Cyber security: an in-house responsibility or one for the outsourcers? asks Maciej Dziergwa, CEO, of the web development and machine learning consultancy STX Next.
As widespread home working continues and with many businesses set to operate using hybrid models after lockdown is lifted, deciding on a long-term approach to cybersecurity is a pressing issue.
In recent research we carried out on 250 global chief technology officers (CTOs) late last year, we found that only 20pc of companies have a dedicated cybersecurity team in place, with 40pc outsourcing at least some of these capabilities to external providers. While this figure varies depending on company size, it raises some interesting questions about how businesses are approaching cybersecurity, and whether their current setup is adequate.
Differing perspectives
The research shows that larger companies are much more likely to invest in a dedicated cyber team than smaller ones. Half of firms of between 300 and 1,000 employees have such a team in place, while this figure increases to 80 per cent in firms of over 1,000 people. The general picture emerging from this data is that many organisations still consider security as a cost rather than an investment. For smaller businesses, this is understandable to an extent, as hiring and maintaining a dedicated security team can be a significant cost relative to the size of the entire company.
Coupled with limited awareness of potential security issues and their emphasis on fast time to market, this could be pushing smaller firms to postpone important work on security. Given the persistent danger of data breaches, this is something for leaders at smaller companies to think about.
Bigger companies, bigger outsourcers
A lack of in-house expertise might lead one to assume that outsourcing of cyber capabilities is more common at smaller businesses. However, our research found that this also tends to be more common in larger organisations, with the majority of those with a headcount of 100 or more using an external company’s services to help protect their digital space. This figure rises as high as 75pc in organisations of between 300 and 1,000 people, dropping slightly to 60pc in firms of more than 1,000 employees.
In contrast, only a third of the smallest firms (30 employees or fewer) are making use of security outsourcers.
Bigger companies, while tending to invest in internal security teams, also recognise what outsourcers bring to the table. Engaging with an external firm is cost-effective for a start, but it’s also worth noting that cybersecurity covers a diverse range of areas: for specific security tasks, it might be better to hire an external company that specialises in one particular discipline. Further, outsourcing helps separate cyber security concerns from the wider company structure, as an external team can advise without being bogged down by internal processes or bureaucracy.
Smaller companies are less likely to have a dedicated security team, but they’re the least likely to engage in outsourcing these capabilities as well. This adds further weight to the argument that leaders at small businesses should think closely about their approach to cyber security, and work out whether their current approach offers sufficient protection.
Deciding on the right cyber security strategy can be an ordeal, but it is important to remember that there is no hard-and-fast method that suits every firm. Financial clout and company structures vary considerably depending on the size and nature of the organisation, so leaders should work hard to find the right approach for their own business.
Hiring an internal team can be hugely effective if budgets allow, while outsourcing brings focused expertise that can ensure your security never falls short. Most crucially, however, is to make sure that security is never neglected.
