Analysis: There’s a looming skills crisis, and companies have to decide whether to outsource cyber security or keep it in-house.
The IT skills gap is a problem with many possible solutions, and for the individual business it is unclear what the best path forward is.
What is clear is that in the eyes of most businesses there is a problem. According to a report from recruitment firm Robert Half, 77 percent of UK CIOs think that they will face more security threats due to a shortage of IT security staff.
The report found 34 percent of respondents planning to hire extra permanent security staff.
The debate tends to focus on what organisations can do to make sure that they are the ones who acquire and retain the staff they need.
Yet a more sustainable solution might be to focus not on bringing staff into the business but outsourcing the cyber security function altogether.
“The problem is real,” says Andrew Rgoyski, Head of Cyber Security at CGI.
“It is global, not just in the UK,” he explains, saying that the lack of staff manifests as “incredible” competition.
CGI, a consultancy firm with an extensive cyber security wing, feels this at a working level not just in the difficulty in finding the staff but in recruiters actively targeting its existing workforce, according to Rgoyski.
Rgoyski says that the company manages to hold onto staff by offering security experts a “career”. Many companies that struggle to hold onto cyber security experts are simply bringing in people to do a job that they need doing rather than giving them a chance to expand their role.
In this sense, a consultancy offering cyber security services may be in a better position to meet the cyber security worker’s demands, since the role may differ according to the requirements of each individual customer.
In this context, where staff are hard to come by and consultancies have some advantage in hiring staff, the cyber security consultancy industry is booming.
According to Gartner's 2015 Forecast Analysis on Information Security, cyber security consulting is currently a $16.5 billion annual global business and is forecast to grow to $23 billion per annum by 2019.
The appeal for organisations is clear: the outsourced security team can start protecting the organisation instantly and does not require the same investment in training or technology.
According to Node 4’s report ‘IT Security: The Evolving Threat Landscape’, only 69 percent of businesses believe they have the right skills internally for today’s security environment. 26 percent currently rely on external partners for their security, while 5 percent do not have access to the skills at all.
Capgemini has just announced the launch of new Managed Security Operations Center (SOC) services, housed in India, in collaboration with IBM Security. These combine threat intelligence services with detection and reaction capabilities, using IBM QRadar’s analytics and Capgemini cyber attack scenarios and detection and reaction services.
The consultancy space has such an appeal that other established players are investing heavily in it.
Launched in May 2016, BT's consultancy programme Cyber Roadmap Consulting aims to help large organisations in determining the level of risks they face, while in February BlackBerry launched Professional Cybersecurity Services.
The supply is there, and yet few vendors are advocating that every company rushes out and finds someone to outsource their cyber security to.
Simon Kouttis, cybersecurity manager at executive search firm Stott and May, claims that there is a strong case against outsourcing, since 64 percent of data breaches occur because of bad outsourcing decisions.
Kouttis says that if done correctly, building an on-premise security centre is an “essential step towards cyber security maturity.
“Your company will own the data, and be able to monitor it; it will have macroscopic control over how that information is handled; and it will offer huge potential for optimisation and improvement.”
Is there an all-encompassing rule for when and what to outsource? According to CGI’s Rgoyski, there is a key distinction to be made.
“If your IT is part of your competitive advantage and core to your business and you are creating products, you should think of building security into that,” he says.
“When IT is part of the business but not core they should look at working with a partner.”
In other words, a Dropbox or an Uber is going to want to ensure that it has the cyber security expertise on hand to make sure that the actual products it is building are secure.
For a company that simply needs to keep its own systems secure, and for which security is not one of the areas of competition, outsourcing might be the best bet.
Rgoyski highlights this with the example of online retailers.
“In fact, companies are interested in their sector having a good reputation for security. Online retailers don’t benefit from other online retailers being attacked.”
If the staff shortages in cyber security persist, outsourcing may be the only choice for many companies. But for the right businesses this will fit their needs perfectly.