Why don’t we outsource IT security?

Europe has been reeling for some time. Everyone in Europe must now be compliant with the General Data Protection Regulation (GDPR) which makes tough demands in relation to IT security. Are we all really compliant? IT security is already often in the news for other reasons. Do we really have everything under control? A lot has been written about personal data protection and IT security. For instance, about what action you need to take to be fully compliant. It goes without saying that you have to stick to the law – everything you do or refrain from doing must be legal – but you also have to explain that everything you do or refrain from doing is proper and legitimate.

This is no mean feat. You now need in-depth knowledge, which makes it tough because it is, of course, not our core competency. You need to have clear ideas about it, and you need to know what you do and do not want. To ensure a good standard of IT security, you need the benefit of scale because of the variety of skills needed. You need to be attuned to events around the globe so that you find out in time when the next malicious incident happens, ensuring that you are well-equipped for the next one. You need to identify trends so that you can resist known and unknown threats proactively and reactively, and you need to keep a whole system of people and computing capacity on hand. Even the largest of organizations cannot manage this by themselves, never mind the rest of us.

Complexity is out

Most organizations actually have no choice. If you want to safeguard personal data and IT security, you need to outsource it. Major suppliers of IT security solutions have huge benefits of scale, which most organizations cannot even come close to. They employ many more specialists in many more specialist fields. They have an (almost) global presence and therefore find out sooner when new threats loom. They are well-organized and continually alert. Through them, your organization will be part of a large community with a huge learning capacity. They can afford tools that you can only dream of. Successful major Internet and IT businesses, such as Adyen, Airbnb, Apple, Bol.com, Booking.com, Google, Knab, Netflix, Samsung and Uber, all have in common that they simplify things for you. Complexity is out. Just like you eliminate complexity for your customers (you do, don’t you?), you can equally find parties that will eliminate complexity in everything that you find too complex. This applies to both personal data protection and IT security.

Businesses that provide IT security make it much easier for you to meet the required standards. They ensure that you are compliant sooner, and they provide a standard of quality and value for money that you could never achieve on your own. More organizations are coming round to this way of thinking. With an annual growth of 20%, IT security is the fastest growing segment for outsourcing.

Yet if you do decide to outsource IT security, it will likely cost you a lot more than you are paying now. Outsourcing drives costs up. Let’s be honest, almost everyone is lagging far behind when it comes to IT security. Good security is expensive, which actually means it is extremely expensive. If you outsource, your IT security will not be more expensive, but you will pay more for it. This is because your IT security will be miles better. If instead of buying one apple for a dollar, you buy four apples for three dollars, the apples are not more expensive, but you are paying more. You will gain so much more security that, despite the lower unit cost, you will end up paying more. And you will get so much more IT security because you need it. For many organizations, IT security resembles the New Orleans levees fifteen years ago. Low cost and waiting for an accident to happen…

Explicit choices

To be concise, IT security is best outsourced. This does not mean that there is nothing for you to do. Just as with all outsourcing, you need to know exactly what you want. You will have to manage the strategy and policy, although fortunately frameworks are available to assist you. You will have to establish what you will have to do to achieve statutory compliance and how you will achieve it. Hopefully, you will want to go further and establish some more demanding IT security requirements. In which case, you will need to know where your vulnerabilities lie and what you are willing to do to protect those vulnerabilities. You will need to introduce an IT security culture in your organization, but what do you want this to look like and how will you ensure that you actually achieve the envisaged IT security culture? How will you communicate with clients and other stakeholders about this?

Honestly and transparently? Or perhaps a little bit less than that? In May, I received a lot of messages from organizations that I have a relationship with. Some spelled out simply (!) and honestly what they do, while others (quite a lot, actually) aroused my suspicions by not explaining things simply, honestly and transparently. Rather than wondering whether this is legally okay, I tended to wonder whether I still wanted to do business with them. Personal data protection and IT security are subjects which require you to make a lot of explicit choices, even if you choose to outsource them. However, the stupidest thing you can do is to make all these choices implicitly and to continue to keep IT security in-house.

Complexity is out and IT security is so complex that it simply makes sense not to do it yourself. Organizing IT security is very expensive, but New Orleans has taught us that the cost of waiting until the levees fail is even greater.

Authors: Bart Stofberg (Consultant at Quint Wellington Redwood) and Eus Pontenagel (Partner at Quint Wellington Redwood)