In today's climate, every company needs to worry about cybersecurity. Even small businesses can be targeted. 43% of all data breaches involve small to medium-sized businesses and 40% of the small businesses that faced a severe attack experienced at least eight hours of complete downtime. You have to assume that your company will be a target, regardless of size or industry.
New and small companies often cannot afford to hire a full cybersecurity team, but they can take steps from the start to keep security front of mind.
One of those steps is to hire a Chief Information Security Officer as soon as possible. Admittedly, this can be a "hat" worn by a CIO or similar, but you need somebody whose task it is to ensure that security is built into your business from the ground up.
So, when should you hire a full team?
When Should You Hire Your Team?
Carnegie recommends that 3 to 6 of every 100 IT staff are information security experts. The obvious answer, then, is "as soon as you have an IT department." Make sure that one of the first people you hire for IT has information security experience. You do have the alternative of using outsourcing, but it's still a good idea to make sure that you have at least one person on your in-house team who knows at least the basics.
Unfortunately, there is often a shortage of good cybersecurity personnel. The growing need for that expertise means that the workforce is likely to remain short in the future. This is another point in favor of outsourcing: you also outsource the job of finding these people.
The other answer is "When your IT team can't handle it anymore." That is to say, if you hire an IT team with some cybersecurity knowledge, the time to get an actual information security team in place is when they are spending so much time on security issues that they don't have time for anything else. This is a clear sign that you need to do something.
Should You Keep Things In-House or Outsource?
The biggest question you need to ask yourself is whether you need to keep things in-house or whether you should outsource to a security vendor. The answer to this question depends a lot on the size of your company, your budget, and your security needs.
Building an in-house team might be better for your peace of mind, but it comes with a lot of expenses. However, your in-house team is possibly more aligned with your culture and you can ensure everyone is a good fit.
Pros of an In-House Team
There are advantages to keeping your security in house, and here are some of them:
An in-house team, made up of people you have carefully chosen and trained in your organizational norms, will naturally better support your overall company culture. This option keeps your security team well-aligned with your company's vision and mission. For some niche companies that have very specific values, keeping as much as possible in-house can be a good way to ensure that those values are sustained.
Improved Control Over Personnel
Security vendors often expect you to stick to a contract. And they may not allow you to remove somebody from your team who is performing poorly or not meeting your goals. In the worst case scenario, you could be bound to a contract you can no longer afford or obliged to continue to work with an individual (or even entire company) that doesn't match your ethics. Always make sure you read the termination clause in your contract.
Meanwhile, you can always control hiring, firing, and discipline of internal staff. If you happen to live in an "at will" state you can fire people as you see fit. More importantly, you have the full ability to talk to staff members, to give bonuses and commendations as wanted, and to hire the people you need. Your staffing decisions remain yours.
Because your team is on site (or at least on your network), controlling day-to-day operations and focused entirely on you and your environment, communication speed is generally considerably higher with an in-house team. You may get a faster response, and you can completely control the communication methods you use, rather than having to compromise with a vendor.
Understanding of Niche Needs
A cybersecurity vendor will understand a lot about cybersecurity, but they may not understand all of the ins and outs of your industry, particularly if you are in a niche.
Vendors tend to focus their attention on larger industries or those with specific, known needs and compliance issues, such as finance and healthcare. It can sometimes be a challenge to find a vendor who can handle things if you are in a field that is less well known.
So, there are advantages to keeping things in house, but there are also significant advantages to outsourcing.
Pros of Outsourcing
Outsourcing cybersecurity is particularly valuable for small companies that can't yet afford (or need) a large IT department. There are a number of solid advantages to choosing this route.
A single security analyst costs between $53,000 and $116,000 a year. If you keep things in-house, then you are on the hook for the full-time salary of your analysts, as well as their benefits, bonuses, paid time off, etc. Salary can be a huge part of your costs.
When you work with a vendor, you pay only for the time their employees are spending on your contract. This allows greater coverage and an improved spread of expertise for a much lower cost.
Cybersecurity requires 24/7 coverage. Even with modern automation tools, somebody has to be on duty all the time and able to react to a breach. While some of this can be handled by having people "on call," your team needs to be large enough to provide full coverage without overworking your people. The last thing you need is for your information security team to start making mistakes because they are tired.
