Save money, appropriately utilize staff, and meet information security goals by
outsourcing exactly the right functions—and keeping the rest in-house!
As the demand for information security continues to grow in the business landscape, so does the cost. It is more critical than ever for companies to be judicious in how they spend money on security efforts.
Without completely getting on my soapbox, one of the fastest ways undermine a culture of security is to have expenses which yield no return on investment (ROI). I have been fortunate to work with a lot of great CIO/CISOs, and they consistently are able to show a direct correlation between resource expenditure and the business objectives that they support. However, many face the challenge of where and how to source InfoSec services.
While some companies have been able to build in-house security operations centers, most in-house security will be seen in companies that are large global entities with ample financial resources. Monitoring and retaining event data is a basic security need, but it can be quite costly and requires shifts that cover the 24x7x365 environment. For most companies, the best solution is to outsource to a third-party provider.
It is most important to do your homework and find out exactly which InfoSec services would yield ROI by being outsourced. Depending on your specific business needs, there can be major value in augmenting your security staff with a Managed Services Provider (MSP) to handle routine services such as Tier 1 monitoring, triage, and analysis. Typically, the quick and easy wins are predictable costs for clearly defined service, reduction in capital expenditure, and outsourcing costs such as management of teams, benefits, training/continuing education, and little things like utilities and office space.
An MSP can provide tremendous return on investment, but it is important to have appropriate, qualitative metrics of success. In my experience, one of the first questions that a CFO will ask when reviewing InfoSec expenditure is, “Why are we paying this vendor so much?” It is a really good question. Having spent the last few years in the MSP space, it is a part of my job to help clients understand the return on investment. The measure of success naturally varies with the service being provided, but generally a service level agreement (SLA) will detail the vendor’s measurement of success, whether that is uptime, response, or some other data point. When choosing an MSP, make sure their metric of success aligns with yours.
You must also continue to do your due diligence after engagement with an MSP. It is important to remember that they are a business as well and thus have incentives aligned for them to behave in a certain way. It’s important that you find the sweet spot in what is mutually beneficial: the vendors should make money and you should save money; they should be providing a service you cannot reasonably provide for yourself.
My advice is simple: transparency and accountability are key for these engagements to be successful. However, ensure that you are putting forth the proper due diligence on the provider and the technologies that they sponsor/prefer. Ensure that they are providing the SLA-defined metrics on a consistent basis, question how that data is gathered, and analyze whether it is an accurate representation. A colleague of mine had a vendor that included missed calls, wrong calls, and simple items such as password resets in their average time to resolution statistics. This kind of misleading data is exactly what you want to avoid!
Sometimes cost savings can be difficult to quantify, but one rapidly expanding 5000-employee organization I know of was able to save approximately $48K monthly by contracting with a trustworthy MSP for specific InfoSec services. The organization had internal security staff capable of performing the work, but from a financial perspective the CIO and CISO determined that it made more sense for the staff to be utilized for more advanced tasks rather than 24×7 monitoring. During the scoping process, the organization performed their due diligence and ensured that the vendor would be committed to advancing organizational goals. This made it an easy financial decision. In addition to achieving organizational cost savings, internal resources were empowered to focus on projects and other strategic tasks. For reference, the cost savings are detailed below. (Note: internal cost was calculated using a base rate of $75/hour.)
Overall, if you are committed to putting in the effort required for due diligence, outsourcing certain functions of your business makes sense. Just make sure that you understand who it is you are dealing with and what they are doing.