If your company is working to improve its cybersecurity only marginally, there’s bad news: You’re probably courting trouble. Nothing less than a transformative change — in cyber strategy, organization, processes and technology — is needed to make significant progress on multiple cybersecurity goals of enabling the business, resilience, risk management and trust, according to our analysis.
It’s not just that threats are ever more sophisticated. Threats often come in surges that your everyday cyber team — right-sized for everyday defense — may not have the resources to meet. In many companies, digital operations growth is also creating an ever greater attack surface for cyber threats. New technology tools can help, but if they don’t work well with old ones, they may do more harm than good. Talent is in short supply and commanding ever higher prices while your company’s likely pressing your cyber teams for an ever faster response.
A new cybersecurity model, based on blending in-house technology and governance with a deep bench of dedicated specialists, can help meet these challenges while controlling costs.
Your organization should consider the next generation of security managed services if you face one or more of these cyber challenges:
There are just two options with traditional security managed services models: too little or too much. Some models fill a gap here or there, leaving your existing cyber defense costly and unwieldy. Others require you to hand over the keys to the kingdom, meaning you lose visibility and control and may be obliged to use a given vendor’s technology indefinitely.
With the next generation of security managed services, cyber outcome sourcing, you and the provider identify the security outcomes that your business, threat landscape and risk tolerance demand. The provider is then responsible for delivering these outcomes for a fixed fee that includes workforce costs. Your key cyber employees join the provider as part of a team dedicated to your company. This team works hand-in-hand with the provider’s deep bench of cyber specialists, ready to scale up your defenses when new threats emerge or surge.
You keep control of technology and governance, and your provider has a strong incentive to help you enhance both: Your technology and governance will help the provider deliver the outcomes that it’s responsible for. With a dedicated team, backed up by specialists, your security capabilities become embedded and elastic while remaining interoperable with multiple technology vendors.
Pain point: Companies typically acquire cyber defense tools piece by piece, but these pieces may not talk to each other and may cause duplicate efforts. If you outsource technology to a vendor, however, you also outsource control — and then you might find yourself “married” to that vendor for life.
Cyber outcome sourcing: You keep full control of your technology, but a provider is incentivized to help you improve integration, increase automation, reduce duplication and enhance overall capabilities. Top providers have use-case libraries, KPIs and standard operating procedures that can provide fast, affordable tech support.
Pain point: You need top talent but it’s ever more expensive to hire and keep in-house. Traditional outsourcing models may cause you to lose your most talented, experienced employees and their knowledge of your organization.
Cyber outcome sourcing: Your key talent remains dedicated to your company, but they get to work with a team within the service provider, which also offers them new training and work opportunities. When a new threat to your company emerges, the provider addresses it on your behalf. Since its specialists serve many organizations, they’re constantly updating their business acumen, digital capabilities and social skills — while the provider can keep down costs.
Pain points: The threat landscape can be quiet for long periods — then suddenly attacks spike. Your in-house team may not have the resources to cope. Older outsourcing models can rush you extra resources for an extra cost, but they may not work well with your day-to-day team.
Cyber outcome sourcing: The provider has a team dedicated to your company, complemented by a deep bench of specialists across functions and disciplines such as security operations, vulnerability and attack surface management, identity and access management, and risk and compliance. When these two teams — joining deep knowledge of your company with deep insights into the surging threats — have already been working side by side within the provider, they collaborate seamlessly and there’s no extra cost.
Pain points: Cyber defense is high tech — complex and fast changing. Few companies have the ability to govern it effectively: with easy-to-use tools, well-defined accountability and metrics, and clear reporting and dashboards. The challenge rises further for third-party cyber risk. In fact, many wonder if organizations have become too complex to secure. Traditional outsourcing models remove governance from your hands, reducing visibility and accountability.
Cyber outcome sourcing: You own governance, but the provider is incentivized to help you improve it. Automated cyber risk dashboards that integrate third-party cyber risk, frameworks to quantify cyber risk and track the efficacy of investments, and clear documentation on roles and responsibilities are just some of the ways in which providers can help.
The advantages of cyber outcome sourcing become still clearer when compared to the traditional models. These models — including traditional cyber managed services — fall short in one or more of four key areas: speed, comprehensiveness, visibility and cost control.
The most traditional approach to cyber defense is to do it in-house. That does offer full control and visibility, but most companies lack in-house resources to fend off sudden surges in the threat landscape. This model also does nothing to keep the cost for talent from rising and rising.
Faced with internal gaps, many companies seek a provider to augment their staff. Yet that help is often helpless. Without a deep relationship, your team and the provider’s team can hit communications and process gaps. Provider fees also tend to keep rising and you lack full control over governance.
Traditional managed services usually offer a one-size-fits-all cyber defense model, customized a little around the edges. Lacking full alignment with your business and its needs, this model may not provide comprehensive defense. Yet you may soon find yourself locked into the provider’s technology and dependent on their governance. It will be hard to switch — potentially trapping you in spiraling costs.
A hybrid model that continuously mixes external and internal teams to operate your existing technology is a better option that can provide fast, comprehensive defense. Process gaps between teams may still arise and you may face rising costs as the provider has little incentive to help you increase automation and efficiency. You also will probably have to give up full visibility and control over governance.
| In-house | Staff augmentation | Outsource ops and tech | Hybrid | Outcome sourcing |
| --- | --- | --- | --- | --- |
| Organization attempts to staff and operate cyber function independently. | Organization buys bodies to fill staffing needs. | Vendor provides and operates proprietary technology. | Involves vendor supplementing your teams in operating your existing tech stack. | Alliance model in which provider operates on behalf of client. |
Several providers offer the next generation of security managed services, but they’re not all the same. Choose a provider that has the following qualities, which can help meet your unique challenges — and provide your current employees, when they become part of the provider’s team, with the opportunities they deserve.
For many companies, the time to switch to cyber outcome sourcing is right now. As digital ambitions rise, CEOs and boards are increasingly aware of the need to increase cyber resilience while supporting the business and controlling costs. The economics have changed — what organizations could do in-house or in traditional models before can now be accomplished at more favorable transaction costs.
Cyber outcome sourcing can do that by providing the talent you need for the outcomes you need while maximizing the value of your technology, improving governance and controlling costs.
Managing Director, Cybersecurity, Privacy & Forensics, PwC US
Principal, Cybersecurity, Privacy & Forensics, PwC US
Cyber & Privacy Innovation Institute Leader, PwC US