Blog | 05.27.2021

Build your cybersecurity team: Which roles to outsource, which to keep in-house?

In an earlier post we looked at typical headcount costs and other expenditures to build and maintain the full scope of cybersecurity capabilities in-house. Those figures often put a completely internal team out of reach, but the good news is that a strong cybersecurity strategy doesn’t need to be an all-or-nothing effort.

Here we’ll explore the four functional areas within a cybersecurity team—governance, risk, and compliance; threat management; SecOps; and transformation—and break down the various roles within each area. We’ll also look at a high-level assessment of costs versus benefits to help you determine where your company may be best served with resources inside the organization and which should be outsourced.

Governance, risk management, and compliance

One area where midsized companies are often best equipped to scale their cybersecurity capabilities internally is in the governance, risk management, and compliance arena. Whether they report through IT or the broader risk management department—and regardless of any matrix reporting that includes the CISO—the teams needed to effectively oversee these disciplines are generally much smaller than those handling threat management and SecOps, for example. Along with the security transformation group, this team holds ultimate accountability for the organization’s security risk and posture and should be handled internally.

Security transformation

Working closely with the governance, risk management, and compliance teams, the security transformation group comprises another set of disciplines that are often cost effective when assigned to internal resources. The transformation team’s primary function is the evolution of the company’s security architecture as business and risk needs change, owning the roadmap and priority of future initiatives.

By assessing the governance and security transformation functions as a partnership, the best skills to retain in-house include:

  • Security architecture design and implementation
  • Security policies and standards definition and enforcement
  • Security vendor selection and management
  • Security awareness training

When internal staff take on these roles, they can more easily maintain awareness of the organization’s maturity path, helping to ensure alignment between the long-term digital transformation strategy and related cybersecurity initiatives. Effective implementation and integration of new and existing solutions is best achieved through a partner that understands the organization and architecture standards as defined by the security transformation team.

Threat management

The threat management function within a cybersecurity program is highly resource intensive, making it one of the most difficult components to staff and fund internally. This team utilizes expensive tools and platforms to carry out its responsibilities and the need to maintain redundancy across key roles elevates the resource requirements even further.

The value of a relationship with an MDR provider to oversee your threat management function is significant. An experienced partner has all the tools and technologies to monitor and respond to the latest threats in an environment where attack vectors and methods appear, escalate, and change very quickly. When compared against purchasing and maintaining the necessary solutions and infrastructure yourself, services from an MDR provider typically cost between 10% and 25% of what it would cost to operate the threat management function in-house.

Threat management skills that are more cost effective when outsourced to a provider:

  • Platform operational management
  • Threat monitoring
  • Threat content development
  • Threat hunting
  • Incident response


Just as threat management expertise and technologies require significant expense to maintain internally, SecOps demands similar resource investments—both in terms of the niche expertise needed to carry out complex activities as well as the tools and staffing levels to ensure appropriate coverage.

Working with a third party using a shared resource model, where the MDR vendor is focused on SOC operations, provides the critical mass and redundancy you need without the steep costs to maintain those resources yourself. Most commonly, midsized organizations have an under-resourced SOC, which invariably leads to poor staff retention. However, it’s still best to have an individual on staff to maintain a senior-level interface between the SOC and the rest of your organization to oversee and elevate actions where necessary, in most cases this is covered through the interaction with the transformational team. This allows you to exercise appropriate control over new technology selection and implementation, as well as management of those projects. It also empowers your cybersecurity team to retain accountability for the regulatory and compliance requirements of the business, policy definition, and strategy, all without the burden of the underlying platform and operational workload.

Security device management skills to outsource to a provider:

  • Edge security (firewall, CASB, secure web gateway, , etc.)
  • Network security (NAC, wireless, SD networking etc.)
  • Endpoint security (EDR, MDM)
  • Incident remediation
  • Vulnerability scanning and assessment

Looking across the broad spectrum of skills and expertise that underpin an effective cybersecurity strategy, it’s nearly always more cost effective for a midsized enterprise to focus its budget on the governance and strategy components, while outsourcing threat management services to an MDR provider and the bulk of SecOps to an MSSP. The same experienced external partner can fill both roles if its methodologies and capabilities are mature. This arrangement allows for a full 24/7/365 SOC service for a fraction of the cost of building and maintaining it in-house.

With this blend of internal and outside resources, you’re outsourcing the volume work, after-hours work, and pricey platforms to a provider, rather than making those investments directly and running the very real risk they’ll be underutilized and too burdensome financially to sustain. You also don’t need to put money toward the skills requirements to develop the intellectual property necessary for a mature operational model, instead putting that investment on your providers.