What the hell were they thinking? That’s what we — and other security experts — were asking when content giant Patreon recently laid off its entire in-house cybersecurity team in exchange for outsourced services.
Of course, we do not know the true motivations behind this move. But, as outside observers, we can say that the cybersecurity implications of such a decision would be hard to avoid for any organization.
Fire the internal team and you take a huge risk
Patreon is a content creation site that manages billions of dollars in revenue. For reasons unknown to us, Patreon did not fire just a few staff members or a middle manager. No: the company has laid off its entire security team.
It is a big decision with important consequences because it leads to an incalculable loss of organizational knowledge. On a technical level, it means losing the understanding of deep system interdependencies that internal security experts accumulate only over time, knowledge that is rarely written down.
Fire the team, and all that knowledge is gone. Can it be rebuilt? Maybe, but in the middle of a crisis, how long will it take for an external team to figure things out? Anyone can guess, but it won’t be easy.
The “buy-in” and the “now”
There are two other things to worry about when weighing in-house against outsourced teams and considering firing your in-house team: dedication and responsiveness.
No matter how knowledgeable a contractor is, a contractor will never have the same buy-in that you get from an internal employee who manages your systems in your business. After all, contractors look at a system because they are under contract, and they will never fully fit into the corporate culture.
This affects the dedication and speed with which issues are resolved and a team’s investment in resolving an issue. Yes, SLAs can guide performance standards, but when it matters, in a crisis, an SLA will never replicate the sense of “now” urgency you have with a dedicated internal team.
Of course, internal teams may not be able to fix a problem instantly. Yet, in the midst of a security crisis, the last thing you want is a bunch of contractors watching the clock and dividing their attention among multiple clients.
Forget about replacing lost talent
When making an important decision like this, another point to consider: can we reverse the decision if we regret it? Yes, given enough time, Patreon could rebuild the skills and knowledge they lost. But can the company find the talent to do so?
Talent acquisition is a big issue in the tech market – retaining talent is hard and hiring new talent is even harder. Either way, it will take months and months to rebuild a moderate skill level.
It will also be very expensive, as recruits take the time to understand their new environment and how its intricacies differ from other environments they have worked in. Much of this is learned through experience – no “best practices” manual can cover this in depth.
Is the net result as expected?
We don’t know why Patreon made this decision, but it could be a cost-cutting measure, the most common motivation for outsourcing. But here’s the thing: investing in an in-house cybersecurity team that really gets it right is meant to save you costs when it counts.
When an organization’s systems are attacked, a deep-rooted and highly skilled internal team will have worked to prevent a successful breach. All that hard work, dedication, and knowledge adds up to highly secure systems.
This is a challenge for cybersecurity: when a well-funded and motivated team does its job well, there is nothing to show for it except the absence of incidents. On the other hand, incidents resulting from inadequate security provided by an external (cheaper?) contractor can be extremely expensive to deal with and clean up.
Bad for the press, bad for finances, bad for security
Was there a valid reason other than cost savings to lay off an entire in-house cybersecurity team? Lack of competence, internal risk, interpersonal problems, lack of communication or inability to achieve business objectives? These would all be valid reasons.
Yet, even if there is a valid reason, the result will not be good. The media coverage is bad, as massive and sudden changes in a cybersecurity regime send the wrong signal. This, in turn, can lead to a loss of trust with the creators who drive Patreon’s results.
The biggest risk when laying off an entire internal security team is a cybersecurity failure. Was the internal team incompetent? Perhaps the best solution would have been to combine internal knowledge with external expertise.
With no one now at the helm, we think Patreon’s decision just won’t work well for its security efforts, and there is a risk that it won’t work well for the creators who continue to trust Patreon with their content.
Cybersecurity doesn’t get any easier, and finding trustworthy and reliable outside help doesn’t get any easier either. When weighing your options, you need to double-check your situation before committing to such a move. Even if it was the best decision, the reputation stain would be hard to remove.