Cybercriminals have been very active since the start of the COVID-19 pandemic, which is why it's important for private companies to call on the services of cyber security professionals to help them better identify their risks and be better protected. Given today's labour shortages, which are also affecting the information technology (IT) industry, businesses have much to gain by outsourcing some of their security-related operations. But what is the best approach?
To answer this question, I spoke with Guillaume Clément, Partner, Consulting, Cyber security at KPMG Canada and President of Egyde Inc. Our conversation has been edited for clarity and length.
Valérie Houde: Why would a company want to outsource certain cyber security responsibilities to an external firm?
Guillaume Clément: With the growing labour shortages, it is increasingly difficult for companies to meet their needs, especially in cyber security. People with in-depth knowledge on the subject are rare, given the needs we have today. I don't believe this situation will improve in the medium term. A company that is interested in having this department's tasks carried out internally faces a considerable challenge in the current environment. But even if it manages to hire a resource, he or she will be difficult to retain, given current market conditions. The company will also have trouble covering all the skills required to address the various challenges faced by businesses today.
Companies therefore need to make outsourcing part of their toolkit, to address the various aspects of cyber security that they don't cover internally. They must also determine how much of their activities to outsource, and which tasks to target, depending on their means and ambitions.
Valérie Houde: Does a business derive any advantages from having internal cyber security professionals?
Guillaume Clément: It's clear that, in most cases, a company must have at least one or two employees with cyber security-related responsibilities and tasks. They will have the advantage of knowing the organization and its vision, since they are involved in the company's projects and will be ensuring that progress is being made in the company. This is essential. Otherwise, the projects will never be completed. If the people dedicated to these tasks are less familiar with cyber security concepts, but are interested in learning, then a firm like KPMG can support, mentor and train them. This is a great way to address the lack of skilled labour for the services you want to keep in-house.
Valérie Houde: Can the size of a company influence the scope of its outsourcing?
Guillaume Clément: Yes, the size of the company can affect its outsourcing strategy, but also the complexity of the processes it will need to adopt.
But you shouldn't think that a large company will be less likely to outsource its processes. Being larger only means that you face bigger challenges. The opposite is also true: smaller companies may need a turnkey strategy.
Valérie Houde: What tasks and functions should a company outsource?
Guillaume Clément: Companies are currently facing challenges in their efforts to recruit and retain qualified labour. They need to provide their employees with interesting and stimulating tasks, so they must outsource functions that are repetitive and have less value added for their employees. For example, here I'm thinking of 24/7 surveillance services, which we often see outsourced.
Complex tasks that require cutting-edge experience on a specific subject also benefit from being entrusted to an external firm. The best example here is the investigation required after a cyber incident. Even though it may be exciting to "play Columbo," companies cannot afford to cut corners in this kind of situation, especially when there has been a computer intrusion. There is also the whole issue of preserving evidence that needs to be considered.
Valérie Houde: On the other side, what responsibilities should a company think of keeping in-house?
Guillaume Clément: There are both operational and tactical tasks, which require a varied knowledge base and considerable experience. Such tasks are particularly attractive to the existing staff because they have no inherent redundancies. For example, if an external firm identifies a company's security vulnerabilities, it is up to the internal cyber security manager to learn about them and set priorities. He or she works closely with colleagues to close the gaps and manage the risks.
Depending on the individual's qualifications, he or she may also optimize configurations, enhance existing tools and strategies, and develop some system architecture and designs. This cyber security specialist acts somewhat like a conductor, working closely with external partners, setting priorities, drumming up new ideas and solving problems, based on the company's business environment.
Valérie Houde: Companies are increasingly using a variety of technologies. What challenges are they likely to face as they make this transition?
Guillaume Clément: As businesses make greater use of various advanced technologies, they are becoming aware of how difficult it can be to manage the related tools, such as alerts and technical problems. Sometimes certain advanced solutions can block processes that are essential to the company's operations.
This becomes a kind of vicious circle. The more a company has invested in cyber security, the more this generates work and responsibilities. However, this makes the company better equipped to detect fraudulent activities and respond, if and when an incident occurs.
In other words, the more a company is protected from cyberattacks, the greater its needs in terms of labour and professionals with the appropriate experience. It therefore has no choice but to outsource certain responsibilities, if it doesn't have the internal resources needed to support its growth and meet its cyber security needs.
Valérie Houde: How should a company select an external firm specialized in cyber security?
Guillaume Clément: Businesses must be careful: there are service suppliers who may say that they are cyber security specialists, but they don't have all the necessary skills. Here are a few things to consider when choosing your cyber security partners.
First, it is essential to determine the scope of the firm's service offering. How many employees are on the team, and what are their skills? It is relevant to consider your cyber security partner's previous mandates with companies similar to yours or active in your industry. Lastly, it is best to request bids from at least three firms, in order to compare them.
It is worth noting that some firms are specialized and others are generalists in this area. For example, some offer only monitoring services, but they don't design cloud architecture. A company that is interested in outsourcing certain tasks may need to draw on the services of several firms to meet all its current and future needs.