In-House vs Outsourced Cybersecurity for SMBs

How Do I Choose Between Outsourced and In-House Cybersecurity?

In this article, we’ll look at outsourcing cybersecurity for small and medium businesses (SMB), and how you can make that tricky calculation that tells you when to do it yourself, and when to call in the cavalry.

We’re not going to pretend there’s a straightforward answer to this question. For each of the 5,358,600 US businesses with fewer than 500 employees counted by the Census Bureau¹, the story is going to be different. What we will do is provide you with a framework that will make decisions about what to buy in—and how much to spend—easier to achieve.

Why Should a Small Business Outsource IT Security?

This year, risk of cyber-attack topped the US Chamber of Commerce’s Small Business Index² for Q1 2024 as the area of most concern. Phishing, malware, and ransomware, along with other cyber-threats, were a concern for 60% of small businesses, ahead of supply chain breakdowns and another pandemic. It’s likely you, and your peers and competitors, are concerned about the impact of an IT security breach.

That second place concern is worth noting, by the way. Supply chain risk, and the compromise of data via a cyber-attack on a supply chain provider, are increasingly in the headlines, from oil pipelines to telephone systems. If your business supplies large organizations, those customers are increasingly likely to take an interest in what you do to protect your data and systems—and by extension, theirs.

Then there’s the need to scale. If your organization grows, scaling your IT security to keep pace comes with its own growing pains. Being able to flex that capability up or down as you need it is valuable—and being able to do that quickly is even better.

Keeping up with rapid changes in the threat environment and the technology and skills needed to do so is costly—and it’s often more economical to bring in specialist providers for two areas: things that need occasional work, and those capabilities that require round-the-clock support.

If your business—or your customers’ business—has some sort of regulatory oversight, then there’s a possibility that includes requirements for information security and, by extension, cybersecurity. In the financial sector, the Securities and Exchange Commission has just updated Regulation S-P, for example, which sets data protection compliance requirements for organizations like crowdfunding platforms, investment advisers, broker-dealers, and transfer agents.

At this point, outsourcing information security to a trusted third party becomes a cost of doing business, as well as good-to-have protection.

What Cybersecurity Capabilities Should I Outsource?

Few organizations, even the biggest multinationals, can provide their own IT security entirely by themselves. For most small and medium businesses, some form of hybrid approach—doing some in house, and outsourcing more complex or expensive elements—is the most pragmatic and effective way to achieve good information security.

Bear in mind, you’re already outsourcing all kinds of other IT services every single day. Cloud computing, for example, has been around for over two decades, and most organizations make at least some use of it. But why do this for something as critical as IT security?

A lot of it comes down to the same reason your business exists: your company excels at doing something that other people will pay money for, because it’s too complicated, time consuming, or difficult to do themselves. Cybersecurity is no different.

One of the biggest costs is talent, and there’s a cybersecurity skills shortage. The National Institute for Standards and Technology (NIST) says that, as of June 2023³, 1,129,659 people were employed in a cyber- or IT security role. In the same period, there were 663,434 cybersecurity job openings. The market for cyber experts is very competitive at the moment.

What IT Security Should I Outsource, and How?

As our blog notes, small businesses now face very similar IT security challenges to bigger companies. By only outsourcing cybersecurity services when needed, rather than hiring people yourself and building costly and complex infrastructure to equip them, it’s possible to take advantage of the flexibility and scalability of hiring out, and affordably protect your business from cyber-attack.

I’ve Heard of an SOC—Should I Have One?

Your SMB will undoubtedly enjoy the benefits of having a Security Operations Center (SOC) look after it, but trying to build or maintain one yourself is likely to be a painful experience. Just like an exotic vintage sports car, an SOC sounds like a glamorous purchase until you understand the running costs and the frustrations of maintaining one as a daily driver. Effectively the scaled-down cybersecurity equivalent of a NASA control center, the SOC is a complex, expensive beast. A regular mantra in SOC circles is “People, Process, Technology”, and an in-house SOC requires significant up-front and ongoing investment to keep all of those things up to date. How much? Well, according to research from Ponemon published in Security Magazine, an in-house SOC costs $2.86m a year to run⁴.

SOCs are staffed by specialists—and you’ll need five of those for the most basic center. There are costs with hiring and retaining such skilled individuals (and as we’ve seen, there’s a shortage, so lots of competition from other employers), and you’ll need to keep their skills and certifications up to date with regular training. Then there’s the cost and complexity of ensuring processes are in place, and buying in the tools and technology to make it happen. Don’t forget the need to update those tools, keep on top of the changing nature of cyber-threats and ensure you keep all those in-demand people trained and incentivized to stay with you—because they’re in demand. Building an SOC from scratch will take time, too, so don’t expect to relax any time soon.

A highly effective SOC tackling a live security incident is impressive to see—and, just like that finicky vintage sports car, it constantly needs a small army of technical experts and a wheelbarrow of cash to keep it running smoothly. For all but the largest and wealthiest organizations, it makes sense to outsource this capability to a specialist.

Conclusion

Many organizations around the world use a hybrid approach to cybersecurity. It pays to have in-house expertise to understand cybersecurity issues in the context of your business, the people that work for it, and the customers that buy from it. But where you need expertise in detecting and responding to threats, outsourcing cybersecurity to a specialist organization has all kinds of benefits. Working through the benefits and challenges of outsourcing and in-house security below to understand what your business needs is an excellent first step.

Checklist: In-House, Outsourced, or Hybrid IT Security— Which Should I Choose?

Benefits of Outsourcing Cybersecurity:

• Reduce the cost of hiring, tooling, and operations
• Bring in expertise across a wide range of specialties as you need it
• Dial your security cost up or down depending on the needs of your business
• Get your security up to speed fast
• Lower management overhead
• Round the clock coverage (most outsourcing providers offer 24/7 coverage)

Drawbacks to Outsourcing Cybersecurity:

• You might be getting a vanilla solution, and your needs might be specific to your business or sector
• You’re one of many customers, so if there’s a systemic issue, you might have to take a ticket and wait

Benefits of Inhouse Cybersecurity:

• Domain knowledge: it’s likely your IT security team and IT manager know a lot more about your business than an outsourcer
• Faster response since your team knows how to spring into immediate action

Drawbacks to Inhouse Cybersecurity:

• Higher costs: SOCs, don’t come cheap, and you’ll spend a huge amount of management time keeping everything running
• Staffing headaches of building, engaging, a retaining a team of competitive talent
• Knowledge gaps: sometimes, only a specialist will do, and you might only need them some of the time
• More haste, less efficiency: your IT security resource might react fast but may not know exactly how best to respond

Protect Your Business Today

SMBs around the globe have turned to SentinelOne Singularity™ Control to proactively resolve modern threats at machine speed. Request a free 30-day trial to see how SentinelOne can help you protect your business against every kind of threat, including ransomware and malware.