Written by Dwayne Robinson
Organizations often mull over the idea of outsourcing specialized tasks to third-party vendors. Outsourcing tasks do not have to be limited to technical aspects of the industry and can include sales, product development, change management, information systems, information technology (IT) restoration, digital forensics & incident response (DFIR), penetration testing, and more.
The benefits that may accrue to the organization include access to a larger talent pool, lower labor costs, and scalability.
While organizations may entertain the idea of outsourcing, Cybersecurity firms must consider the drawbacks of such:
- Quality Assurance
- Control Impact
- Culture Impact
In-house expertise ensures work produced is up to a standard, outlined by the organization. Most organizations will have Quality Assurance processes defined to ensure work is adequately completed to client and stakeholder expectations. Employees of the organization generally understand the objectives of the business, whereas sub-contractors often have their own quality controls, tools, and documents that may not align or directly contradict with the firms.
Even if the outsourcing fulfills Quality Assurance obligations outlined by the organization, they will be less engaged than an employee. Organizations must consider outsourcers have multiple clients of their own, have different priorities, and may not always be interested in the goals of the organization.
Cybersecurity Incidents often demand legal counsel(s), insurance carrier(s), monitoring counsel(s), and other stakeholders that require immediate attention and due care; reliable outsourcers may not be able to respond to an incident if their own clients have incidents of their own, which may impose not only a risk to the firm but a risk to all stakeholders by not being able to respond to a potential breach. One would hope to call 911 and not expect to be put on hold. In-house expertise ensures all stakeholders can be met with due care in times of need.
Organizations often provide corporate-owned devices to their employees; this is a boon to the firm by providing secured assets, aiding in limiting any potential leakage of the organization’s Intellectual Property or other sensitive information. Bring Your Own Device (BYOD) is a popular trend that comes with many drawbacks, including a lack of security control and asset management. While this may benefit outsourcers to act quickly on a task and tap into the organization on a whim, the caveats that may accrue merge personal and corporate, which impose legal and liability ramifications.
By outsourcing an incident or task to a third party, the firm is entrusting the outsource with sensitive information, not knowing the security controls employed (if any). Regardless of reliable outsourcing, agreements tend to be less binding. Employing in-house expertise and providing corporate devices will ensure necessary safeguards are implemented.
Some outsourcers may not or choose not to adapt to the culture or operations that are set out by the organization. In high-stake incidents, communication is essential to succeed. Does the outsourcer prefer phone calls, emails, or direct messages? Does the firm that is outsourcing the task allow for the outsource to tap into the unified communications platform? Do the employees understand the outsource relationship and does the relationship jeopardize the culture?
Outsourcing highly skilled tasks are quick ways to capsize a firm by demoralizing employees. Many highly skilled tasks can be achieved by assigning a task to an individual who may not have the experience but is more than capable of addressing the incident. Once experience has been gained, the same experience can be put into practice with table-top exercises amongst other skillful workers, promoting growth, reliability, and culture. Cybersecurity encompasses a realm of ever-evolving and ever-challenging incidents. Assigning challenging tasks will equip the internal culture to innovate, collaborate, and grow the organization.
Organizations willing to grow and expand operations require more hands-on deck; this typically means hiring full-time, in-house expertise. Businesses that rely heavily on outsourced help can rarely achieve growth. Organizations should give employees the opportunity to take on sophisticated tasks, keeping them interested and allowing them to demonstrate the talent that they were hired for. By engaging multiple individuals on a sophisticated task, collaboration is promoted, and knowledge gaps can often be filled.
Outsourcing sophisticated tasks can be a great way to keep the lights on for an organization, however, will not provide a competitive advantage. Organizations should encourage employees to take on difficult challenges and limit outsourcing for those mundane tasks that face no value to the organization’s competitive advantage. Commit individuals to be a part of the organization’s success and create a community of talent. Companies may face financial challenges by having full-time employees, however, by assigning daily challenges and keeping employees engaged, businesses will reap and sow.