So, You Were Thinking About Outsourcing Security

The Problem

Hello Friends,

I feel pretty passionate about outsourcing your security work to third party providers but before I tell you about that, I feel compelled to tell you this. I work for one of those providers and this post is not advocating for that provider nor was it sanctioned by said provider. These are just my opinions and not a reflection of the company for which I work. (Though it’s not really coincidence that I work here.)

It seems to me that there are some major roadblocks to adopting a third party provider for your security needs. For one, I feel like a lot of people might still think of this as a personal failure. “I was unable to build my own team so I had to outsource to that group over there.” Another part of the problem is that the word outsourcing implies that you need to do the same job you would have done for half the cost.

Let’s talk about it… Well, I’ll write about it and you can choose to read it. Whatevs. ¯\_(ツ)_/¯

A Simple Question

Do you still run your own email server?

If not, why not? Are you among the many companies rapidly adopting “the cloud” (rather, other people’s datacenters with fancy APIs and cool names for services)? I bet you are, even if you don’t realize it. Generally speaking, we accept these forms of outsourcing. We accept that these other companies run those services better than we can or maybe we just want to put the burden of risk and uptime on those companies.

You can tell yourself it is cheaper. Sometimes it is. But those cloud services? They add up quick.

Really, though, it’s the cost of doing business. It’s your organization taking advantage of a specialized service in order to speed up your ability to deliver whatever it is your company delivers. Instead of hiring a bunch of people, buying a bunch of servers, and maintaining something that generally has nothing to do with your business – you move that workload to the cloud. Let them deal with finding qualified talent.

And when they fail, let them be accountable for that failure.

Security can work in the exact same way and I would argue that you will be better off if you approach security with this mentality. Ultimately, you’re probably not working for a security company. Is security important to your company? Yes. Just like IT, you need it to survive the modern world and deliver your own business objectives. You’ll still need to hire someone to manage your security posture, risk, and compliance. But… do you need to build out a full security operations center (SOC) and staff it twenty-four hours a day, seven days a week? I doubt it.

I don’t want you to think that I’m saying you should pull a Patreon so let’s think on a few things first…

Thinking on Things: Money

First of all, you can’t outsource everything. You just can’t. It’s expensive and, if you do that, who’s going to be left to keep them accountable?

Let me take a moment to dispel the “outsourcing is cheaper” notion. It’s just not true. Let’s assume you can hire ten of the best individual technical contributors to build out your security team. They aren’t going to be cheap resources. Now, what if you go to your favorite security partner and ask them: “What will it take to get ten dedicated resources for my security team?” Honestly, you should expect to pay the cost for 15 resources. That provider is a business too – they need to make a profit. That’s how it works.

If a provider comes back and tells you that they’ll dedicate those resources to you AND it is cheaper, you should walk away from that deal. Period.

I know what you are thinking: “What about shared resources?” Okay, easy, I can put you in a shared resourcing model whereby you will have ten people assigned to your account but those ten people are also assigned to five other accounts. Here, I would expect that you’ll pay less but you’re only getting a portion of the resourcing. Instead of ten dedicated people, you get one-fifth of ten people’s time.

The main point here: stop thinking it’s cheaper to outsource. It isn’t always cheaper and you pay for what you get.

Thinking on Things: Talent

So let me tell you a personal story.

At every company I’ve worked at in the past, I’ve come in and built something amazing (my opinion) for minimal cost. And in those companies, I tended to last about two to three years before achieving peak burnout and quitting for something else. Over the course of those years, I would accrue so much technical debt and become a single point of failure for the company. It’s always the same story because the work is “critical and needs doing” but “we can’t afford to hire more people” and the people we have are “junior and need mentoring before they can take this on”. Oh, but, “we can’t wait to mentor them.”

I get fed up and leave the company. What typically happens is the company struggles to hire and stuff falls apart. I heard, after leaving one company, they had to remove the Splunk implementation that was built and they hired a third party provider to install ArcSight of all things.

While I call this a personal story, I think it’s the story of any senior security professional that’s been doing this long enough. You’ve got the skills to do so many things and you take the job seriously. You want to protect the company’s assets and user information so you build everything you can… but, still, you’re just one person.

And, honestly, operations is boring. Building all of those cool and amazing things? That part is awesome. Trying to maintain it alone forever? No thanks.

This is one area where a security provider shines. For people like me, bouncing between clients provides fresh challenges. Solving problems is fun. Fun is not boring. But here’s the nice part: since it was built for the client and delivered by the provider, it’s now up to the provider to staff for and maintain said solution. It’s not up to me as the problem solver necessarily – I can sit in the background and solve other problems.

It’s perfect for me but it’s also perfect for businesses that couldn’t afford to hire all those people. It’s the provider’s problem now. And the provider has me on standby in case the client needs more problems solved.

What Was That “Pulling a Patreon” Thing?

If you didn’t read the link above, Patreon apparently fired their entire security team in exchange for a third party provider. This is absolutely not the way you should be doing it. While outsourcing everything might be a viable option for some businesses, I would advise against it at least 99.9% of the time. It’s just… not ideal.

The main thing is that you need someone on your team that can hold your provider accountable. Someone that can set the strategy for the team, explain how things are going to work, and then ensure that vision is delivered. This team of people is responsible for ensuring that organizational specifics (knowledge you only get when you are dedicated in an environment) are not lost. Sure, you can outsource technical functions, but the minute you outsource strategy – well, I’d argue that you’ve lost your mind. I can’t imagine any situation in which I would allow a salesperson to define exactly what I need and how I’m going to have it executed and then, you know, charge me for that.

“I see you want to buy a new car to pick up your children from school. Well, here’s our tank. It’s the most expensive option on the lot but it’s guaranteed to allow you to pick up your kids from school and it’s definitely the best choice.”

It’s such a ridiculous idea.

Your provider needs to be a partner and have a seat at the strategy table but they shouldn’t be allowed to go it alone on your behalf.

Okay, Was This A Sales Pitch?

No. I don’t actually care if you use a provider to facilitate security functions or try to build it yourself. My core belief is that the vast majority of businesses can’t build it themselves and they shouldn’t.

It’s too expensive. The people you need to hire are flaky and prone to burnout. They’ll build cool solutions and then leave you hanging when you need to move to operational support. On top of that, there just aren’t enough people to go around – there haven’t been for a long time.

I also think of it in similar terms as the cloud. You move your workloads to the cloud because you don’t want to deal with running your own hardware. (Simplified, I know. There are other reasons, that is just one.) Ultimately, you’re relying on the “experts” to deliver a service to you that can enable your business to function. Think of your provider the same way. Treat them in much the same way – use their services where it makes sense and only where it makes sense.

Anyway, Wrapping Up

I didn’t want to spend all day writing about why I think you should give your security business to a third party. And there’s a lot of you that I don’t want to fight with either. I’ve heard a lot of the excuses… “I could automate that” or “I could just hire that guy” or whatever. I’m here to tell you that this just isn’t true in most cases.

And if you’re one of those cases, you need to have a strategy to deal with the coming inevitability that you’ll be forced into adopting a provider eventually. The shortage of qualified workers or your inability to recruit top talent will guarantee that.