Furthermore, your analysts may get sick or need a vacation, and then you have to bring in extra coverage or delegate duties. You might have to take steps such as vacation blackouts or asking people not to take time off at the same time, which can reduce morale.
With a vendor, they are responsible for ensuring you always get that 24/7 coverage. They can shift personnel around as needed to cover for people being out and have people who routinely work the "anti-social" shifts.
9-5 employees are only watching your network 23.8% of the time, and that is not enough.
You can take all the steps you want to prevent employees from leaving, but life will eventually happen. A small in-house team is particularly vulnerable to turnover. Even one member leaving can cause major headaches and can potentially leave a large vulnerability open. Because your small team probably only has one person in each specialty, a departure can leave a hole which might take months to fill.
When you outsource, the headaches related to turnover are outsourced as well. It is your vendor who deals with hiring and retention. (Pro tip: When choosing a vendor, find out how long people have been there. Low turnover in a vendor indicates they treat their staff well, and that's a good thing for everyone.)
Admit it. When there's an IT issue, you call IT and somebody does something. Sometimes that somebody might be a member of your security team. They're not doing anything but monitoring, so they might as well help.
This means they're turning their back on security. With a smaller team this might even be a "feature." You can't hire all the specialists you need, so you hire generalists and expect them to do everything. In fact, 52% of small businesses don't have an IT security expert in-house, and some of them are no doubt expecting IT generalists to do the job.
A cybersecurity vendor just does security. The people they will assign to your team will be specialists who love doing cybersecurity and focus entirely on it.
Not only will a cybersecurity vendor know exactly what software and tools to use, but they will have all of their people properly trained in how to use them.
Your in-house team might not know how to use the tools you give them right away, resulting in lost productivity. You need your team to be able to use the tools to their full extent. For example, if you use SIEM tools, you need certified experts. Vendors can also often get you a better price on the software you need, because they can leverage economies of scale.
On top of that, your vendor will already have licenses for these tools, which removes another cost for you.
Expert Analysis and Evaluation
Do you even know where your security problems are? Another advantage to hiring an experienced cybersecurity provider is that they can start by doing a full evaluation of your existing security protocols. They can assess software, hardware, physical security, and your training and policies.
This expert evaluation will tell you what you need to do to create a more secure environment, which they can then work with you on doing. They can help you find issues such as cloud-based assets that are not being monitored, holes in your cyber hygiene training, or legacy software with back doors in it.
Knowing where to start can help you improve and optimize your information security so that it becomes as tight as possible.
Up-to-Date Knowledge of Issues
Do you know what other companies are experiencing? It takes time to keep up with the news and issues that might affect you, such as a new exploit in one of the tools you use.
It is part of an information security provider's job to stay absolutely on top of what is changing in cybersecurity, across multiple industries. If there is a zero-day exploit, they will know about it. If there is a new ransomware version circulating, they will be keeping an eye on it and watching for the development of decryption tools (or even helping).
You can rely on the vendor to keep up with these things and there is no need for your in-house team to worry about them. Service providers often have a more accurate idea of what the threats are than business owners.
IT Doesn't Have to Worry About Security
Last, but not least, outsourcing security, especially security monitoring, can free your IT team up to provide support to end users, improve the software you use, etc. For this reason, some companies choose to outsource just security monitoring so that they have 24/7 coverage and have a tedious task taken away from in-house staff.
It also means everyone spends less time worrying about a data breach and more time doing their job.
Overall, as you can see, most companies are better off outsourcing cybersecurity to a reputable vendor. There are a few exceptions, such as niche industries. Larger companies may find that they need enough full-time people to warrant having an in-house team. But most small to medium-sized businesses gain a lot from outsourcing all or part of their security.
The Vendor Helps Support Compliance
The hardware and software side of compliance with privacy and other regulations can be a tangled mess. A good cybersecurity vendor will work with you to ensure you comply with all of the rules for your industry, including HIPAA and such things as the GDPR (for people doing business in the EU). This means you only have to worry about the policy side, taking away a major compliance burden.
While you remain responsible for your own compliance issues, a good vendor will ensure that your information security systems meet the best practices recommended to remain fully compliant.
