
Should I In-Source or Out-Source Cyber Security?

Many small and midsize businesses currently struggle to determine whether to in-source or out-source their cyber security measures. With all the news in 2014 regarding retail and financial hacking (unofficially dubbed “the year of the hack”), businesses are reaching deeper into their pockets to ensure that they are protected. Cyber security can now reasonably be described as a critical business function, given that the business risk of a breach is high and that no other threat (financial, competitive, regulatory) can exact so much punishment from a company relative to the ease of creating a breach.

The decision to in-source or out-source cyber security is not just a financial one. It is a business decision designed to best protect corporate data, and it should be supported by an analysis, just like all major business decisions. That analysis should draw not only on internal counsel (CTO/CIO, IT Director/Manager, Security) but also on outside cyber security experts who can bring an experienced, objective perspective to the decision-making process. The analysis should focus on the following key factors:

  1. Corporate “Crown Jewels”: Identify the actual data that you should protect or are required to protect. What is the data on your system that, if divulged, would cause the business financial or regulatory pain? Do you store employee healthcare data? Sensitive email subjects? Intellectual property? Classified or sensitive contracts with the government? All these data sets and more should be identified, and both their risk to the company and the cost to properly protect them should be analyzed.
  2. Current State of Cyber Security: Request a cyber security gap analysis (also known as a risk assessment) to demonstrate the technological gaps that should be addressed to improve cyber security. Also, get an assessment of your corporate IT architecture, called a Vulnerability Scan, from an outside vendor, such as a trusted cyber security firm and/or a Managed Security Services Provider (MSSP). Do not allow your internal IT shop to conduct internal or external assessments: if they identify gaps or vulnerabilities, those findings may not be fully disclosed to management, and the staff may not be qualified to completely identify those gaps. Ask for an original copy of the report from the vendor. For a more thorough evaluation of gaps in current systems and threats against your networks, request a penetration test, in which your vendor will ethically hack your systems to uncover all risks.
  3. Estimating the Fallout of a Hack: Identify what the release of sensitive corporate data can do to the company and the cost of mitigating that damage. For example, the release of intellectual property, trade secrets or critical process information can be apocalyptic, while disrespectful emails could cause minor pain. The release of other data, such as Protected Health Information (PHI) or Personally Identifiable Information (PII), can result in fines.
  4. Impact on Staff: Usually the IT staff controls cyber security for a company when it’s in-sourced (though it should be separated, and that is a subject for another blog). What is the bandwidth of the IT shop? Can they handle the additional load, and can the company bear the cost of purchasing the technology and human capital to analyze the data? Does this need to be monitored 24/7? Remember that technology needs to be licensed and updated and that retention in the cyber security world is very low.
  5. Risk Transfer: What is the ability of the company to transfer cyber security risk? Conduct an analysis of insurance coverage (sometimes technical errors and omissions coverage on corporate general liability insurance will suffice). The use of a third-party vendor also provides some risk transfer in case of a breach, as well as having legal counsel on retainer to respond.
  6. Cost/Benefit Analysis: This is where the rubber meets the road. Based on the information collected, identify cyber security courses of action that provide different levels of protection as well as business risk, and have that validated by an outside vendor. Evaluate a cost estimate for that analysis and identify those factors (impact of breach, cost, ease of implementation, etc.) that are reflective of the corporation’s concerns to identify the area where cost, benefit and risk are comfortable to the company.

The decision to in-source or out-source cyber security depends on the information available to the C-Suite, the cost of implementation and, finally, the level of business risk that a company is comfortable with. Although a third-party vendor offers cyber security solutions at more reasonable costs, there are reasons (IP, complexity, sensitivity) that some companies choose to in-source their cyber security. If that is the case, ensure that a cyber security professional is involved in order to make an informed selection that is beneficial to the company and takes a long-term approach to cyber security.
