back to article I know what you're thinking: Outsource or in-source IT security? I've worked both sides, so here's my advice...

You’re a small or mid-sized business and have a growing sense of unease that you aren’t doing enough on cyber security. Must be all those headlines about ransomware infections and databases ransacked. Or – perhaps – you’re experiencing an upsurge in phishing attempts. Congratulations – you’ve woken up to something that a …

  1. Anonymous Coward
    Anonymous Coward

    As long as you don't offshore security

    Anon because my usual handle uses my surname and er, I'm in a role where the reasons why not to are copious and self evident.

    The problems with outsourcing are even more pronounced with offshoring but I'll take any chance I can get to kick that practice that's never about anything other than money.

    Infosec though. I guess. I could idealise it. The reality isn't as pat.

    1. HmmmYes

      Re: As long as you don't offshore security

      Well, at its base, business is about money.

      Saying outsurcing/offshoring is about money is not enough.

      However ....

      If you make a casr that outsourcing/offhsoring exposes the business to operational risk or, worse, large fianncial costs, then you are on the right line.

      Me peroanlly, utsorucing/offhsoring would need to save me a lot of money and cost save me 50% before Id consider it worthwhile.

      As it stands, each time Ie gone thru the initial figures, the saving from outsroucing have been pretty marginal - less than 20%. And the riskspretty high.

      Whne I've gone thru actual figures, Ive found the outsourcing of my kinda work is actually more expensive.

  2. tiggity Silver badge

    vicious circle

    "But what do you expect the outside specialist to do? Monthly firmware updates? Weekly failover tests? Monitor the logs and respond to certain types of activity?

    You need to be absolutely, 100 per cent specific in the wording of your contract what’s expected: if something’s not in there as part of the service, you have no right to expect them to do it."

    .. But a customer with low IT knowledge (& so most in need of getting some external help) could well lack the knowledge to specify what the third party service should cover, reliant on security firm walking customer through the service offerings (and truthfully! giving cost / benefits analysis of the options)

    1. GnuTzu

      Re: Vicious Circle -- Hierarchy

      I've seen IT security outsourced because a CIO didn't like the infosec team's complaining that certain PCI DSS security controls were missing or inadequate. That was a place that was too small to have a CISO, so the infosec team didn't have the clout to establish and enforce reasonable policy.

      I've also witnessed an IT manager bargaining with and browbeating PCI auditors, which I suspect is common--as under PCI there is a conflict of interest created by the requirement that a company gets to choose who they pay to audit them. And, if infosec is under the IT department, you can expect to see the infosec team seriously hamstringed by conflicting expenditure choices. So, hierarchy is also important.

      I personally am predicting that the insurance industry will eventually have a role in this, as insurance companies would surely have an interest in the selection of auditors for the companies they insure--and thus also have an interest in whether the infosec team has the clout needed to do their job. Unfortunately, it will take time and many successful class-action lawsuits before we'll see this.

  3. Pete 2 Silver badge

    One size does not fit all

    > You’re a small or mid-sized business.

    The problem is that the term SME is applied to all companies of 250 employees or fewer. That is a huge range. From a small accountancy outfit up to a decent-sized manufacturing operation. And the set of requirements changes accordingly.

    Most of those at the smaller end (for example: a garage, or shop) won't even have a full-time IT person. Even for the "large" SMBs such as those listed here with turnover (not profit) of £10million a year, a full time expert is out of the question.

    SMBs account for 99% of UK companies and employ about half the workforce. I would suggest that what they need is something far cheaper, more streamlined and integrated. Since most small businesses will have largely similar IT requirements: website, payroll, back office, sales, VAT, stock control / inventory - and largely similar hardware and software (either a cloud or server - PC, plus third-party software), there would be a ready market for something that simply "does" all their security for them. Whether that would fully automate the work or simply list out what the IT person/people should do, would depend.

    But I doubt many of the 5 million SMEs would be looking for a professional.

  4. Anonymous Coward
    Anonymous Coward

    Outsource but actually manage your outsourcer?

    You'd be surprised at the lack of dialogue and management clients of outsourcers actually bother with.

    They seem to believe that its genuinely possible to just let it all go and just write the cheques and moan about the service rather than building a proper relationship.

    You might have outsourced the bodies and the technical skills, but you need to stay on top of what is happening just like you would with your own employee team. Have a regular constructive dialogue, set expectations and demand results, tweak the direction.

    If you do this, then outsourcing can be effective.... if you don't.... well you will be taken to the cleaners.

    If your outsourcer isn't prepared to have a genuine relationship, kick them into the gutter and try another.

  5. Sixtysix
    IT Angle

    Came for enlightenment...

    ..left wanting.

    The "article" seem to mix up Enterpirse, SME, and SoHo terms, concerns, concepts and costs/wages at random, and the only point universal value was talking about the Cyber Essentials/Plus programme which is a reasonable starting point... but only to a point (I have issues with CE+ in an enterprise making rulings about how/what/when we should patch...).

    Knowing Cyber is an issue: great start.

    Making someone interal responsible: bare minimum.

    Getting a competent assessment: Contract it out unless you have lots of in-house cyber sec skills

    Fixing the holes you found: pick the best way you can afford

    Ongoing: Make *sure* it's being maintained - internal/external/mix doesn't matter, but do re-assess regularly.

  6. Anonymous Coward
    Anonymous Coward

    Security is always "Your" responsibility. Outsourcing only helps you accomplish that goal. There always need to be at least one person in every company assigned to own this mission. Accountability cannot be outsourced.

