General security

Outsourcing cybersecurity: What services to outsource, what to keep in-house

Rodika Tollefson
May 20, 2020 by
Rodika Tollefson

The growing need for outsourced cybersecurity

The growing number and sophistication of threats that organizations face daily puts a bigger demand on cybersecurity. With roaming users accessing the network and data from everywhere, the challenges of protecting assets are even greater and require an increasing number of resources. To help solve some of these challenges, organizations are turning to managed security services providers (MSSPs) and other vendors for outsourcing a variety of security functions.

Various forecasts show the market for managed security services growing at double-digit rates. One report from Allied Market Research estimates the market to reach nearly $41 billion by 2022, based on a 16.6% compound annual growth rate between 2016 and 2022.

The evolving threat landscape is only one driver behind these trends. The shortage of security talent — estimated currently at more than 4 million by (ISC)2 — is also making it more challenging to both recruit and retain talent. Outsourcing allows an organization to shift the burden of providing security analysts and other workers to the managed services providers, while using the in-house staff for more strategic work.

Trends in outsourcing

A 2019 Deloitte survey of 500 C-level executives found that 99% of organizations outsourced some portion of cybersecurity operations. The most common percentage of outsourced services was 21-30% (identified by 44% of the execs). The survey also identified that the top four outsourced categories were security operations, vulnerability management, physical security and awareness and training.

Cisco also found that outsourcing has increased significantly in 2019, compared to the previous year. Based on a survey of 2,800 IT decision makers, the company’s 2020 CISO Benchmark Study found that cost-efficiency is the top reason for outsourcing (identified by 55% of respondents), followed closely by the need for more timely response to incidents (53%).

Cybersecurity services you should consider outsourcing

Based on some of these trends and views from cybersecurity practitioners, these are some of the top services you should consider:

Security operations

Threat actors don’t keep office hours — you need to monitor your environment 24/7. One best practice is to unify your security team, technology and processes under the umbrella of a security operations center (SOC). Running a SOC around the clock, however, is not feasible for many businesses, especially smaller ones. 

Outsourcing either some of the security operations, such as network monitoring, or the entire SOC to a vendor that provides managed security services could provide cost efficiencies. Another advantage of using managed security services provider (MSSP) or managed detection and response (MDR) vendors is that you can leverage their expertise, as well as not having to worry about employing a large cadre of security analysts and other specialists.

Vulnerability management

As we saw with cyberattacks like WannaCry, legacy and unpatched systems pose a major risk because bad actors are constantly finding ways to exploit vulnerabilities in software and hardware. But managing vulnerabilities is a constant battle for many organizations.

In a survey of nearly 3,000 IT security professionals, Ponemon Institute found that despite putting more resources toward vulnerability management, organizations are still not able to minimize the risks of an attack. Only half of the respondents said they could quickly detect vulnerabilities and respond to attacks, and only 44% said they could patch quickly. 

One of the realities of cybersecurity is that even with a full contingent of security personnel, you’re not going to be able to patch everything. Outsourcing functions like vulnerability assessments (which may also include penetration testing) can help you prioritize your risks so you can address the most critical vulnerabilities first.

Employee education and training

Cybersecurity education and training involves several layers. You need to train both your end users and your security personnel. There are benefits to outsourcing each of these programs. 

Security staff training

The threat landscape is evolving so quickly that you always need to stay on top of the latest threats and best practices. Vendors whose core function is training are constantly updating their knowledge and training, which would be a lot more difficult to do in-house.

End user training

Your security awareness and training program for employees and other end users needs to be ongoing, starting with new employee onboarding. Don’t rely solely on self-learning tools like training modules; also conducting regular simulated phishing exercises. Many education providers offer both these services. 

Cybersecurity functions to keep in-house

Should you outsource your incident response? There’s a debate among security practitioners and both sides of the discussion have merits. The other aspects that may be best retained in-house are security strategy and security architecture.

Security strategy

Creating a security strategy requires an in-depth knowledge of your particular business, and consideration of factors ranging from the industry and company size to your business model and practices. It’s one of those areas where you’d want to be hands-on rather than completely turning over to a third party.

If you can’t have a full-time, in-house chief information security officer (CISO), hiring a consultant may be a better option than outsourcing the entire strategic function. Many security companies and professionals also offer virtual CISO (often called vCISO) services, which helps you build a consistent relationship with an expert who gets to know your business and needs.

Security architecture

Building your security architecture is another core function that involves critical decisions and has overarching impacts on your organization’s cybersecurity. Similarly to the security strategy, it’s best to hire a consultant rather than outsourcing entirely, so you maintain complete control over the decisions.

Conclusion: Considering the pros and cons

Before you decide whether to outsource your cybersecurity — or which aspects — consider the implications of trusting an outside party with your critical data and assets. Handing over the proverbial keys to the kingdom has its own risks, and you need to ensure you’re mitigating those risks.

Choosing a trustworthy provider takes a lot of homework. Before proceeding, organizations need to have a strategy, understand the risks, ask lots of questions and set the right expectations. 

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.


Rodika Tollefson
Rodika Tollefson

Rodika Tollefson splits her time between journalism and content strategy and creation for brands. She’s covered just about every industry over a two-decade career but is mostly interested in technology, cybersecurity and B2B topics. Tollefson has won various awards for her journalism and multimedia work. Her non-bylined content appears regularly on several top global brands’ blogs and other digital platforms. She can be reached at