What happens if your recruitment efforts are fruitless and you can’t bring in the people and skills you need? Outsourced cybersecurity might be the component to add to your IT capability.

In a previous article we looked at what small and medium-sized businesses (SMBs) can do about recruiting cyber professionals. As noted then, “recruiting cybersecurity staff as an SMB is still hard and will remain so for the foreseeable future”. Is outsourcing an option?

Outsourced cybersecurity services are perceived as costly. This is no surprise: the cyber skills gaps we write about from time to time make it a seller’s market, with hourly and daily rates that reflect this (between $50 and $300 according to contractrates.fyi), while salary rates from recent ISC2 research range from $86K for an entry-level cybersecurity employee up to $215K for a senior, executive level cybersecurity leader. So is outsourced cyber really feasible and affordable for the average SMB?

The flippant answer would be: paying a cyber outsourcer is preferable to the alternatives – paying a fine for a regulatory breach or handing over a load of Bitcoin to a ransomware criminal to release encrypted systems. Sticking with that logic is far from ideal, though, so let us look more robustly at what we can do.

Set the Level

First, remember that cybersecurity is an incredibly wide field (as exemplified by the sizeable variety of domains in certifications such as the CISSP). Whilst it would be easy to equate “wide” with “complicated”, the opposite is the case to some extent: that is, where there is a variety of subject matter to cover, some is bound to be considerably easier to comprehend than the rest (and of course some will be harder), which means you don’t necessarily need an expensive cyber consultant for many of the more basic elements.

Know What You Need

Second, although cybersecurity needs to be a business-as-usual concept to which everyone in the organization should constantly be exposed, some of the cyber activities a business needs to undertake will be one-off exercises, or at the very least infrequent. Deploying a new anti-malware suite or web filtering solution would be two examples in this context: while specialist assistance will inevitably be needed to get up and running, much of the ongoing activity, like installing agent software on new PCs that the organization buys, can be handled just as well by the wider IT team or IT person as by a specialist cyber contractor. Perhaps even better, in fact, because any problems encountered might well be more easily diagnosed by an IT specialist than by a cyber consultant who’s not skilled in working out why something’s not working on a particular PC.

Use Existing Frameworks and Resources

Third, and this relates somewhat to the first point, much of the work has been done already for SMBs. That does not, of course, mean that the cyber equivalent of Santa Claus has snuck into the office and configured everything for you. It means that governments around the world have looked into common sources of cyber risk and have put together frameworks that are pretty comprehensible, even to non-technical business leaders, and which make it straightforward to get the basics right. June 2014 saw the launch in the U.K. of the Cyber Essentials scheme: this is a set of five simple actions you can take that will defend against roughly 80% of the attacks you’re likely to see. Later on, in 2019, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) launched its own framework and associated toolkit, which is a little more complex than the U.K.’s Cyber Essentials but has a similar motivation. Imaginatively, it is called the Cyber Essentials Starter Kit.

There’s even legislation on the statute books – with plenty more to come, no doubt – that will make it even easier for companies to do cybersecurity correctly from the start without needing specialist cyber assistance. Most prominent in this respect is the U.K. Product Security and Telecommunications Infrastructure Act (the “PSTI Act” as it is known), which makes it a legal requirement for vendors of certain technologies to avoid many of the security pitfalls that have traditionally been the source of cyber risk – guessable default passwords and the like. Better cyber quality from vendors equals less need for cyber specialists.

Does all of this mean that we don’t need to worry about using outsourced service providers if we can’t recruit internal talent? No, of course not: although, as we mentioned earlier, some of the cyber frameworks we can use will defend against the vast majority of threats, there’s still the minority that we will inevitably need help with. Having a resource available – internal or external – when that happens is still essential, regardless of the size of the organization in question.

Use What You Need

What it does mean, though, is that we can be selective about who we work with and what we pay for. Complex new cyber product to install? Accept that you may need to pay a specialist for the initial deployment, but ensure you document everything thoroughly, so you don’t need them to do the easy stuff like installing the agent component on a new PC. Worried that you may need to respond to a cyber incident but hope you’ll never have to? Perhaps a local provider will give you an inexpensive retainer and then only charge you real money if you call upon them … or maybe a sensibly priced cyber insurance policy will help in a similar vein.

The cyber skills gap makes it hard to recruit in-house staff and has increased the price of outsourced assistance. Nevertheless, with a little clever planning and by paying the right people the right price for the assistance you do need, using outsourced cyber assistance need not be out of your reach.