It may be a terrible idea to do your security in-house.
Recently we were speaking with a city government in a town with a population of about 50,000 people. Their plan was to manage all of their IT in-house. While the couple of city employees tasked with it may or may not be able to handle the city's general IT needs well, we asked about their security posture with a view to offering a Managed Security program. As you may have guessed already, they had decided to do their security in-house as well.
That's a terrible idea.
No, it's not always a terrible idea for organizations to handle their own security. In fact, there are legitimate reasons to develop your own program. For instance, larger organizations are likely to find that an in-house SOC team (when the right talent is employed) performs threat-hunting in the environment more effectively than most Managed SOC providers are capable of doing. When the budget is present and the talent is available, you may find that in-house is the way to go for your organization.
However, most businesses are not going to build out a complete security team. Those that seek to keep security under the "general IT" heading are going to end up with a far less mature security program than their budget could allow if they were to have security managed. Here are a few reasons it may be a terrible idea to do your security in-house.
1. Thinking that general IT is the same as cybersecurity.
There is a reason that enterprises have a CISO (Chief Information Security Officer) separate from the CIO (Chief Information Officer). Cybersecurity has become its own "thing." The threats have evolved quickly and the good guys are always racing to keep up. Meanwhile, the IT director is thinking about network health, efficiency of communications, and the thousand other things under their domain. It isn't any different in smaller organizations, from a few people to a few thousand. Even so, we sometimes find general IT people who believe they "know security" along with the 50 other "specialties" they have. That isn't how it works! You can't know everything. Even within the cybersecurity field there are many specialties. Here at Tuearis, we don't expect a specialist in firewall engineering to be a specialist in threat hunting... and all we do is security. If you think general IT can handle security, that's a good sign that you should not be handling security in-house.
2. No security specialists / talent / experience.
Staffing is a good reason to consider a managed security program. If you can't staff your SOC with the right people, the tools you spend money on will likely be poorly chosen and/or poorly managed. Staff turnover will also mean that this issue is a recurring one. If your organization isn't prepared to take on the staffing challenges of having a mature cyber program in-house, then working with a Managed Security Service Provider may be the best solution.
3. Limited exposure to security technologies.
New security technologies are constantly hitting the market. My inbox is flooded every day with pitches for new AV, Threat Hunting, Data Storage, and various other cybersecurity-related technologies. It can be a full-time job just keeping up with what the leading technologies in the security space are. We at Tuearis are constantly considering new technologies, how they interact with other security tools, and testing their effectiveness in order to keep on the cutting edge of the industry. SOC teams in well-funded organizations are doing the same thing. When new technologies emerge that fill a gap, we implement those tools to better secure our clients. If your organization can't devote the time to regularly review and experiment with the latest security tools, it's probably better to let a professional cybersecurity company manage your program.
4. Limited budget dedicated to cybersecurity.
Every organization has a limited budget. Money is finite for all of us. But if your organization does not have the money to support a robust cybersecurity program, you can likely get far more bang for your buck by working with an MSSP like Tuearis. "But cybersecurity is expensive!" Yes, there is a cost to security, but it isn't all net-new cost for organizations, despite how it may feel when a proposal is set in front of you. Many of the things we offer are things you are already paying for. For instance, if we lay down a quote that includes firewall management, you may want to consider that you already pay someone to manage those firewalls. Or, worse still, maybe they aren't being managed at all... and those risks have a very real cost that will be realized at some point. The time of the employee doing firewall management can now be spent on other tasks, thus recouping some of the cost.
The point is that a reputable MSSP can provide far more value than small to mid-size businesses can get by bringing the same services in-house. One recent proposal for another city government provided all of the technologies and management for FWaaS, endpoint and email security, and a TVM program for about the price of one full-time employee before they were given any tools to manage! That, plus the expert experience provided, is a value that they could never get by bringing security in-house.
5. A lack of Threat Intelligence capabilities.
Threat Intelligence concerning real-world attacks is essential to an effective security program. At Tuearis, we combine Threat Intelligence from several sources (and our own client environments) to bolster the defenses of all of our clients. A new attack vector is being utilized in the financial industry? That Threat Intelligence is passed on to proactively secure our financial clients. And so on it goes. Mature SOC teams are using Threat Intelligence in the same way within enterprise environments. Security is a moving target and the game is constantly evolving. Are you able to gather Threat Intelligence and make changes based on it? If not, it's probably better to leave it to professionals who love that sort of thing.
6. Accountability when something goes wrong.
Let's be real: people get fired when security incidents occur. As an example, the recent ransomware attack in Lake City, Florida resulted in the IT Director being fired, and that is the norm when it comes to these events. It doesn't matter if the IT Manager was begging for more tools or more staff beforehand; someone has to be the scapegoat to appease the stockholders / citizens / customers. Bringing in a professional security service doesn't just give the organization someone else to blame; it also increases security so that an event is less likely to occur, and our managed security includes remediation of any events that do occur. In other words, if we are handling the program, we perform remediation in the event of an incident without any additional costs. That's a built-in incentive for us to keep threats out and to minimize the impact of anything that does get through. Who will be held accountable in your organization when an incident occurs?
It may or may not be a terrible idea for your specific organization to bring security in-house, but it is certainly worth considering.
If you'd like to set a time to talk to a Tuearis representative, email us at firstname.lastname@example.org.