It is the current bane of many small and midsize businesses to determine whether to in- or out-source their cyber security measures. With all the news in 2014 regarding retail and financial hacking (unofficially dubbed “the year of the hack”), businesses are reaching deeper into their pockets to ensure that they are protected. Cyber security can now be reasonably described as a critical business function, given that the business risk of a breach is high and that no other threat (financial, competitive, regulatory) can exact so much punishment from a company relative to the ease of creating a breach.
The decision to in- or out-source Cyber Security is not just a financial one, but a business decision designed to best protect corporate data and should be supported by an analysis just like all major business decisions. The analysis should be supported not only by internal counsel (CTO/CIO, IT Director/Manager, Security) but also through outside cyber security experts that can bring an experienced, objective perspective to the decision making process. The analysis should focus on the following key factors:
- Corporate “Crown Jewels”: Identify the actual data that you should or are required to protect. What is the data on your system that, if divulged, would cause the business financial or regulatory pain? Do you store employee healthcare data? Sensitive email subjects, Intellectual Property? Classified or sensitive contracts with the government? All these data sets and more should be identified and their risk to the company analyzed as well as the cost to properly protect them.
- Current state of Cyber Security: Request a cyber-security gap analysis (also known as a risk assessment) to demonstrate the technological gaps that should be addressed to improve cyber security. Also, get an assessment of your corporate IT architecture, called a Vulnerability Scan, by an outside vendor, such as a trusted cyber security firm and / or a Managed Security Services Provider (MSSP). Do not allow your internal IT shop to conduct internal or external assessments: if they identify gaps or vulnerabilities, those may not be fully disclosed to management, and the shop may not be qualified to completely identify those gaps. Ask for an original copy of the report from the vendor. For a more thorough evaluation of gaps in current systems and threats against your networks, request a penetration test, in which your vendor will ethically hack your systems to uncover all risks.
- Estimating the Fallout of a Hack: Identify what the release of sensitive corporate data can do to the company and the cost of mitigating that damage. For example, intellectual property, trade secrets or critical process information can be apocalyptic if released, while disrespectful emails could cause minor pain. Other data, such as Protected Health Information (PHI) or Personally Identifiable Information (PII), can result in fines if released.
- Impact on Staff: Usually the IT staff controls cyber security for a company when it is insourced (though it should be separated, and that is a subject of another blog). What is the bandwidth of the IT shop – can they handle the additional load and the cost of purchasing the technology and human capital to analyze the data? Does this need to be monitored 24/7? Remember that technology needs to be licensed and updated, and that retention in the cyber security world is very low.
- Risk Transfer: What is the ability of the company to transfer cyber security risk? Conduct an analysis of insurance coverage (sometimes technical errors and omissions on corporate general liability insurance will suffice). The use of a third party vendor also provides some risk transfer in case of a breach as well as having legal counsel on retainer to respond.
- Cost/Benefit Analysis: This is where the rubber meets the road. Based on the information collected, identify cyber security courses of action that provide different levels of protection as well as business risk, and have that validated by an outside vendor. Evaluate a cost estimate for that analysis and identify those factors (impact of breach, cost, ease of implementation, etc.) that reflect the corporation’s concerns, in order to identify the area where cost, benefit and risk are comfortable to the company.
The decision to in- or out-source cyber security is dependent on the information available to the C-Suite, the cost of implementation and finally, the level of business risk that a company is comfortable with. Although a third party vendor offers cyber security solutions at more reasonable costs, there are reasons (IP, complexity, sensitivity) that some companies choose to in-source their cyber security. If that is the case, ensure that a cyber-security professional is involved in order to make an informed selection that is beneficial to the company and takes a long term approach to cyber security.