Recently, I had a conversation with a top executive at a well-known Fortune 1000 company. This executive admitted to me that, given a choice between hiring truly talented IT security professionals and “monkeys” – meaning cheap, low-level offshore IT personnel – he’d choose the monkeys. His rationale was that his company would not only save money by offshoring cyber security services but also reap the benefits of having more boots on the ground, since a large number of staffers could be hired for almost nothing.
Offshoring – like robotics, automation, and smart machines – is a reality in today’s globalized knowledge economy. In many cases, there’s nothing wrong with offshoring a particular service. The organization contracting out the work benefits from lower costs, which it can then pass onto its customers. Being able to take advantage of lower-cost labor in developing nations has allowed many small companies to grow, thus creating other jobs here in the U.S.
However, there is a big difference between offshoring a customer contact center or the manufacturing of a widget and offshoring your organization’s data security.
“Bargain” Offshore Services Are No Bargain at All
The cyber security talent gap has made it difficult for organizations to locate qualified talent at all – and then, even if they do manage to find a suitable candidate, they may not be able to afford them. This has necessitated many organizations partially or even completely outsourcing their cyber security. Managed security services providers (MSSPs) are especially popular because they provide an array of services tailored to specific clients, from remote monitoring to dedicated on-site personnel.
However, while the prices charged by U.S.-based cyber security providers are lower than the cost of hiring in-house staff, no domestic company can compete with the “bargain basement” prices of offshore cyber security firms located in developing nations where the cost of living is so low that the minimum wage is only a few dollars a day. It’s understandable that CIOs, who are under constant pressure from the rest of the C-suite to minimize costs, would be entranced by the low, low prices of an offshore provider – even if they know the offshore workers are not completely competent. Further, the organization may already offshore numerous functions with no problem at all, so why not cyber security?
The problem is that contracting with a cheap offshore provider does not equate to securing an organization from cyber attacks, no matter how many staffers the provider assigns to your account. In fact, it may leave your organization even more vulnerable to hackers. According to Verizon, about 95% of data breaches occur when hackers obtain legitimate login credentials, either by stealing them from employees (often through phishing emails) or obtaining them from malicious insiders. In this light, low-cost, offshore “monkeys” pose a threat on two levels:
1. They lack the education, experience, and ongoing training to fully understand the nuances of cyber security and keep up with new threats as they arise, which means they are far more likely to make mistakes than educated, trained professionals.
2. Because they are located in foreign countries, there is no way for an organization to run criminal background checks on the “monkeys” – or verify that the offshore service provider has done so. The cold, hard reality is that CIOs have no idea who their offshore providers are hiring, where they found these people, or how well they screened them. They may be fine, honest people, or they may be criminal hackers; there’s no way of telling.
That “bargain” offshore service provider will be no “bargain” at all if your company suffers a data breach or a ransomware attack – especially if the ensuing investigation uncovers that the attack was due to negligence, error, or malicious intent on the part of an employee of the offshore company. Keep in mind, too, that the offshore provider won’t be the one left holding the bag and facing a public relations nightmare and possible government penalties: Your firm will be, and, because the provider is located overseas, you may have little or no legal recourse against them.
What Can CIOs Do?
In the wake of the numerous, high-profile ransomware attacks and data breaches that have hit healthcare organizations over the past five months, the healthcare industry has been taken to task for not taking cyber security seriously. The industry was very slow to switch from paper to digital records and, when it finally did make the transition, it did so only reluctantly. As a result, healthcare companies tend to see cyber security, and IT functions in general, solely as overhead costs that need to be contained, not as something that enhances their core function, which is patient care.
While healthcare has been in the spotlight, the same accusations could be made of organizations in all industries, even those that embraced digital technology early on. Most organizations view their IT departments as overhead costs, like utility bills and office supplies, not as a critical element that helps the firm provide better products or services. But increasing automation and internet connectivity mean that modern organizations have more cyber vulnerabilities than ever before, and Internet of Things (IoT) devices are set to expose even more vulnerabilities to hackers – who are better trained, better funded, and more persistent than ever before.
A dramatic shift in organizational mindset is needed, and CIOs, as technology leaders, need to be the front-line advocates. Organizations can no longer afford to treat cyber security as an afterthought or an overhead cost that must be contained; it must be viewed as an absolute necessity to protect critical company and customer data. When CIOs seek to outsource their cyber security functions, they must not base their decision on cost alone; they must instead seek the highest quality of service and accept nothing less. Organizations should partner only with reputable, U.S.-based MSSPs who hire educated, skilled personnel who have undergone thorough background checks and who engage in continuous education to keep up with the latest threats and technologies.
An organization’s cyber security function is simply too important to leave in the hands of unskilled, untrained “monkeys” located across the world. There are too many risks involved, and the potential fallout should something go wrong is too severe.
Mike Baker is founder and Principal at Mosaic451, a bespoke cybersecurity service provider and consultancy with specific expertise in building, operating and defending some of the most highly secure networks in North America.