Today’s enterprises keep evolving to keep up with the fast-paced digital economy. Organizations and structures within enterprises are constantly changing to rapidly respond to new opportunities in the market. It is because of these constant changes that a robust, integrated cybersecurity framework is crucial in protecting the enterprise network.
Earlier, management had much less to worry about security while devising a technology strategy, but with today’s extensive use of technology and digital infrastructure that are always online and connected to the enterprise intranet and Internet, there’s much more concern about cyberattackers and their capability to exploit weaknesses in the enterprise network and launch sophisticated attacks.
Though your management might acknowledge the risks to the enterprise network and the overall business operations from such cyberattacks, there’s very little understanding about how to create a comprehensive cybersecurity strategy that is dynamic enough to address all forms of threats in the long term.
So, what is the correct VoIP security strategy for your enterprise? Do you think your enterprise is capable of building and implementing an appropriate cybersecurity function on its own without any help from external experts? Do you think you should outsource the entire cybersecurity to external IT security providers so that you can focus on your core business? Or do you think you should have the best of both worlds and develop and implement a cybersecurity function with an inhouse team and external experts working together to protect your enterprise network?
Inhouse cybersecurity function
A very competent IT security team led by an expert security leader can design and implement a cybersecurity function without any help from external experts, which is really good news, if your management thinks things should be handled by your own people.
The IT security team, being part of the enterprise will be well-versed with the business context, the IT infrastructure, and the network topology, so the preliminary homework stage is mostly eliminated. Also, since the team is connected and familiar with the business stakeholders, the business units too get in on the action and contribute freely to the creation of the cybersecurity framework. This means multiple business units in the enterprise will work as a big team.
Also, an inhouse IT security team usually will get strong support and commitment from management. Because of the inherent awareness of the enterprise network, the security team can define a clear set of priorities and document processes and services that involve the new cybersecurity function with a detailed view of business unit-wise cost apportionment and value proposition.
However, where there are so many advantages, there are also some pitfalls that you must know. In a lot of enterprises, the opinions of inhouse teams are taken with a pinch of salt. Management is always wary of internal politics between business units, and so they would rather listen to external experts, whom they believe will not have any skin in the political games. This wariness also will carry forward to the stage when investments and expenses need to be approved, and money will not be loosened so easily to inhouse teams.
Then there’s the issue about conflicting priorities of different business units. For example, the Information Security team might give different weightage in certain aspects of security than the IT Security team. There might be things that the Information Security team wants locked up, which the IT Security team needs kept open.
An inhouse security team might also be less aware of the constantly changing technology of the security landscape and the threats that enterprise networks face. This kind of knowledge and expertise can only be provided by external experts whose job it is to focus on such threats.
Outsourced cybersecurity function
Outsourcing cybersecurity to external experts who will take care of the security of your enterprise network is a good idea for enterprises who want to simply focus on their core business and leave the rest to the experts who can most probably do a better job. When you outsource the security of your network, you also have a plethora of technology and service options available from different expert security providers. Also, it becomes much easier to upgrade to new technology frequently, especially if you can include the long-term costs in your deal with the security providers.
By outsourcing cybersecurity, you can focus on the core business and strategy, which is your bread and butter, and spend all your efforts on growing and transforming your business based on market requirements. This makes it much easier to manage dynamic business teams that quickly scale up and down based on the demand for your products in different market regions globally.
All these advantages sound good as long as you take care of a few things to manage your outsourced cybersecurity function. Before you start shopping for external security providers, be sure to know your requirements. While you need to ensure that all aspects of your enterprise network are secure, you don’t want to be paying for things you don’t need. The term caveat emptor applies perfectly here. It’s the job of the service provider to upsell and cross-sell, while it’s your job to beware of paying for frills that you don’t need.
On the other hand, if you ask for services that don’t belong in the service providers’ standard packages, you might be charged a premium in the name of customization.
As an ongoing process, you must also have a core IT security team who will ensure good governance and evaluation of the services being provided, keep the service provider on their toes, while also maintaining a good relationship with them.
While you’ve got your security worries out of the way, you will still face a few challenges in managing external security providers. If you hire a single security provider to keep things simple, you’re essentially dependent on them all the time. If you hire multiple security providers, coordinating among them will become a big task in itself. So it is of great importance that you strike a balance and keep the count of security providers low and manageable.
The worst aspect of outsourcing your security needs is that though there’s a lot of flexibility allowed when you reprioritize projects, you also incur additional costs. Sometimes it becomes very difficult to change projects mid-way just because of the security costs involved, which shoots up your budget.
Hybrid cybersecurity function
While there are advantages and disadvantages to the different approaches of designing and implementing cybersecurity functions, it is advisable to absorb the advantages of both worlds — inhouse teams and external experts — and create a hybrid strategy that involves using a mix of both the strategies.
In a hybrid strategy, your inhouse IT security team is responsible for creating the core framework of the cybersecurity function and making governance-related decisions internally, but you can still maintain scalability using external security providers.
The beauty of going hybrid is that while your trusted, inhouse security team, who is well-versed with the business and requirements of the enterprise network, uses a self-developed strategy to secure and monitor the enterprise network, the laborious process of implementing the strategy can be outsourced to external security providers.
So while you get the advantage of an in-house IT security team who can work well with business units in the enterprise, you also get the additional expertise and labour of the external security provider who manages the daily affairs of the cybersecurity function, thereby leaving your core security team to monitor and govern.
Note that you’re outsourcing only the responsibility, while you’re still accountable for your network’s security, which is a good thing. The security providers should only own processes, while you retain the governance and authority over the security aspects. Even though security providers bring their own expertise, you still need to have an upper hand with your own core team who has to be a very senior level of experts in the cybersecurity space, so that they are knowledgeable enough to govern effectively.
We’re not saying that you want a bunch of minions in the form of service providers because they too will be experts in the field, especially if they secure networks of multiple other customers. The motive behind having your own IT security core team is to ensure that you don’t end up with elephants in the form of service providers in your enterprise cybersecurity space whom you can’t move unless they want to. This extra bit of authority that you hold over your service providers is only to emphasise that you own the enterprise network and are ultimately accountable for its security.
As a personal experience, we’ve noticed some enterprises failing in their operational and business aspects when they’ve outsourced everything they can to external service providers. They do this mostly because they lack the expertise themselves and rely on service providers to bring their expertise, thereby giving away power over themselves. This is a bad situation to be in — you don’t want to be completely dependent on others for your critical functions.
So the endgame in a hybrid model for your enterprise’s cybersecurity is to have an inhouse strong, expert core team of people who design and govern the security function and outsource the responsibility of implementing the function to external service providers who are experts in running the daily grind of security-related processes.
Like most people, you’d want to have the cake and eat it too. Otherwise, what’s the point of the cake?
We’d like to also ask you, our readers, about your opinion about the cybersecurity model for enterprises. Do you know of a better model? Have you implemented any innovative strategies to secure your enterprise network?