G Woodbury and Associates, Inc. 1.888.877.5749

The primary argument for outsourcing is financial: a company can get the security expertise it needs much more cheaply by hiring someone else to provide it. Take monitoring, for example. The key to successful security monitoring is vigilance: attacks can happen at any time of the day, any day of the year. While it is possible for companies to build detection and response services for their own networks, it’s rarely cost-effective.

Staffing for security expertise 24 hours a day, 365 days a year, requires five full-time employees—more when you include supervisors and backup personnel with specialized skills. Even if an organization could find the budget for all of these people, it would be very difficult to hire them in today’s job market.

Retaining them would be even harder. Security monitoring is inherently erratic: six weeks of boredom followed by eight hours of panic, then seven weeks of boredom followed by six hours of panic. Attacks against a single organization don’t happen often enough to keep a team of this caliber engaged and interested.

This is why outsourcing is the only cost-effective way to satisfy the requirements. Think about healthcare again. I might only need a doctor twice in the coming year, but when I need one I might need him immediately, and I might need specialists. Out of a hundred possible specialties, I might need two of them—and I have no idea beforehand which ones. I would never consider hiring a team of doctors to wait around until I happen to get sick. I outsource my medical needs to my clinic, my emergency room, my hospital. Similarly, companies will outsource network security monitoring.

Aside from the aggregation of expertise, an outsourced monitoring service has other economies of scale. It can more easily hire and train personnel, simply because it needs more employees. And it can build an infrastructure to support them.Vigilant monitoring means keeping up to date on new vulnerabilities, new hacker tools, new security products, and new software releases. Outsourced security companies can spread these costs across all customers.

An outsource company also has a much broader view of the Internet. It can learn from attacks against one customer, and use that knowledge to protect all its customers. It also faces attacks much more frequently. No matter how wealthy we are, we don’t hire a doctor to sit in our living room, waiting for us to get sick. We get better medical care from a doctor who sees patient after patient, learning from each one. To an outsource security company, network attacks are everyday occurrences; its experts know exactly how to respond to any given attack, because in all likelihood they have already seen it many times before.