Security: In-house or Outsource?

Written by Matthew Wheeler | March 26, 2015

Security has always been a great interest of mine, and I thoroughly enjoy talking to security professionals, from Junior BAs through to VPs and Heads of Practice, about their opinions on the market, trends and perceptions, both from an industry and a consultative viewpoint.

One of the questions I’ve recently been discussing with both clients and candidates is whether Security will be something that companies keep and grow in-house or whether they will outsource it.

The initial answer most come to is that companies should indeed keep it in-house. Securing your IP, content or data is paramount to all companies, irrespective of the industry they work in. Attacks are increasing and all data has a value on the black market, so having people within your company managing this data does indeed make sense.

So why should a company consider outsourcing their first, second or even third line of defence to a third party?

It would appear to come down to cost.

Building a proficient Security team is not cheap. Looking at even a simple list of “to-dos”, the figures start in the hundreds of thousands of pounds, even for an SME. Add up not only the purchase cost of the technology but also the resources required to implement, maintain and manage it, plus the time invested in doing this by different areas of the business, and the costs can soon spiral out of control.

When a CTO/CISO looks to implement or increase their Security capability, the business justification for doing it is clear and obvious in most instances. The next question is the cost over benefit, and this is where CFOs expect precise costs and outlays. The challenge with this is that the security environment is evolving so quickly that threats identified today are very likely to change within a matter of months, if not weeks. This means that additional technology or skills are required by the business to keep up, let alone future-proof (if that’s even possible in today’s “internet connected” world). Surely it would make sense to consider one of the MSSP services, where costs can at least be controlled to an extent?

The challenge is that a company should, or rather needs to, keep as much control of the Security layers as possible within the business from a liability perspective. No matter what assurances an MSSP or outsourcing company can provide, the markets, consumers and clients of the company will still look to that company’s Directors for assurance that their information and data are secure.

So where is the “happy” medium? Can it be found? 

For what it’s worth, I think companies will build a core Security team in-house (CISO and key management team). They have to, just from an ownership perspective. However, much of the technology services and maintenance could be outsourced. From a cost standpoint it would make far more financial sense, and from a corporate standpoint it would allow a high level of control and monitoring with the internal Security team.

Thanks for taking the time to read my blog. If you would like to find out more, please contact Matt Wheeler on matthew.wheeler@bps-world.com or 01628 857333.