The pace of change in information technology is now impacting on businesses of all sizes. IT consulting professionals are being brought in to help with all manner of issues from helping to set up hybrid in-house and cloud architectures to choosing whether AWS or Azure is the better fit for cloud service provision.
Many CIOs worry about the security implications of this rapid evolution. As a result, Managed Service Providers (MSPs) are commonly replacing the in-house security team for businesses of all sizes but not all business owners are convinced.
In most cases, outsourcing security is going to be the smart option but there are advantages and disadvantages to both in-house and outsourced InfoSec provision.
Keeping InfoSec in-house: The Benefits
- Controlling costs: A business will often have been paying the same employees the same salaries for many years and the budget will be fully costed. If they have an experienced and reliable employee in charge of InfoSec they might not see the need to change.
- Physical point of contact. If anything goes wrong, they know exactly who to go to. There's no calling a remote number and hoping someone is on the other end.
- System familiarity. No one knows their IT systems better than their in-house IT support team. If anything goes wrong, they will know how to fix it.
Keeping InfoSec in-house: The Costs
- Higher costs: In-house InfoSec might be fully costed and predictable but those costs will always be higher than outsourcing. This is especially the case in states, like California, where employers have to pay a high salary for in-house IT services. LA, Sacramento, San Diego and, of course, Silicon Valley are among the highest paying cities in the country.
- Recruitment issues: If a business owner intends to recruit for the InfoSec role they should know that the field is very competitive. Even if adequately skilled personnel are available, they are likely to demand an attractive compensation and benefits package.
- Unreliability: Are InfoSec staff regularly off sick? Is there adequate cover for vacations? Cybercriminals are always looking for ways to breach a system's defenses. What happens if they succeed on a day the InfoSec guy or girl is in bed with a fever or traveling Europe?
- Training investment: The cyber security landscape is constantly evolving with new tools, technologies, threats and regulations coming into the industry all the time. That's a lot of training which will all come at a cost to the business.
- Power and control. When an in-house team has control over information security that is a lot of power. While a business owner will trust their employees to keep their system secure, a breach of that trust could destroy the business.
An IT consulting firm should provide a rounded picture of the benefits and costs of in-house information security before introducing them to the pros and cons of outsourcing to an MSP.
Outsourcing InfoSec: The Benefits
- Lower costs: MSPs tend to offer various tiers of service level. IT consultants should have some details and costings of reputable vendors to hand. The cost savings over paying a salary will always be considerable.
- Availability: Whatever the day of the week or time of day or night, there should always be someone there to answer a call. MSPs are designed to operate on a 24/7/365 basis and the best will ensure there is a human on the other end of the line, especially in the case of an emergency.
- Experience and skill: Reputable MSPs always employ high level engineers (at least Network Level II). They will work with multiple clients and many different types of system every day. This gives them adaptability and flexibility that an in-house team just can't match.
- Competition: Having a guaranteed salary can affect an employee's motivation levels. In contrast, MSPs know that failing to meet an SLA can mean compensation and even the loss of a contract. This pressure ensures a consistently high level of service across the industry.
- Industry-leading tools and standards: MSPs can leverage economies of scale to access the best security technologies. They will also follow industry-standard security practices including preventing employees from accessing your passwords.
Outsourcing InfoSec: The Costs
- Less control: Delegating to a third party does mean an owner letting go of the need to control every aspect of their business's security. They need to know that they can really trust their MSP which is why it is critical they do their due diligence and check out references and industry accreditations.
- Limited physical presence: When a business suffers a security breach, it can be disconcerting not to have someone in the office to run to for help. In an emergency, most MSPs will be able to dispatch someone to the affected site but it can take some time.
- Complicated contracts: Some MSPs hide behind technical jargon and add hidden costs or service exclusions in the small print. Business owners (and their IT consultants) should favor SLAs that are in plain language and should read through all details carefully before signing.
IT consultants have an important role in helping their clients choose the right IT infrastructure and partners for their needs in order to maximize performance and keep costs to a minimum. They should also ask about InfoSec management because in nearly all cases, it will be better for a business to outsource to an MSP rather than try to manage it alone.
IT consulting professionals have a duty to talk to their clients about their InfoSec provision. In most cases, outsourcing security to an MSP is going to be the smart option but there are advantages and disadvantages to both in-house and outsourced InfoSec provision. This article highlights both to enable IT consultants to give the best advice possible.
Brent Whitfield, CEO of DCG Technical Solutions Inc.
Image Credit: Wright Studio / Shutterstock