  7. Dabbb


    "Security professionals are expensive because they’re in short supply. "

    True. So let's save some money and hire instead those working for service providers, who

    1. based in some mostly undeveloped country.

    2. not good enough (yet) to move to developed country and became expensive professional.

    3. does not give a slightest damn about your problems if there's no ticket and won't do anything until last hour of SLA window to process that ticket.

    Good luck, you'll need it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Right

      Or hire a recruiting firm that:

      A) don't give a damn either

      B) have too high margins

      C) can't understand 99% of the CV's they are getting

      D) are trying to get high caliber professionals for monkey rates

      E) are destroying the market

      F) have no idea on what the client actually needs

      G) just copy/paste what the client thinks it requires to multiple job sites and then

      H: say they can't respond personally because of the overwhelming level of responses to the vacancy.

      And yes I'm posting this anonymously as this is what I'm seeing day-in and day-out as a highly trained security professional.

      1. Anonymous Coward
        Anonymous Coward

        Re: Right

        I have also been here and they want to use Magic wand and unicorn horn to fix it all.

        I was interviewed for a job like this and I asked loads of question and found out they lied to me just to get me to start, I left after 3 days

  8. JimC

    The big challenge is - well, catch 22

    By the time you have enough expertise in house to properly manage and monitor the outsourced contract you practically have an in house capability. But you can't divert the in house capability to other work, because if they don't stay active and current they won't retain current expertise.

    1. Drs. Andor Demarteau (ShamrockInfoSec)

      Re: The big challenge is - well, catch 22


      One line in this article graphically illustrates this above all:

      "Let’s take an example. You’re using Cisco ASA firewalls but you don’t have the skills to manage them, so you outsource the job. But what do you expect the outside specialist to do? Monthly firmware updates? Weekly failover tests? Monitor the logs and respond to certain types of activity?"

      1. JimC

        Re: One line in this article graphically illustrates this above all:

        Very much so. And this graphically illustrates the shady practices of the outsourcing industry.

        If you outsource something you want the outsourcer to provide a complete service, doing everything a fully competent in house team would do as and when it becomes necessary. But the outsourcer wants a strictly limited menu of tasks so they can price gouge you on so called extras which were omitted from the contract.

  9. ecofeco Silver badge

    Good article.

    See title.

    Well done and thanks.

  10. Mike 137 Silver badge

    Oh no you're not!

    "You are handing over ... responsibility for your data ... to an outsider."

    Whoever performs the physical actions on your databases or infrastructure, you'll find that in law you remain responsible for your data in pretty much every jurisdiction - e.g. under the GDPR your outsource becomes a data processor for you and can only act under your instructions.

    "Fire and forget" outsourcing is a commonplace based on complete failure to understand the nature of responsibility.

    1. Drs. Andor Demarteau (ShamrockInfoSec)

      Re: Oh no you're not!

      Totally correct, this goes for information security as well as data protection btw.

      Responsibility for a good service is with the outsourcer (processor in data protection), accountability firmly lies with the SME company themselves.

      And no, not even an insurance policy will lift this accountability burden.

  11. Drs. Andor Demarteau (ShamrockInfoSec)

    Handing over responsibility vs. good advice

    Whilst this article seems to focus on cyber security alone (hardware, networks, software etc.) it's missing the broader point on policies, procedures, standars, guidelines and the most important bit awareness and security culture.

    Companies can outsource some of the work fine, but setting up a security program takes more than managing a firewall ruleset or patching systems.

    Where a good mix between internal work and external expertise does have a large benefit is where you can draft in high quality advisory services that can help your business along but don't drain resources for years and years to come.

    And yes, you've guessed it, that's precisely what my business model is.

  12. Drs. Andor Demarteau (ShamrockInfoSec)

    Internal more expansive than external?

    This is one I have seen too many times, both when working internally as well as being outsourced to companies as well.

    Most of the times people compare your daily or hourly rate on a 1:1 basis with their salary levels.

    However, what usually is forgotten is the fact that on top of that salary there are all kinds of additional costs like pension funds, sick leave, holiday payments, buildings, IT facilities, phone costs, management overhead etc. etc.

    And in most freelance contracts, not to forget, travel costs.

    Account for all of these and divide them by the actually worked hours and the trade-off may be less of a problem than you may think.

    Actual worked hours is calculated by taking the maximum workable days, all weekdays in a year, where you subtract:

    - all "bank" holidays

    - all holiday hours given to internal employees

    - a percentage of sick leave prevalent for the company over a year calculated in working hours

    Take the salary plus all extra costs and divide it by the actual working hours and see what you get.

  13. Anonymous Coward
    Anonymous Coward

    Recently found a problem with outsourcing..

    I work in the NHS, I was asked to chat to one of our little local charities after they had a "cyber incident". Having gone through how they worked, mostly remotely and how their backup regime, anti-virus, remote sessions etc were handled I found the problem - a really bad IT support company.

    The charity were reliant on the support company to cover Infosec too and oddly enough they were "certified to 27001" which was true. Although the company were using this to imply that the charity were too which clearly wasn't the case.

    Basics were being missed, not because the charity didn't care but because they lacked the knowledge internally to ensure windows updates were being applied, Java was being updated etc. I don't blame the IT support company entirely, a lot of this is just the gap you have when there's nobody even vaguely IT savvy within a company who then outsources - gaps get bigger over time.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like