Critical security functions are being outsourced to combat the skills shortage, but there could be an even better answer – writes Ping Identity’s Head of Asia Pacific and Japan, Ashley Diffey.
Across 2022, reports have surfaced that point to a significant amount of outsourcing of security functions. To some extent the figures look overly high, conflating – for example – the use of managed services as a form of outsourcing.
Of more interest, however, is the extent to which more core capabilities of security teams are being outsourced, and – in particular – offshored. The annual SANS SOC survey summarises this distinction neatly: “Much of what SOCs do can be outsourced, so we wanted to understand what SOCs choose to outsource.”
SANS’ numbers show outsourcing of security functions is largely unchanged over the years. Importantly, they also show that businesses are highly selective in what they’re happy to outsource: testing, yes; core functions, no.
Anything to do with strategy, architecture, engineering, tool configuration and deployment, monitoring, and IR, is much more likely to remain in-house than be sat with a third party.
Still, that assumes the business, and particularly the security practice, is well-resourced enough to have this choice.
Security is a sector with acute skills shortages in critical areas. If these skills shortages cannot be resolved, outsourcing and offshoring of more critical security functions may start to look like an attractive way for some businesses to alleviate immediate resource availability constraints.
Short-term thinking
There are two core problems with outsourcing security functions as a response to the skills crisis.
First, it may not be the most cost-effective way of resolving the issue.
Anyone with exposure to outsourcing arrangements will be aware that there are often hidden costs, and almost certainly increasing costs over time to contend with.
Second – and perhaps more important – it’s not a long-term solution to the problem at hand.
Unless the outsourcing is short-term and accompanied by simultaneous investment in building up internal capability, then it is unlikely to get businesses to where they need to be in the longer term.
For that reason, I suspect we’ll see a lot of businesses look at outsourcing, but only a relatively small number actually go down that path.
Longing for a long-term solution
Where that leaves most businesses is with a need to double down on ways to create skilled local resources.
In businesses’ favour, there’s no shortage of opportunities for people to get into cybersecurity and skill up to be a part of the growth. With that growth set to continue, businesses need to work to create a continuous pipeline of potential candidates that want to work in security-related fields.
While classroom and on-the-job training are likely to be the main ways to prepare candidates for careers in security, technology will also play a part in lowering barriers to entry.
The advent of low-code and no-code security tools is changing operating models in a number of technology domains. Rather than requiring developers with decades of experience to script everything, even non-technical users can easily drag and drop to connect actions and create workflows. Such orchestration services intend to make it easier to integrate existing identity security with a range of IT systems.
Making identity security simple and easy benefits not only potential new hires but also existing teams, reducing administrative effort and freeing up time and workload capacity. That extra capacity could result in significant time and money saved, and also buying time to train up new resources for more strategic needs.
The cybersecurity skills shortage is not going away anytime soon, the sheer demand cannot meet the daily influx of threats. It will take a concerted effort across business and government to ensure resources are being allocated correctly, from embracing new technology and offering more training.
Anything that can be done to make security more operationally and administratively efficient is likely to make careers in security more accessible. Simplification may be just what the industry needs to compete against bad actors and ensure our systems our resilient.