Choosing a Good Cybersecurity Provider
If you have decided that you are going to outsource cybersecurity, you need to choose the right provider. This can be a challenge of its own, but here are a few things to consider:
Experience in Your Industry
Different industries have different security and compliance needs. Make sure that the vendor you choose has solid experience working with clients in your industry or a very similar one. Make sure they know your compliance needs, such as if you are handling financial transactions and have to worry about PCI-DSS.
Even better, do they have experience with and understanding of the software and hardware you use? This is also often industry specific. What are their protocols if you are using something niche they aren't familiar with?
The Right Company Culture
Your IT team will need to work very closely with this vendor. Do everything you can to make sure that you and they have compatible company cultures and that they share similar values.
Being able to get on with and work with your vendor is as important as their level of competence in many ways, especially as you are trusting them with your vital data and systems. You need to be comfortable with your vendor and with the personnel they assign to you.
Are They Security Specialists?
Is the vendor you are looking at one which focuses on cybersecurity, or do they offer it as one of a wide range of other services? If the latter, then you are going to have some of the same issues as you have with a small in-house team. A service provider that offers a lot of things is likely hiring people who can handle a lot of things, rather than the specialists you want.
You can defeat a good part of the point of outsourcing by outsourcing to people who are no more focused on security than your own team.
Furthermore, make sure that they and/or their staff have key certifications. Check for CCSP and similar qualifications, and make sure everyone has qualifications. You want the people who are touching your network to be trained and vetted.
Are You Happy With the Contract?
Even if you're paying month-to-month, make sure that you are happy with the termination clause in the contract. If you discover after signing the contract that these are not people you want to work with, you need to be able to get out.
Furthermore, a termination clause that seems to be written to trap you into the contract is a red flag. A company that wants to make sure you can't leave may not be doing all it can to ensure that you don't want to leave. That is to say, a heavily binding contract may indicate subpar performance or high client turnover.
Also, make sure that the contract clearly lays out the services to be provided and doesn't leave any room for non-negotiated "scope creep," where a vendor starts doing more and handing you the bill without checking first.
Do They Have a Good Reputation?
Due to the high level of confidentiality, you may not be able to get traditional references. But you should be able to establish whether the company has a good reputation.
Particularly look at any cases where one of their clients did have a breach. (If they claim their clients never have problems, walk away. No company, no matter how good, has a perfect record.) How did they handle it? How long was the downtime? What do they do about ransomware?
Don't be afraid to ask tough questions when evaluating a vendor. A good one will acknowledge that they have had incidents, but also be able to explain how they got their client out of the situation.
Do They Have Compliance Specialists?
Most small businesses can't afford a full-time compliance specialist. A good cybersecurity vendor will have at least one, likely a small team. These people help make sure that the vendor, and by extension their clients, are compliant and up-to-date on best practices. Compliance failures can result in hefty fines and potentially lawsuits.
Make sure your vendor understands the compliance issues in your industry and has the staff to work with you to ensure that everyone remains compliant.
How, and How Often, Do They Communicate With Clients?
Ask your prospective provider how they communicate with clients if monitoring shows an issue that they can't instantly resolve. Ask how often they talk to you.
A good provider understands that this is a partnership and will keep the lines of communication solidly open. While in-house communication is always likely to be slightly faster, the right provider can keep communication seamless. Make sure that your preferred lines of communication are compatible, that you are on the same page about routine meetings, etc.
Do They Provide the Level of Service Right for You and Your Budget?
Lastly, make sure that the vendor you choose provides the right level of service. Not everyone wants to outsource the same aspects of cybersecurity, or to the same degree. Are you looking to replace an in-house cybersecurity team or to complement one? Are you primarily looking for after-hours coverage, or do you want them to handle all of the monitoring?
All of this also ties in with your budget. While you should avoid the cheapest provider, which is likely cheap for a reason, you still need to balance your budget and your needs.
The answer to when you should hire a cybersecurity team is a little bit complicated. It boils down to "as soon as feasible," or at least when your IT people are spending too much time on security. However, for many companies, this is before they can afford an in-house cybersecurity team.
For those companies, outsourcing is the answer. But for many other reasons, including cost, coverage, expertise, and access to high-quality tools, outsourcing suits many more organizations as well.
You need to make the right decision for your company on how best to build your security team and whether to have it be in-house, entirely outsourced, or a mix of the two. However, outsourcing, at least partially, is typically the best option.