How do you determine when to use insourcing vs outsourcing?

Anonymous Author
I'm on a journey towards insourcing. 75% of my security operations center (SOC) was outsourced so that I could have 24/7 coverage, but I did a capital project to build my SOC in Cincinnati, which will be staffed 24/7. I'll get the benefit of having staffing in the UK, and I’ll be able to have early and late shifts there that will help cover everything that I'm not getting out of my outsourced staff in India. One of the big reasons for insourcing is that outsourcing is not as cost effective as you might think. The second reason for insourcing is that I now control my own destiny and all the people. That's important to me because as an employer, we are investing in our employees. The turnover that I see among the outsourced people is roughly every 12 to 18 months. The insourced people seem to be around for four to five years. By investing in them and cultivating their career in the SOC, I can either send them elsewhere in my organization, which would be great, or elsewhere in the information security organization, which is almost as good. Even if I send them elsewhere in the company, they can still do great things for the business. If they're insourced, they're invested in their own performance and they want to get a better merit bonus. They want to grow their career and I want them to do it here at the company. If you outsource it, they're getting paid when I write a check every month and that doesn't change over time. We train the outsourced folks, build them up, and then they take that knowledge to somebody else's account. What good is that? 
3 upvotes
Anonymous Author
Use the concept of insourcing the core, and outsourcing the context. If it's something that you want to build, and you want to be able to hire for the correct DNA to take the organization forward, outsourcing that is almost impossible. It's subtracted to begin with and you don't have the same degree of control over the interaction. How can you sit down with outsourced people and talk about their career path when they’re somewhere else? It's about balancing all those things out. I run a crowdsourcing company, so of course I am a proponent of there being a time and place to crowdsource and to outsource. That is where the context comes in. If finding the right match is difficult or prohibitive from the standpoint of skills or contextual knowledge, or if you have a retention issue associated with the type of skill that you need, then it makes sense. But it's not for everything. Sometimes our customers will say, "We can just crowdsource our entire security operation." But that's not how this works. You have to be able to divvy out the things that are appropriate to crowdsource and outsource, and then double down and actually understand why you're insourcing the other pieces.
2 upvotes
Anonymous Author
I've been trying to keep things balanced by outsourcing when I can for something that is highly specific. Beyond that, I’m trying to keep staffing up with folks who are generalists who I can train and retain. I have talked to folks who believe that you should be outsourcing every aspect of your security program right now, and I've talked to folks who believe the opposite. I don't think either of those is the right call, and I have found good success with this blended model.
2 upvotes
Anonymous Author
It can be hard to find enough cyber security people in particular, so MSSPs are a good way to extend your internal team with an outsourced arrangement. Let the MSSP look after the more transactional 24/7 piece so that your internal team can focus on those higher value tasks and those things that require deep understanding of the context of your organization. It’s always good to get external consultants to come in and review what the security team and the business have put in place. It provides an independent view of the security controls to verify current and target state. Then roadmaps and investment decisions can be made. It can help to corroborate the CISO’s messages to the executive team and board. This would be outsourcing some of the assurance work of the internal team.
2 upvotes
Anonymous Author
The flip to insourcing becomes easier for some pieces, because you're working with vendors who can take advantage of the relationship, or that's their rate card. And now the economy scales where you position things, especially with inland areas where the cost of living is less, so it makes sense. There’s a surge of interest, especially in cybersecurity and development. I find it interesting that there’s such a myriad of managed security service providers (MSSPs) and everybody's got a solution. My gut instincts say, "These are my crown jewels. My security is the backbone of my company. How can you expect me to leave it all in your hands?" There has to be a defining line. In one of my roles, one of the first things I did was assess the contractors, and it was easy to see that it wasn’t working. I had a group that was tasked with specific IT operations pieces. There were clearly defined guidelines and policies, but they couldn't follow them. I didn’t see why we should pay people to get it wrong, so I removed them. I gave them notice and they were shocked. Of course, I ended up taking on their work until I could hire new people, but that was the burden I took on. In the past I've told folks that for every new hire, you will probably spend about 20% to 30% of your time getting them onboarded and up to speed. Depending on their skill level and what you hired them for, getting them to be productive could take weeks, even months. That's one of the big issues with upskilling and insourcing: How much do you take on at once, and how do you build up that scaffolding to be able to train the trainer?
0 upvotes