
Should I In-Source or Out-Source Cyber Security?

Deciding whether to in-source or out-source cyber security is a current headache for many small and midsize businesses. With all the news in 2014 regarding retail and financial hacking (unofficially dubbed "the year of the hack"), businesses are reaching deeper into their pockets to make sure they are protected. Cyber security can now reasonably be described as a critical business function: the business risk of a breach is high, and no other threat (financial, competitive, regulatory) can inflict so much damage on a company relative to how easy it is for an attacker to cause a breach.

The decision to in- or out-source cyber security is not just a financial one. It is a business decision intended to best protect corporate data, and it should be supported by an analysis, just like every other major business decision. That analysis should draw not only on internal stakeholders (CTO/CIO, IT Director/Manager, Security) but also on outside cyber security experts who can bring an experienced, objective perspective to the decision-making process. The analysis should focus on the following key factors:

  1. Corporate "Crown Jewels": Identify the data that you should, or are required to, protect. What data on your systems would cause the business financial or regulatory pain if it were disclosed? Do you store employee healthcare data? Sensitive email, intellectual property? Classified or sensitive contracts with the government? Each of these data sets, and any others like them, should be identified, its risk to the company analyzed, and the cost of properly protecting it estimated.
  2. Current state of cyber security: Request a cyber-security gap analysis (also known as a risk assessment) that shows the technological gaps that must be addressed to improve your security posture. Also have an outside vendor, such as a trusted cyber security firm and/or a Managed Security Services Provider (MSSP), run a vulnerability scan against your corporate IT infrastructure. Do not let your internal IT shop conduct its own internal or external assessments: if it identifies gaps or vulnerabilities, those may not be fully disclosed to management, and the staff may not be qualified to identify every gap in the first place. Ask the vendor for an original, unedited copy of the report. For a more thorough evaluation of the gaps in your current systems and the threats against your networks, request a penetration test, in which the vendor ethically attacks your systems to uncover the weaknesses an adversary could actually exploit.
  3. Estimating the fallout of a hack: Identify what the release of sensitive corporate data could do to the company and what it would cost to mitigate that damage. For example, the release of intellectual property, trade secrets or critical process information can be catastrophic, while disrespectful emails might cause only minor pain. Other data, such as Protected Health Information (PHI) or Personally Identifiable Information (PII), can result in regulatory fines if released.
  4. Impact on staff: When cyber security is in-sourced, it is usually the IT staff that controls it (though it should be a separate function; that is a subject for another blog). What is the bandwidth of the IT shop? Can it handle the additional load, and can the company afford the technology and the people needed to analyze the data it produces? Does the environment need to be monitored 24/7? Remember that security technology must be licensed and kept updated, and that staff turnover in the cyber security field is very high.
  5. Risk transfer: To what extent can the company transfer cyber security risk? Review your insurance coverage (sometimes a technology errors and omissions rider on the corporate general liability policy will suffice, but confirm that it actually covers breach response costs and not only third-party liability). Engaging a third-party vendor also transfers some risk in the event of a breach, as does keeping legal counsel on retainer to respond.
  6. Cost/benefit analysis: This is where the rubber meets the road. Based on the information collected, identify cyber security courses of action that provide different levels of protection and carry different levels of business risk, and have them validated by an outside vendor. Develop a cost estimate for each option, and weigh the factors that reflect the corporation's concerns (impact of a breach, cost, ease of implementation, etc.) to find the point where cost, benefit and risk are all acceptable to the company.

The decision to in- or out-source cyber security depends on the information available to the C-suite, the cost of implementation and, finally, the level of business risk the company is comfortable with. Although a third-party vendor can often provide cyber security services at a more reasonable cost, there are reasons (intellectual property, complexity, sensitivity of the data) why some companies choose to in-source. If that is your choice, make sure a cyber security professional is involved, so that the selection is informed, benefits the company and takes a long-term approach to cyber security.
