


There is no substitution for in-house security professionals

Nov 25, 2014 | 4 min read
Data and Information Security, Data Breach, IT Leadership

It's not about adequate versus inadequate cyber security professionals

This post is not about adequate versus inadequate cyber security professionals. Instead, it’s an argument for how critical it is to employ full-time in-house cyber security professionals who are dedicated to the constant needs of one organization, versus outsourcing cyber security to a third-party managed security service provider (MSSP) and/or consulting organization.

I have always been of the opinion that if one wants to gauge an organization’s dedication to the protection of information, they should be asking how many full-time employees on the payroll are dedicated to cyber security.

If the answer is none, or if the employees are part-time and have other IT responsibilities, they should look critically at the additional information that this organization provides. This is particularly important for organizations that are highly regulated and/or are common targets of cyber criminals.

In a recent debate that I had with other industry leaders regarding this topic, some argued that their organization could effectively outsource the cyber security function.

As those in IT are more than aware, anything can be outsourced. But we really have to start asking ourselves how effective that would be for such a critical function, one tasked with protecting the organization’s information. Do you really want to leave that with an outsider?

I have been in this business for over two decades and have worked on both sides of the fence. I know firsthand that there is absolutely no substitute for sitting day in, and day out, with the other functions of an IT organization.

The limitation of a third-party consultant is not knowing, or at least not having in-depth knowledge of, your “unique” and “customized” systems, network, applications, and, most importantly, the culture.

Even if a third-party dedicates a resource to the organization and they come in on a periodic basis, it just isn’t as effective as having someone there dedicated to the organization, someone who has skin in the game.

This is primarily due to the ever-changing, fluid nature of technology and the staggering number of changes that take place within an organization on a daily basis, whether they concern technology or the general direction of IT.

Where the argument for in-house dedicated professionals really pays off is where it counts the most, and that is in the event of an actual breach. In-house professionals are on call and ready to respond in a moment’s notice should something occur.

However, most importantly, the in-house staff already understands the environment, the firewalls, switches, and everything about the architecture that’s necessary to quickly and effectively minimize damage to the company. They are always on and are constantly monitoring your systems for suspicious activity.

Often the difference between a breach and compromise (which can and should be mutually independent of one another) is how quickly and effectively you are able to detect, mitigate, and communicate what is happening. This is absolutely dependent on real-time zero-day knowledge of your technology environment. Now is not the time for a learning curve!

I want to be clear that I am in no way saying that there is not a role for external security help in building an effective cyber security program or responding to incidents.

As a matter of fact, it is imperative that you augment your program with specialists who provide specialized tools, extensive knowledge, different perspectives (fresh eyes often provide extreme value), and expertise they have gained working with a variety of companies, especially in areas such as threat intelligence, incident response, and validation testing, to name just a few examples.

So let’s stop fooling ourselves and take this epidemic of cyber crime seriously. Today, security is a cost of doing business, and we cannot effectively protect our organizations from the advanced capabilities of the criminals with just technology controls and consultants.

Contribute to the advancement of the cyber security profession and entrust your program to someone who is going to be thinking about your organization’s, and only your organization’s, security when they wake up in the morning, throughout the day, and when they go to sleep at night, because you can guarantee that the bad guys are. Invest in the people: it’s important to have a team dedicated to security in order to achieve a much-reduced risk posture for your organization.


Scott M. Angelo is K&L Gates' global chief information officer responsible for strategic technology planning and direction, architecture, operations, business resilience, and cyber security.

Scott is a global IT executive with 26 years of experience in the design, implementation, and transformation of enterprise-wide information technology and risk management programs. He has extensive experience addressing complex data privacy and regulatory compliance issues in high transactional business environments.

Scott previously served as corporate vice president and chief information officer for Diebold, Incorporated where he formerly served as vice president and chief security officer. Scott held other senior technology management positions with Ernst & Young LLP, the Defense Advanced Research Projects Agency (DARPA), the National Aeronautics and Space Administration (NASA) Special Programs Office and McDonnell Douglas Corporation. He served as a military intelligence officer in the U.S. Army Reserve from 1986 through 2001.

The opinions expressed in this blog are those of Scott Angelo and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.