Firms not convinced to outsource cybersecurity skills, despite shortage

While MSPs solve talent shortages in IT, organizations still prefer to have inhouse cybersecurity skills
4 October 2021

While MSPs solve talent shortages in IT, organizations still prefer to have inhouse cybersecurity skills. Source: (Photo by Rohan THOMSON / AFP)

The cybersecurity skills shortage is an ongoing dilemma that continues to wreak havoc on vulnerable systems globally. As organizations continue to face increasing cyber threats, it’s no longer just about having adequate cybersecurity protection as companies need to be able to understand their organization’s levels of protection.

In early 2019, Gartner TalentNeuron data predicted that there would be a global shortage of two million cybersecurity professionals by end-2019. The global pandemic has further escalated this situation. Another study by the Information Systems Security Association (ISSA) and industry analyst Enterprise Strategy Group (ESG) pointed out that the cybersecurity skills crisis continues on a downward, multi-year trend of bad to worse and has impacted more than half of organizations.

As such, a workforce with relevant cybersecurity skills is becoming highly sought after today. Unfortunately, the tragic reality is that there is a global dearth of trained cybersecurity professionals. Tech firms and organizations are already working round the clock to reskill employees with relevant, up-to-date cybersecurity skills. They are also partnering with education institutions to increase the number of graduates in the mission-critical fields of IT and cybersecurity.

In the meantime, while training and upskilling take time, organizations are instead looking to outsource and subcontract their cybersecurity staff in the near term. According to a NewtonX study, 56% of organizations are now subcontracting up to a quarter of their cybersecurity staff. Most of them are being sourced primarily from managed services providers.

However, this is where concerns can arise. While managed service providers (MSPs) can solve the shortage of cybersecurity skills, relying on them purely may influence how organizations make future decisions on cybersecurity.

Cybersecurity spending is usually determined from a combination of advice from the CISO, CTO, the CIO, and of course the cybersecurity team itself. Most C-level security leaders would understand the values of the organization and how much they would allocate for the IT budget, with a certain percentage always going towards cybersecurity.

Interestingly, the NewtonX survey found that the cybersecurity field is not as diverse as one might expect. There was almost no perceptible difference based on company size, and 80% of budgets fell into four categories which are cyber monitoring or operations, endpoint and network security, identity and access management, and app and data protection.

And despite 56% of organizations opting to outsource their cybersecurity needs, many still prefer to keep cybersecurity staff in-house whenever possible. This is why 40% of organizations do not subcontract their cybersecurity at all, regardless of their company size. And those that do, only do subcontract cybersecurity skills from a managed service provider as opposed to third-party staff augmentation.

Is outsourcing cybersecurity skills a concern?

MSPs today offer more than just cybersecurity. They can run an organizations’ entire IT capabilities. This includes security, cloud services, analytics, storage, and such. While MSPs offer a solution to the skills shortage predicament, the reality is, organizations using MSPs will have all their data managed by a third-party organization.

Despite the encryption and security of data, workloads, and more provided, MSPs often provide services to numerous organizations while also being susceptible to cyberattacks. For example, the recent cyberattack on Kaseya, an IT management software firm, led to thousands of its clients being unable to access their IT services.

This is probably the main reason why many organizations prefer not to subcontract their cybersecurity skills. MSPs may plug IT skills gaps, but when it comes to cybersecurity, in-house employees would still be preferred — and likely the more secured — option for companies. Hopefully, with an upward trend in IT upskilling sweeping the nation, the cybersecurity skills shortage problem will experience a downward trend.