Should you outsource cybersecurity or keep it in-house?

Cyber Security

The discussion about whether to set up cyber security in-house or to outsource as part of your cyber security strategy may focus too much on the cost, rather than the pros and cons. 

While the expense of each isn’t insignificant, it’s likely to be far less than the cost of a security breach – something experienced by 65 per cent of Australian businesses in the past year. When you put cost aside, both in-house and outsourced cyber security options have different pros and cons, giving businesses a choice based on their requirements.

Here’s a guide to both in-house and outsourced cyber security options to help you decide.

If this topic interests you, see ECU's Master of Cyber Security for more formal training.

The similarities

What both in-house and outsourced cyber security teams have in common is that they address the two greatest global security challenges – the ability to detect and respond to incidents promptly and the impact of new technologies.

The in-house option is often referred to as a Security Operations Centre (SOC). This is usually a team of cyber security experts who monitor an organisations network and attached devices. They identify potential security incidents and provide a timely response to ensure cyber security. 

You may also be familiar with a Global Security Operations Centre (GSOC) which combines cyber security with physical security. There’s also a Joint Security Operations Centre (JSOC) which can serve multiple businesses.

The outsourced option is known as a Managed Security Service Provider (MSSP). 

Both in-house and outsourced solutions can develop a comprehensive cyber security plan for your business. They can also prepare and manage an incident response plan

Of course, each solution also has some advantages over the other, which might make one more effective than the other for your business.

The case for in-house


The major advantage of having a cyber security team in-house is control. With cyber security experts on staff, management maintains control of who works in and on the business. They can monitor what their cyber security experts are doing and ensure they embrace the organisational culture. In-house teams can also be informed of confidential business initiatives.

Outsourcing, on the other hand, connects your business to a third party which can raise unexpected security and privacy risks, as Apple discovered recently. The company engaged a contractor for quality control of user’s requests to voice assistant Siri. While Apple put strict confidentiality requirements in place, they didn’t inform users that humans would be listening in. A whistle-blower revealed that contractors regularly heard Siri recordings with drug deals, medical details and people having sex. 

In addition to enduring embarrassing media coverage, Apple released an iPhone update to enable users to opt-out of the quality control project.

Better knowledge of the organisation

In-house cyber security teams develop a deep understanding of the business. Not only do they know network hardware and software, but they know faces, names and the day-to-day business activities. 

This gives them a heightened awareness of the impact that technical changes can have on individuals, teams and projects, as well as the networks they’re working on. The in-house cyber security experts can work closely with the business to minimise service downtime.

Blends with your existing security

Another benefit of in-house cyber security is that it can be combined with existing physical security, such as building access control, swipe cards and video surveillance. This creates a Joint Security Operations Centre (JSOC) which enhances both cyber and physical security. 

Security software developer Symantec established a JSOC with the goal of sharing knowledge and expertise between physical and cyber security experts. This enables deeper investigation of cyber security breaches to explore visitor and staff movements prior to the event. 

Other business functions, including HR and legal, are also closely involved with Symantec’s JSOC to broaden security and build a bigger picture around critical events.

The case for outsourcing

Quicker set-up

Setting up an in-house SOC takes time. From recruiting; training; and retaining, cyber security experts to researching and setting up security software and hardware can take between 6 to 12 months. That means most businesses will be waiting a year for in-house cyber security protection that’s operating effectively. 

A Managed Security Service Provider (MSSP) has the staff, infrastructure and more, just waiting to go – and it works straight out of the box. That includes a large team of cyber security experts who have extensive experience and knowledge. 

Broader knowledge

Because they have a larger team than most in-house solutions could ever hope for, MSSPs can draw from a much broader and deeper pool of knowledge. They can also re-allocate those resources quickly and call in more help for your business if necessary. Most MSSPs offer businesses 24/7 protection without having to even contemplate asking IT staff to be on call.

As they are working with several different businesses, MSSPs can apply recent real-world learnings to your business. And because they are living and breathing pure cyber security every day, they have increased access to the latest hacker strategies.

Less expensive

The bottom line with MSSPs – they can do much of what in-house teams can at a lower cost. For growing businesses, an MSSP can easily scale while an in-house team would need to think about hiring additional staff and purchasing infrastructure.

Best of both worlds

So how do you choose? The truth is, some businesses don’t. 

In the same way that the best data backup system has multiple copies on different media, many businesses choose both in-house and external cybersecurity options. From a cost perspective, it means they can have a smaller in-house team with the ability to scale in response to a cyber security incident. 

With regards to experience and knowledge, the in-house team may have more junior cyber security experts on staff to detect, classify and escalate attacks. The MSSP then provides support with additional expertise to mitigate those attacks. 

They can also assist in building tools and processes to improve the in-house team’s ability to identify threats.

Finding cyber security experts is the greatest challenge

The demand for cyber security professionals is growing rapidly, and businesses are looking for cyber security experts, both in-house and through outsourcing. This is an excellent opportunity for information technology professionals. 

ECU’s Master of Cyber Security builds on your qualifications and experience so you can graduate as a cyber security expert. Then you can choose for yourself – in-house or outsourced.

Learn more about ECU's online Master of Cyber Security. Get in touch with our Enrolment team on 1300 707 760.