We provide Cyber Security services to a range of organisations, from Top 50 ASX-listed companies to Startups to Government, and we work with Business Owners, IT Teams, CISOs, internal Cyber Security staff and CFOs.
Over time some businesses grow large enough, typically over 500 people, that they start to do some back-of-the-envelope maths. This maths might suggest that an internal Cyber Security staff member appears cheaper and provides more time than an external cyber security contractor.
At Vertex Cyber Security, we help businesses get the best Cyber Security for their business. We work with businesses that have internal Cyber Security and those that don’t. We enjoy both structures and do not have any concern with working with internal Cyber Security staff.
That said, we have made a number of common observations:
- The average time for internal Cyber Security staff to stay in one role is less than 2 years. This means you need to factor in hiring costs, upskilling and loss of productivity costs resulting from this.
- Internal cyber security staff don’t keep up with changes in technology or cyber attacks, as they aren’t exposed to as many technologies and attacks as a Cyber Security business would be.
- Internal cyber security staff don’t get the same level of experience, training, documentation or automation that is available at a Cyber Security business, as they only perform the task once, not multiple times a week.
- It takes internal Cyber Security staff at least twice the time to perform the same task as they don’t have the same level of practice.
- Internal Cyber Security staff can be protective of their role and have had less experience implementing the latest cyber protections. There is a tendency for them to prioritise avoiding the risk of losing their job and keeping the peace over better cyber security.
- Internal Cyber Security staff have limited knowledge, being one person, compared to a team providing a range of capabilities from a Cyber Security business.
Optus and other large companies that have been cyber attacked had a lot of internal cyber security, yet still failed to implement appropriate Cyber protections.
This doesn’t mean that you shouldn’t have internal Cyber Security staff, nor does it mean that you should always have internal Cyber Security staff. It does mean that, before thinking about hiring any internal Cyber Security staff, you should consider that the cost is probably at least double what you may think. It is also important to balance the decision with the strategic and business priorities.
Either way, we would always recommend making sure you have at least some regular Cyber Security services provided by an expert Cyber Security business to reduce the potential impacts highlighted earlier.
To be honest, this is based on multiple attempts in the past where we helped businesses hire internal Cyber Security staff only to discover these common observations. We have learnt from our mistakes and now try to help businesses understand why they should and why they shouldn’t hire internal Cyber Security staff.
If you want to see the difference an expert Cyber Security business brings, contact Vertex Cyber Security.