsourcing cybersecurity services?

Benefits

There are a lot of forms a cyberattack can take, protecting against all of these methods, understanding the threats, and the tools that help to protect us, and knowing how to act during an incident requires an array of skills and knowledge. Instead of building a team, buying the tools, and keeping them up to date you can:

• Leverage the knowledge and expertise of individuals worldwide. Service providers usually have dedicated experts in their field that can be utilized when needed.
• Benefit from the best systems for monitoring, threat detection, and forensic analysis.
• Have incident management experts ready to advise and assist if the worst happens.
• Unless it’s a large organization, there probably won’t be enough resources to provide active monitoring 24/7. As we know, bad actors don’t have office hours, so having someone qualified to watch around the clock is preferable.
• Reduce cost. It’s usually more cost-effective to outsource your cybersecurity which I’ll discuss in more detail below.

Potential risks

There are few real risks, however, outsourcing cybersecurity will mean handing over a certain amount of control. It is vital to have a security partner that you trust. Most vendors allow you to choose the level of help, access you are comfortable with and work with you to develop playbooks that work to satisfy both your security and ownership needs.

What key factors should businesses consider when outsourcing their cybersecurity needs?

A business needs to understand what it is that they are looking to achieve with the partnership. They must clearly define their own and their partners’ responsibilities. They need to decide who is allowed to take what action in the event of an incident and who needs to be informed, updated, or consulted. There is a lot of trust required for a successful partnership and a business will need to carefully evaluate:

• Expertise and qualifications: Assess the qualifications, certifications, and expertise of the outsourcing team
• Client portfolio: Inquire about the current clients they are working with to gauge the experience and reputation
• Compliance: Ensure the provider complies with existing laws and regulations governing cybersecurity
• Market coverage: Understand the markets the provider is serving to align with your business needs
• Cost consideration: Evaluate the cost of outsourcing cybersecurity services and ensure transparency in pricing
• Client recommendations: Request recommendations from clients the provider is currently working with

How does outsourcing cybersecurity impact a company’s compliance with data protection and privacy regulations?

While outsourcing can provide audits, guidance, and training, the ultimate responsibility for adherence to local laws and regulations rests with the company. Outsourcing cybersecurity does not absolve the company from ensuring regulatory compliance, it rather leverages external expertise to guide the company in meeting these obligations.

Is outsourcing cybersecurity more cost-effective than maintaining an in-house team? Can you provide some insights or examples?

I’ve experienced both perspectives: creating an effective in-house cybersecurity team and offering outsourced cybersecurity solutions. Hiring and maintaining an in-house security team can become costly very quickly. The recruitment process can be very lengthy, from my experience, it can take 3-6 months to hire internally.

Apart from the salary, you’ll need to think about visas, flights, insurance, schooling, gratuity, etc. It will then take time to train the new employee as well as them familiarizing with the company, systems, and procedures.

Even if you manage to get the best security team together, the turnover for security professionals is very high, and repeating the process above is costly.

You also need to keep in mind, that in most cases you still need to spend more on tools and products as well as additional training required to keep up with new threats and trends. Even with a great and effective internal team, there will always be a need to call upon external expertise for auditing, training, and any skills that are not cost-effective to bring in-house such as forensics and – teaming.

What is your outlook on the future of cybersecurity outsourcing? Are there any upcoming innovations or shifts that businesses should be aware of?

The future of security is automation. We utilize various categories of automation, including solutions where alerts are fully investigated without human intervention. Even then, there will always be a need to have a person or people with the correct expertise making decisions.

I see a future where it will only make sense to have a security partner who can utilize the latest in technology and expertise across what can only be an ever-increasing security landscape, it will become impossible or at least uneconomical to maintain the spectrum of skills and tools required to secure sensitive data and infrastructure yourself.