Cybersecurity professionals Colin Henderson and Ray Espinoza share their take on in-house versus outsourced threat detection and response.
Your in-house team has the context necessary to recognize true security threats, but they’ll only perform effectively if you properly educate them about the environment and establish an escalation protocol.
Outsourcing can serve as a value-add augmentation or an operationalized partnership. Both require trust and time.
It’s the classic operational decision point: Do we move forward with a complex undertaking internally or seek help from specialists?
Each time you come up against this question, it could feel unique — and challenging. Your mix of in-house versus outsourced security services will likely evolve as your organization adapts and grows, so understanding the pros and cons of both options is non-negotiable as a leader.
A hot issue in the cybersecurity field, this inevitable choice requires scrutiny. We picked the brains of two top security professionals to explore the nuances of such a critical decision.
Colin Henderson, VP of Security at OneTrust, calls himself a “passionate cyber executive” and loves to develop leaders. Ray Espinoza, VP of Cloud Security at Medallia, is a business security strategist who values a “security-aware workforce.” I sat down with them both to discuss this common conundrum.
The case for in-house cybersecurity
If you like the feeling of complete control, chances are you’ll lean towards keeping things internal. And there are lots of great reasons to do so if you know how to hire wisely and set up efficient, realistic systems.
Choosing to manage your organization’s security in-house offers:
Familiarity: There’s something to be said for sticking with what you know. The more familiar your team is with your business’s purpose, goals, and needs, the more equipped they’ll be to make informed decisions.
“You’re going to get better context and response by people who live in the environment day in and day out,” Colin points out.
Decision-making power: When you don’t have to consider an outsider’s opinion — or their communication protocol — your day-to-day is, theoretically, simple. There’s no need to consult with anyone beyond the four walls of your office about an escalation. You and the people you’ve chosen to work with can decide what needs a response.
Quick response time: If you dedicate upfront effort to delineating effective workflows, finding quality tools, and offering leading-edge training, your own team will be the fastest choice.
When this is a success and your people are “masters of all,” as Ray puts it, the result is unparalleled efficiency.
Bottom line? If you have the resources to assemble a team you can trust and to establish systems that prevent that team from working beyond its capacity, keeping things “in the family” may be your best bet.
Why outsource to a managed detection and response (MDR) service?
There is, of course, another side to the coin. Using your own team comes with expenses: labor costs, equipment, and training, to name a few. It’s also associated with risks, most significantly the chance that you’ll overlook a big threat and have to face the fallout without any help.
Even if you can withstand these elements, there might still be logical reasons to find an experienced partner.
1. When your team needs support for menial tasks
Colin prefers to leverage third-party security management as an augmentation, rather than a comprehensive solution. A best-of-both-worlds scenario is achievable if you know exactly what you need.
Many companies benefit from handing over data-sifting responsibilities to an experienced, tech-forward MDR vendor and keeping a small team in-house to handle environment-specific responses.
Ray describes what this looks like for his team.
“If the signal or the fidelity is so high, I don't necessarily need to do something about it actively if we have the ability to automate some of that remediation workflow,” he says. “I would love to see that in a report and know that it happened, but I don't need to do something about it if we know that it meets that specific threshold.”
Automation of lower priority tasks is a mega-timesaver and especially valuable in a talent shortage, but it doesn’t have to replace your team entirely.
Because your business needs are dynamic, outsourcing to automate only some tasks works best when you understand the managed provider’s metrics and clearly communicate what you care about over time.
2. When you want specialization and customization
One stand-out benefit of outsourcing is the potential to access a wide range of experts you wouldn’t necessarily be able to hire in-house — and whose salaries you don’t have to pay.
Advanced jobs like threat hunting require technical expertise you may not have the time, resources, or ability to develop. Security analysts have had to grow over time in their knowledge of overall detection and response capabilities. There’s simply more to understand than existed in the past.
“Security analysts have always had to know a little about a lot, as opposed to a deep subject-matter expert who has to know a lot about a certain area,” says Colin.
Luckily, outsourcing can help your team keep up when these sweeping changes take place. Furthermore, IT services aren’t necessarily packaged into neatly organized tiers. Their über-specific nature lends itself to customization, so there is a vendor out there that will dig deep to find out exactly what you need.
3. When you’re looking for a long-term relationship
Connecting with a third party is like nurturing a new friendship. It works best when you’re both fully invested and in it for the long haul. If you can identify needs your in-house team can’t fulfill, it could be time to welcome the fresh perspective and capabilities a business relationship can provide.
Cultivating a relationship takes patience but is worth the energy and investment.
“Ultimately, it comes down to trust and finding the right partner,” Ray explains. “Operationalizing and building this relationship, it’s not fast. And it takes time for a provider to understand what the company cares about, what threats are most relevant — you can’t fast-track any of that.”
The perfect solution for the in-house versus outsource dilemma? There isn’t one.
Regardless of where you come down on this industry-wide debate, there could be practical motivations for both approaches to detection and response. To reach the most reasonable conclusion about what will work for your business, explore some basic questions.
Which tasks, if any, would be most helpful to outsource?
What are our non-negotiables when it comes to response time?
To what degree does our environment allow for response flexibility?
What kind of relationship would we want to have with a vendor?
How much customization do we need, and can we take the time required to develop those custom features?
Ray summarizes his balanced experience: “I've seen both sides of the house: being able to build a team and manage and grow that team over time, as well as looking to offload some of those capabilities to a provider. Honestly, I really feel like it depends on where the company is on their existing security journey.”