By Kevin Fuller

The Peer2Peer session "To Source or Not to Source. Is That Really the Question?" was very well-attended by security leaders across many verticals, offering a range of experience with regards to sourcing their security programs. Attendees shared what functions they have outsourced to a trusted third party, how they came to those decisions, and what their experience was in those endeavors. Several themes emerged in the discussion.

Most companies outsourced due to resource availability or skill gap

While there were a number of reasons attendees noted looking at out sourcing part of their program, two reasons came up more often than any others and they are not new issues. The availability of skilled security resources continues to be short and they are expensive when found. Sharing that resource burden with a trusted third party proved a common risk mitigation tactic. Even where resources were available, many attendees noted that they were able to acquire specific, needed skills through an outsourcing arrangement that didn’t make sense to keep in-house all year long. 

Security operations in a quick win

Many people shared positive experiences when they outsourced their Security Operations Center and/or tool management to a trusted third party. Due to the regularity of the work and clearer delineation of responsibilities, it made for a quick win when a company needed to free up resources for other projects or needed to shuffle their remaining personnel after others left. Of all program domains, the SOC was deemed the “easy example”. 

Nothing is off the table

The SOC may have been the “easy example”, but there was no security domain that was uniformly rejected by the group. Every security function called out was met by someone in the group who had outsourced it from penetration testing to the CISO. Each company must examine what their core competencies are and what security functions are tied most closely to those capabilities. What can impact your company the most should be held closest to the vest, but be open about functions further out. Look at the cost and personnel savings from an outsource agreement as an opportunity to reinvest in new security capabilities not previously funded.