Level 3 Communications

Dale Drew

Hiring a Cybersecurity Provider Isn’t Just a Convenience, It’s Your Fiduciary Duty

No enterprise executive can be blamed for hesitating to transfer network security responsibilities to a third party, no matter how qualified that third party may be. Data, after all, is the modern enterprise’s most prized possession.

Still, business decision-makers must ask themselves whether the expense of an in-house cybersecurity infrastructure is the best option. The answer in most cases is no. And that’s because you have a fiduciary responsibility to invest your company’s money as efficiently as possible and in a way that keeps it oriented to your core competency. This includes getting the most effective and affordable security available. For most companies, that means hiring a third-party expert.

Think about it: do you hire your own security guards to protect your buildings, or contract that out to a security company? Chances are it’s the latter. Since your expertise isn’t building security, you leave that to an entity with a proven track record of recruiting and vetting well-trained guards to deliver the protection you need.

Third-party Expertise

Why not apply the same principles to cybersecurity? Now, instead of contracting a security guard company to guard your physical buildings and properties, you’re hiring cybersecurity experts to protect your data and networks. Whether you choose a cloud-based provider or a company that handles security on premises, you get the best protection money can buy – so long as you pick the right company.

You’ll want a security provider that has been put through its paces to prove it delivers reliable services. The right candidate will be transparent about how it protects your IT assets, and will show that its solutions and processes have been independently audited (by multiple seasoned auditors) and that its technicians have the requisite security certifications.

Depending on your requirements, a third-party provider can manage all of your security needs, from user authentication policies to network and data protection to security and encryption of mobile devices. We’re talking things like round-the-clock monitoring, managed firewalls, application security, site-to-site and user-to-site protection, advanced user authentication and authorization, threat intelligence and analytics, and more.

There is virtually no area of enterprise network protection today that isn’t within the scope of reputable IT security providers.

Fiduciary Responsibility

Where does fiduciary responsibility come into play in a cybersecurity context? Any business executive with influence over how a company spends its money has an obligation to the company, its employees, and its shareholders, to always act in their best interests. And when it comes to budget, that translates to spending company money wisely.

So if you are putting millions of dollars into recruiting, hiring and retaining cybersecurity talent when you can contract a service provider with a much smaller investment, you may not be acting in the best interests of the company’s stakeholders.

A qualified cybersecurity expert earns an average of $116,000 yearly, not too far behind what the average lawyer makes – $131,000. And that’s just salary. You also need to factor in recruitment costs, which can top $10,000 for specialized positions, and benefits, which on average add 30 percent to an employee’s salary costs.

So that cybersecurity expert you may want to hire will cost you closer to $160,000. Multiply that by, say, 10 or 12, and you start to approach the $2 million mark. And the costs are bound to continue increasing. Cisco estimates more than 1 million cybersecurity jobs are currently unfilled worldwide, which means competition is fierce and salaries surely will rise.

On top of staffing costs, you’d also have to spend on the hardware and software that provide the layers of a solid cybersecurity infrastructure, and then maintain and update it regularly to keep up with a never-ending stream of new threats.

Once you add up all the costs of in-house cybersecurity, you’re bound to conclude that using a third party is the way to go. And in going that route, you’ll be fulfilling your fiduciary responsibility to your company stakeholders.