16 Oct Understanding the Economic Value of Outsourcing Cybersecurity
Use of outsourcing to fulfill at least some cybersecurity functions is nearly universal: according to a survey from advisory services firm Kroll, 77% of organizations outsource some security functions, and 28% outsource their entire cybersecurity operations. A separate study found that 93% of organizations plan to offload additional aspects of cybersecurity risk to third-party providers within the next two years.
It’s no wonder why. Not only can the act of outsourcing cybersecurity reduce risk and improve security outcomes, but it can do so in ways that generate significant economic value. Done well, increasing investments in cybersecurity—including but not limited to outsourcing—can generate ROI of up to 179%, according to research from ESI Thoughtlab.
How does outsourcing security generate measurable economic value? It works through a variety of mechanisms, like those described below:
Labor Savings
Outsourcing can reduce the need for in-house cybersecurity staff, which may lead to savings on salaries, benefits, and ongoing training costs. There’s another dimension to this, too: a critical labor shortage in cybersecurity is making it so it’s sometimes not possible to hire; 71% of organizations report an “acute shortage” of cybersecurity skills. That, in turn, can impose a constraint on the organization’s ability to grow or even just meet basic mandates. Outsourcing avoids this issue altogether.
How to calculate the economic value: Compare the annual cost of employing a full-time cybersecurity team (including salaries, benefits, and training) with the annual cost of an outsourced cybersecurity service.
Capital Cost Savings
Outsourcing eliminates the need for capital investment in cybersecurity infrastructure and tools. “Going to a [managed security provider] can switch big chunks of the security budget from Capex to Opex,” writes TechTarget, “which can afford certain accounting advantages for the organization and create predictability in the budgeting process.”
How to calculate: Estimate the upfront and maintenance costs of cybersecurity hardware and software if managed in-house and compare these to the service fees of an outsourced provider.
Risk Avoidance and Mitigation
Effective cybersecurity reduces the potential financial impact of data breaches, including regulatory fines, legal fees, and reputational damage. Don’t underestimate the potential costs here. According to The Harvard Business Review (HBR), nearly two-thirds of organizations were hit just by ransomware in the last year. Most of those say it caused them to lose business. Altogether, HBR reports that the “average cost for a small or mid-sized organization to remediate a ransomware attack is $1.82 million.”
How to calculate: Use industry benchmarks on the average cost of data breaches and compare it against the investment in outsourcing cybersecurity services. Consider historical data or industry averages on breach costs, factoring in the size and sector of the organization.
Access to Expertise and Advanced Technologies
Outsourced cybersecurity firms often have access to more specialized expertise and cutting-edge technologies than what might be feasible in-house. “You get to leapfrog forward a lot of capabilities by bringing in an organization that’s already matured them,” says Rick McElroy, principal cybersecurity strategist at VMware Carbon Black.
“Through leveraging economies of scale, outsourced services are considerably more affordable,” writes HBR. “They also give you more bang for your buck, bringing a level of expertise and speed of response to the table that is nearly impossible to replicate in-house.”
In turn, that means organizations can potentially pursue business strategies and initiatives that would have otherwise been impractical. For example, a business will be better able to scale its operations and grow rapidly. In other words, more advanced expertise and technologies can yield new economic opportunities gained.
How to calculate: Estimate the cost of acquiring similar expertise and technologies in-house, including recruitment, training, and purchase of tools, and compare it to the outsourcing contract value.
Outsourcing Cybersecurity Has Bottom-Line Benefits
In the end, the economic value of outsourcing cybersecurity will vary based on factors such as the organization’s size, industry, current cybersecurity posture, and the specific risks it faces. But it’s clear that—when implemented strategically—outsourcing some or all security functions can position an organization for significantly improved bottom-line business outcomes.
About PSL
PSL is a global outsource provider whose mission is to provide solutions that facilitate the movement of business-critical information between and among government agencies, business enterprises, and their partners. For more information, please visit or email info@penielsolutions.com.