In house vs. outsourced cyber security management

Office plant

The five critical questions you need to ask

You probably don’t need us to tell you that cyber security attacks and data breaches are on the rise – the numbers speak for themselves. Four in ten businesses (39%) report having suffered a cyber security breach or attack in the 12 months to March 2021, and similar to previous years this is highest amongst midsize organisations (65%)1. Among those identifying cyber attacks, half of businesses (49%) say this happens once a month or more often, and over a quarter state that they experience breaches or attacks at least once a week2.

Whether it’s prompted by a data breach, a customer audit or regulatory requirements, at some point every midsize organisation that does not have a cyber risk strategy in place will decide that it needs to do something to protect itself against cyber threats.

The question is – what?

While on the surface it may seem obvious – invest in the technologies and tools needed to combat the threats, and hire the people you need to manage them – an increasing number of midsize companies are choosing an alternative to the traditional in-house cyber security function. This is prompted by a number of factors, including:

  1. It’s expensive to acquire new technology, hire and keep staff, and implement new processes
  2. It’s difficult to measure the effectiveness of cyber security solutions
  3. It’s a distraction from the core operations of the business

The alternative is to outsource your cyber security operations and opt for a service that gives you access to the most advanced technologies available, managed on a 24×7 basis on your behalf. The most comprehensive Cyber Security as a Service (CSaaS) offerings will also include cyber safety and phishing awareness training for staff, as well as compliance to recognised standards like Cyber Essentials and ISO 27001.

But how do you know which approach is right for you?

Ask yourself these five critical questions to find out.

  1. Can we afford to run an in-house cyber security function?

    The national average salary for an Information Security Manager is £57,448 per year in the United Kingdom3. For a CISO, expect to pay upwards of £100k. That’s before you’ve even begun to procure technologies and invest in training. All in all, UK businesses spend approximately £650k per year on cyber security4. This cost can be reduced by up to 70% by taking a managed service approach instead – that’s a saving of £455k.

  2. How will we measure cyber security effectiveness?

    Success in building a cyber security defence can be as binary as whether or not you’ve been breached – but that doesn’t really tell you how well protected you are or how likely it is that you’ll be breached. Measuring cyber security effectiveness means constantly monitoring people, process and technology controls, tracking risks and progress against key metrics over time, and extracting tangible and actionable information from the measures that have been put in place. You’ll need to consider whether that is something you can accomplish in-house, as the most advanced CSaaS offerings will include near real-time visibility into the strength of your defences and how well protected you are as part of the package.

  3. How will we attract (and keep) the best cyber security talent?

    According to recent Ipsos MORI research into the UK cyber security labour market carried out on behalf of the Department for Digital, Culture, Media & Sport (DCMS), half of all private sector businesses identify a basic technical cyber security skills gap, and a third of businesses (33%) have a more advanced technical skills gap, in areas such as penetration testing, forensic analysis, security architecture or engineering, threat intelligence, interpreting malicious code and user monitoring5.

    Cyber security talent is pretty thin on the ground – especially if you want your technical experts to have the required professional qualifications – such as CISSP and/or CISM. Once recruited, you’ll also need to make sure that they have ongoing training and enough interesting work to keep them motivated. With demand far outstripping supply, holding onto talent is a challenge in itself.

  4. How flexible do we need our cyber security controls to be?

    As organisations expand into new markets, develop new products and services and bring on new partners and suppliers, their cyber risk exposure will increase. It’s almost ironic that some of the very initiatives adopted to help increase efficiencies and promote growth – such as migration to the cloud and digitalisation – are the very things that introduce more risk. Consider whether procuring solutions directly from vendors will give you the flexibility you need to scale up – and potentially down – as the need arises and as quickly as you would like. If your organisation is growing rapidly, or is particularly vulnerable to market shifts and economic pressures, you may benefit from the flexibility a managed cyber security service can provide.

  5. Is managing cyber security measures the best use of our technology team’s talents?

    Whether it’s analysing network traffic, log management or performing system updates, the whole process of managing cyber security tools and controls can be very resource intensive. When done in-house, this can eat away at the time that you would normally devote to core operations – like delivering online experiences for your customers and launching new products and services. If you have an abundance of technology talent and the ability do both then why not, but more often than not technology teams are stretched at best. A managed security service takes this pain away by freeing up internal resources to do what they do best – help to grow the business.

Managed cyber security services – or CSaaS – are not for everyone. Organisations that have already made significant investments in the technologies, people and processes required to effectively manage cyber risk will likely want to continue to do so. Particularly if that approach is working and they are able to satisfy the requirements of the Board, investors, suppliers and customers in proving that they’re achieving the desired results.

For those organisations that know they need to do something, but for whom the barrier to doing what is required is perceived to be too high, a managed cyber security service is a viable option. Not only will it offer advanced protection against known and unknown cyber threats, it will also deliver peace of mind and confidence both internally and externally.

Cyber threats are only going to increase in velocity and volume, and there really is no excuse for doing nothing. Knowing where to start is half the battle, which means making a strategic business decision about whether cyber security is a core business function – or not. And if, like the vast majority of companies out there, it isn’t for your organisation, a managed security service could be the most sensible approach.

If you’d like to find out more about how to manage cyber risk, check out our eBook for practical advice on where to start and how to prioritise what to protect.

For more information on managed security services and how to choose the right provider, read our recent white paper.

1 Source: Cyber Security Breaches Survey 2021, Department for Digital, Culture, Media & Sport
2 Source: Cyber Security Breaches Survey 2021, Department for Digital, Culture, Media & Sport
3 Source: Glassdoor
4 Source: Hiscox
5 Source: Cyber Security Skills in the UK labour market 2021

Peter bowers

Written by Pete Bowers
Pete Bowers is COO at norm. where he is responsible for the overall operational and financial functions of the business. He also oversees customer innovation and success, and plays a pivotal role in the ongoing development of cyber security and data protection services which deliver transparency and tangible value to norm.’s growing client base.