Someone recently asked me a rather thought-provoking question: Is it better to handle your IT security in-house, or is it more effective to outsource security operations? In all honesty, there are advantages and disadvantages to both approaches. Neither option is perfect, but either one can be effective under the right circumstances. So let’s take a look at the pros and cons of both approaches.
If I had to choose between the two approaches, I would probably opt for using in-house security over the option to outsource security. The main reason is that when you handle security in-house, you have complete visibility into all processes (assuming that you have the necessary tools).
As much as I may like the do-it-yourself approach, however, there are at least a couple of disadvantages. First, for in-house security to be effective, you have to have the proper resources--not just tools, but also staffing resources. In fact, staffing is often one of the biggest issues when it comes to do-it-yourself security.
One of the biggest staffing-related problems comes from reluctance to hire dedicated security staff. Instead, IT staff members who are already busy doing many other things are also tasked with keeping the network secure. While I firmly believe that security is everyone’s job, I also believe that it is important to have dedicated security staff members. Otherwise, security will inevitably give way to more pressing matters and may ultimately be treated as something of an afterthought.
The other big consideration with regard to security staffing is that if security professionals are to be effective, they need to receive the appropriate training. While training is important for every IT job, IT security tends to evolve much more quickly than other IT functions. Security staff members therefore will require much more frequent training than other members of the IT staff.
Tool selection is also important for organizations that choose to handle security in-house rather than outsource security. There is no such thing as a tool that provides comprehensive security. Therefore, organizations that choose to tackle security on their own will need to use a collection of complementary tools. These tools must be selected carefully so as to avoid the creation of security silos.
As previously noted, the choice to outsource security can be an effective way of keeping an organization secure. Because cloud-based security providers focus solely on security, they likely have more resources at their disposal than most organizations would be able to provide in-house. Additionally, providers are commonly able to insulate their customers by intercepting and dealing with malware and various other security threats before they can reach the customer’s network perimeter.
If you’re thinking about using security outsourcing, then one potential disadvantage to consider is that outsourced security by its very nature is a black box. To be effective, security companies have to hide their internal processes from view. As a subscriber, it can be extremely difficult to figure out the specific details of how a provider is actually protecting you. Granted, some organizations probably are not bothered by the security black box, but organizations in regulated industries or those organizations that have very exacting security requirements may need to know more than what the provider is willing to tell them.
Yet another disadvantage to using outsourced security is that a security provider is essentially a one-size-fits-all solution. When you handle security in-house, you get to architect your own security solution based on your organization’s own unique needs. Conversely, a security provider uses the same approach to security for all of its customers.
One more potential disadvantage to using a security provider is that doing so may make you more of a target than you otherwise would be. Just as well-known organizations are attacked with alarming frequency, so, too, are most of the cloud-based security companies. And if an attacker manages to compromise a security provider, then the customers that the provider represents will almost certainly be breached, as well. Smaller organizations that want to outsource security must consider whether the ongoing attacks against their provider of choice will be a threat to their own security. This is not to say that attacks against a security provider will be successful, but rather that organizations must consider whether security outsourcing is worth the risks.
Ultimately, there is no such thing as a perfect security solution--whether you host it yourself or whether you outsource security. Many organizations have found that the best way to keep themselves secure is to use a combination of both types of solutions. Look for a technical explainer focusing on how to establish such a mix in the very near future.