How to Decide Which Security Functions to Outsource and Which Ones to Keep In-House

These days it seems possible to outsource just about everything imaginable. No time to run errands? Can’t find a good dentist? Want your dog to get more exercise? You can easily outsource all those things.

But what about the security of your company’s IT functions and resources? Is it a good idea to outsource those? A lot of small and medium-sized businesses are asking that very question, especially as the number and severity of today’s cyber threats continues to grow. And as you might expect, there are no definitive rules to guide the decision-making process in this area. Just as no two companies are exactly alike, neither are their security needs.

That said, there are some considerations to take into account. Here’s a “checklist” to help you determine whether it’s better to buy or build your own solutions for preventing, detecting and responding to today’s attacks.

Let’s start with some basic qualifications. How many of the following baseline security measures do you already have in place?

• Firewall
• Anti-virus software
• Software patching policies
• Access control policies
• Logging and review procedures
• At least one or two dedicated security personnel

These six security measures are considered the absolute minimum for most small and medium-sized companies. So, if you’re not there yet, it’s probably wise to avoid outsourcing until you can check those boxes — and check them quickly. Why? Because you’ll likely need both key personnel and the necessary groundwork in place before you can establish a successful relationship with an outsourced security partner that can bring your security posture to where it should be.

Generally speaking, however, there are some security functions that make more sense to outsource than others. Here are a few examples:

Threat detection and response is a high-volume operation that’s pretty far removed from most IT teams’ core competency, making it a good candidate for outsourcing. Security information and event management (SIEM)-as-a-Service provides for subscription-based use of a SIEM that’s owned and maintained by a third party, while you take responsibility for driving it. Since cloud access lets you run the SIEM as if it were on-premises, many of the platform components become much more manageable. On the plus side, you’ll no longer have to worry about things like perpetual software license updates and staying up-to-date with threat intelligence, while you’ll still be the one who determines which threats fall within your risk tolerance, how they’re prioritized and analyzed, and how they’re remediated. However, you’ll still be responsible for finding, hiring, training and retaining skilled security experts, and making sure they remain effective over time and avoid threat fatigue, which can occur when there’s a constant barrage of alerts coming from multiple technologies. You’ll also need to make sure your processes for detecting, analyzing, prioritizing and remediating threats are comprehensive, documented and — if possible — certified.

At the same time, a growing number of businesses have learned that the job of establishing, staffing and maintaining a reliable security operations center (SOC) can be overwhelming. And that’s proving to be especially true among those organizations strapped for resources. Instead, many of them are deciding to take advantage of SOC-as-a-Service offerings to ensure their networks are being monitored by an outside team of security specialists on a full-time basis. Alternatively, a co-managed SOC lets you combine your internal staff — and your organization-specific goals and tolerances — with an outsourced SOC team that delivers all the essential security monitoring technologies, including SIEM, on a single platform. It’s a SOC that's managed jointly by you and the outsourced team.

Vulnerability Management: The job of finding and resolving critical flaws in your network and endpoints is a great one to hand off, especially because it often takes a higher level of knowledge and skills to do the job than you’re likely to have in-house. An outside partner can also help take advantage of the synergies of combining a SIEM and endpoint detection and response (EDR) solution.

Application Security: Now that DevSecOps is transforming the application development process to a state where it’s continuously driving releases (as many as 400 per year), we’re seeing changes on a more incremental and continuous level. It would be both difficult and impractical for an in-house security team to keep pace.

Several experts also recommend that you outsource forensics, litigation, and identity governance.

Of course, there are also a few security tasks that experts say you probably shouldn’t outsource. For example, while it makes sense to consult outside resources for incident response, you probably don’t want to fully outsource breach remediation. That’s because it’s impractical for outside resources to have the same knowledge and familiarity with your business as your own staff. Although it can be a good idea to consult with outside experts where business risk, security strategy and policy are concerned. After all, those are things you need to handle internally.

You can learn more about the real requirements for a SOC and discover the most practical way to get the targeted, tailored advanced threat protection you need without breaking the bank here.

Aaron Branson is the vice president of Netsurion, a company that provides enterprise-strength managed network security, SIEM solutions, and compliance support monitored 24/7/365 for merchants.