The demand is incredibly high. The talent pool is troublingly small. Hiring cybersecurity specialists is not for the faint of heart.
For government organizations, developing in-house resources is challenging without the bonus structure, culture and perks of private industry to lure top candidates. A near-term solution is to team up with those private industry partners who already have the talent resources while developing expertise within as a longer goal.
Here’s when to outsource for cybersecurity:
- If your organization is considered high-risk.
- If you’ve had a significant cyberattack.
- If you don’t have any IT security pros on your payroll.
- If you want to upskill in-house IT staff or developing cyber personnel.
- If you are aware of outstanding security gaps.
Large and small organizations can successfully outsource their IT security. For a primer on how to make it work, they need only to look to the business world. Many of the largest, multi-national companies have outsourced some or all of their IT security processes to third parties. They know that the specialized and high-level knowledge, and innovative solutions, needed to respond to a rapidly evolving threat landscape don’t have to be built from scratch.
Does outsourcing make sense for your organization? Consider:
- Outsourcing gives you immediate access to talent with mature skills and field experience. Firms that specialize in the most sophisticated cybercrime-fighting solutions maintain a cadre of experts who are afforded the time and resources needed to keep their skills on the cutting edge, to experiment with ideas not tied to a specific problem or solution, and to protect against burnout. Additionally, the cybersecurity field encompasses subdomains such as malware analysis, penetration testing, code review, forensics, threat intelligence, risk assessment, compliance, cryptography, network monitoring and incident response. Each of those specialties requires understanding other domains, from software development to information architecture, and data visualization to cyber law, as well as knowledge in other fields including geopolitics, economics, counterterrorism and behavioral psychology.
- Outsourced teams can focus on just one aspect of cybersecurity or all of it. The scope of outsourced security help can be as broad or narrow as your organization needs. Outsourcing can provide the time your internal staff need for training, reduce risks from spreading staff too thin, or get initiatives started and then transition over to internal staff. Understanding and sharing your specific needs can help you select the right cybersecurity service partner. Many will even provide an assessment or score card to establish a common baseline with clients.
- You’ll have to spend to save. Hiring and maintaining in-house cyber talent is costly. Outsourcing provides access to top expertise, as well as niche specialty services, without incurring the costs associated with hiring, training, and housing in-house teams. Cybersecurity specialists now average over $110,000 a year, so building a staff represents a significant investment in addition to the specialized support that nearly all organizations require. True savings can only be realized by upskilling existing staff or hiring less experienced talent and providing them the time and support needed to grow into their role.
- Don’t discount the value of flexibility and scalability. Outsourcing support provides the flexibility of having talent on an as-needed basis – and being able to scale up for additional “boots on the ground” in response to a threat. Having a layer of support will provide peace of mind while developing your internal resources.
- We’ve all got to keep one eye on the future. Cybersecurity never stops. To stay ahead of threats, it’s vital to apply new technologies and solutions that anticipate future needs as well as those the address current needs. Few organizations have the budgets to allow for ground-breaking cybersecurity solutions to be developed in-house on a continual basis. Outsourcing firms do, and can shoulder development costs by selling or sharing new technology with many clients.
Outsourcing may seem like a better solution than developing internal resources. But if applied long-term, outsourcing will fail to solve the root problem: the sector needs to have cyber expertise itself. Therefore, the solution requires a hybrid approach that combines heavy outsourcing and hiring now, and a transition to either dedicated internal resources or shared federal resources over time.
The public sector has made huge headway in the last decade in terms of hiring IT and cybersecurity professionals to provide strong leadership. However, organizations wanting to hire their own staff to implement policies and controls are faced with the same roadblock as the private sector—a lack of skilled applicants. As we wait for upskilling to backfill the need, outsourced support serves as an effective blueprint for future plans.
Edward Tuorinsky, Managing Principal at DTS, a government consultant business, is a service-disabled veteran who brings nearly two decades of experience to DTS in the areas of leadership, management consulting and information technology services.