Of course...the concept of outsourcing "due diligence" or "external supervision" is nothing new to a company. CEO's are being supervised by a board of independent directors. Financials are being compiled and analysed by independent auditors. A lot of companies are externally supervised by a regulatory organization.
As such the concept of hiring an outside party to develop and implement a coherent cyber security strategy should be appealing.
To gain a better understanding why companies should consider outsourcing their Cyber Security strategy it is helpful to review what a good security strategy encompasses.
Cyber security means a lot of different things. Most commonly though it is understood that the following areas fall into the category:
- Application Security Testing
- Vulnerability Management
- Secure Web Gateway Services
- Secure Email Services
- End Point Protection
- Employee Code Of Conduct Testing and Training
The challenge faced by corporations is that cyber security is a highly specialized skill set. It also requires a constant need to stay up to date with the latest technologies.
These skills are not easy to come by and as any hiring manager knows...finding the requisite skill sets at the right price is exceedingly difficult.
Just from a pure cost perspective it might seem attractive to outsource the service.
More importantly though, apart from the cost, qualification and knowledge issue there is another key point why Cyber Security should be outsourced.
Any time cyber security is done In-House companies risk that they effectively put the fox in charge to guard the hen house.
A key component of a good cyber security team is that they look for vulnerabilities and weaknesses in areas the existing IT team has no idea such weakness exist. Turning over rocks which hadn't been turned over before is what yields the best preemptive security review.
In House staff might simply not realize that a vulnerability exists until an outside party succeeds in exposing it.
The expertise and depth of knowledge an outsourced cyber team should have will yield much better results in a shorter period of time.