The cybersecurity talent shortage is something that we repeatedly hear about and see firsthand in our consulting work. According to some sources, there are currently up to 200,000 unfilled security positions in the United States and an estimated one million open positions globally. By 2019, experts say there could be 1.5 million unfilled cybersecurity jobs.
Given this scarcity in the cybersecurity market, combined with the daunting task of staffing a diversely skilled security team, a prudent question is which security functions can be effectively outsourced for the short-, medium-, or long-term.
Below are five of the most logical security areas to outsource. All of the following are areas that require minimal business context to gain consistent and effective results.
1. Security Monitoring
Many organizations lack the budget or bandwidth to set up their own security operations center to handle comprehensive monitoring and alerting services. Even large organizations with security teams in the double digits are often tackling other high-priority staffing and transformation projects that put dedicated security monitoring on the back burner. Fortunately, security monitoring services are one of the commonly provided services by a managed security services provider (MSSP). There is an MSSP for just about every size and budget, but you get what you pay for. The onus falls on you as the customer to define what you need and to hold your provider accountable.
2. Incident Response
If you have security monitoring up and running, whether in-house or outsourced, the next thing to think about is what you will do in the case of a real security incident. Your company can do a lot of preparation itself, such as lining up the right people internally to triage a security incident and to communicate about it both internally and externally. Even so, it can be challenging to have the right on-demand expertise at your fingertips when you are in the thick of an incident. This is why establishing a relationship (either on retainer or simply by going through a selection process in advance) with a firm that specializes in incident response and forensics is a shrewd move.
3. Security Testing
If you have teams who do custom development (i.e., for a product or service you provide to customers), security testing is both a best practice and often a requirement for customer contractual agreements and compliance frameworks. There are several types of security testing you should (if you can) do internally, including static code analysis and regular vulnerability scanning. But even if you have security-savvy developers and an internal team to run these tools, there is no replacement for the objectivity and expertise that an external firm can provide for network penetration testing (both internal and external), application security testing and product security testing. Many of your compliance and contractual obligations will even require that you have an external party conduct these tests, so establishing a relationship with one or more trusted firms for these specialized services is an outsourcing no-brainer.
4. Third-Party Assessments
Whether the third party in question is a vendor whose services you will use, another entity you are hoping to acquire or even a partner you will somehow connect with, third-party security assessments are another common compliance and contractual requirement. It can be easy to see these assessments as a “check the box and move on with it” type of task, but they are an opportunity to identify the real risks these third parties pose to your organization. Third-party assessments are ideal candidates for outsourcing because it can be difficult to predict when they are going to occur, and therefore they may cause unwanted impact to your security team’s daily operations. Also, as long as you have a predefined framework and desired reporting outcomes, less business context is required to discover valuable findings and security risks.
5. Security Training
Security training takes a variety of forms, and there are several products on the market that provide off-the-shelf security awareness content for your organization’s customization. However, targeted training for specialized functions (such as secure development) is a prime opportunity to leverage external expertise. With minimal input from your internal teams – on issues like identifying coding languages and typical vulnerabilities discovered in past penetration tests – a specialized training provider can deliver customized training to your developers about how to write more secure code and how to introduce less risk into your products.
While your company may shy away from permanently outsourcing certain functions of your security program, sometimes the best option is to lean on a knowledgeable outside expert in an interim or long-term capacity.