The Decision to Build or Buy a Cyber Security Capability

September 17, 2018

This is part 2 of a series to teach small-to-mid-sized organizations how to navigate the complex world of cyber security and how to budget, plan for, and implement a cyber security program. This series will give you the tools to make the decisions needed to protect your reputation and your ability to do what you do best – whether it’s treating patients, helping customers achieve their financial goals, running a state agency, county or city, educating children, or running any other business. We will take you through the process of deciding whether you do it yourself or hire a service provider to handle it for you. We know this is daunting, but we’re here to help you navigate through the process using plain English. And do you want to know something? It can be done so that the cost is within the financial reach of most small-to-mid-sized organizations just like yours.

Hi again, everyone! I know it’s been quite a while since I’ve posted about this topic. I’m going to admit that the reason for this is I took some time off this summer to unplug and do some travel. You can see a couple of pictures from that vacation on Instagram here and here. Then it was time to buckle down and go back to school for a one-week certificate program at the Tuck School of Business at Dartmouth. You can see an Instagram picture of me with my classmates here. Hey, ya gotta feed the ‘Gram if you want to be an influencer! 🙄

While it was wonderful to take a break, I definitely missed blogging about cyber security! So now let’s talk about Part 2: the data points you should consider when deciding whether to build a cyber security capability in-house or outsource it.

Inevitably, as we’re discussing the cyber security landscape of the 21st century, I’m asked a variation of one of the following two questions:

  • “My IT people tell me that they’re doing the best they can on cyber security, but they need help because they can’t do it all. Where should I start?” or
  • “My IT people tell me that we’re covered on cyber security, but I’m not so sure they can do it all. Where should I start?”

It’s a legitimate question because cyber security is viewed by non-practitioners as lying somewhere between reading Latin and getting a Ph.D. in Romance languages. So, here’s what executives need to know about buying cyber security services, both when they’re talking with their IT folks and when they’re talking with potential service providers. And no, it’s not learning ancient Phoenician.

Fundamentally, cyber security is the function of an organization that provides checks and balances for the protection of data and systems. It is more than hardware and software. Organizations that focus on finding a magic technical solution, like buying the next greatest firewall or antivirus software, without a policy framework, employee training (including at the executive and governance levels), and a risk management process are missing the boat and are still at great risk for a data breach.

Think of it this way: when you want your organization to be more secure, you are essentially buying a capability. This capability is much like your company’s accounting function in that it handles very sensitive tasks (payroll, general ledger, etc.). However, your company’s accounting function also has processes that ensure checks and balances are in place to prevent or detect fraud. It does, right?

Sometimes these functions are performed internally, but many times people seek the help of external companies to perform these tasks (audits or an outside CPA firm to do month-end close and reconciliation, for example). From a cyber security perspective, it makes the most sense to seek outside assistance when your organization:

  1. Does not have the resources to develop the cyber security capability internally;
  2. Does not have the time available to hire, develop, and manage a cyber security specialist and needs to implement this capability quickly; or
  3. Does not want/need to take on the expense of full-time cyber security positions.

Usually Option 3 is the reason that most people utilize outside firms for assistance because the economics are compelling.

According to Salary.com, median annual base pay for an experienced cyber security manager (5+ years of experience as an individual contributor plus 1-3 years of supervisory experience) nationwide across all industries is $116,932. Add a median fringe cost of $40,087 on top of that and you’re looking at some big dollars. Unfortunately, it’s not going to get better anytime soon.

According to ISC2 (a leading professional organization for cyber security practitioners), the cyber security workforce gap is on pace to hit 1.8 million by 2022 – a 20% increase since 2015.[1] With the increase in demand for trained professionals, the price for on-staff personnel will continue to rise and put the cost of these positions out of reach for most small-to-mid-sized organizations.

A managed services offering such as Assura’s Virtual ISO™ can be the right solution if you want an outside partner organization to:

  • Take on all or part of developing and implementing the Program;
  • Manage the tools or technical activities needed to secure the organization;
  • Provide all or some of the security professionals to augment your information technology team;
  • Handle the hiring, management and career development of information security resources so you don’t have to; and
  • Lower the cost of program implementation and management.

Building an in-house capability is right for organizations that have enough security and compliance work to keep one or more FTEs busy. Examples of organizations like this include:

  • Community banks with >$5B in assets
  • Hospital systems
  • Businesses with >$50M in annual revenue and subject to cyber security regulations such as HIPAA and PCI DSS
  • Non-K12 public sector organizations with base operating budgets of $100M or more
  • K12 organizations with base operating budgets of >$250M

You do not want to hire someone who is responsible for security but who you think can also help augment your IT help desk. There are two reasons for this:

  1. Any cyber security practitioner worth their salt is going to want to focus on just that: cyber security. It would be like asking a cardiologist to administer flu shots — it’s not beneath them, it’s just not maximizing their value.
  2. Those help desk tickets will always take priority over building and operating the cyber security program. The result is that you’ll have a highly compensated resource (or resources) not able to do what you hired them to do.

The net result is that you’ll have dissatisfied employees and they’re likely to leave. Remember, it’s a seller’s market for cyber security talent.

There are also hybrid models that can work well. For instance, the daily monitoring of your systems is a very common activity to outsource. So too are things like penetration tests. This is a great way to leverage in-house talent for the strategic-value governance, risk, and compliance aspects of a program and have other specialized work done by talented specialists who have an economy of scale that makes their services much more friendly to the wallet.

No matter where you are in the purchasing process, it is easy to get overwhelmed with all of the options. Just remember that every activity you do to secure your organization makes you more secure than you were before. At the end of the day, cyber security is an ongoing function of an organization, and you will get there with time and effort. Give yourself a break!

[1] https://www.isc2.org/News-and-Events/Press-Room/Posts/2017/06/07/2017-06-07-Workforce-Shortage