by slt2021 919 days ago
The actual reason for mandating companies to spend on cyber is that they are cutting costs on SRE/Ops by outsourcing all KTLO work to India and other offshore countries. If you ever looked at an average S&P 500 company's IT budget, there would be a nontrivial amount dedicated to WITCH (Wipro, Infosys, Tata, Cognizant, HCL and friends) for outsourced KTLO work.

This makes it impossible to do anything meaningful de-novo on a high level, like create a good security architecture as a platform for all dev teams, or adopt a new security platform.

Outsourced companies do only piece work on a ticket-by-ticket basis and require very specific instructions upfront.

Mandating companies to keep in-house cyber staff makes it possible to grow talent in-house and do high-level designs of platforms to keep stuff secure.


Are there any provisions stopping them from outsourcing the cyber security team as well?

Mainly two:

1. Outsource companies are NOT known to be staffed with cyber pros; you won't be able to get a meaningful return on your money. Good security pros will NEVER work for a body shop like Infosys that only focuses on minimizing staff costs.

2. Trust issues. It is much easier to hire an in-house person whom you know and who shows up in the office (and whom you can sue in a US court in case of malice) than some offshore Dunder Mifflin Corp which can disappear and show up under a different name.

Feels like your argument is that they _shouldn't_ outsource cybersecurity, especially if they care about the results.

That never stopped any of these companies from doing it IMHO.

There is a valid use case for outsourcing cybersecurity, like MDR (managed detection and response) and managed IT.

But consider them like any retail fast-food place - you will get a standardized Big Mac, and no à la carte steak.

Legal enforcement of NDAs, non-competes, and being able to chase down some a-hole who steals your intellectual property and sue them. Don't share your secret sauce with people you don't trust, and even if you don't fully trust them, you can at least have legal recourse if they sell your access keys.

Compliance issues. Auditors love hearing that your security and auditing team is a revolving door of random Indian guys.

Quality, as you want your Sec Teams to really give a shit, push back on stuff, and not do the absolute minimum to close a ticket. You get what you pay for, and if you want to pay shit you'll get shit security.

Business integration, as ultimately it's about risk and talking to the business as to what they think is important. The distance between management and security is often a lot smaller, and they'll have the "keys to the castle".

The interesting take to me is those could all apply to legal or accounting. These fields are also vital to a company above a certain size, yet partial or full outsourcing/contracting to an external cabinet is common.

At the end of the day it's a matter of trust ("you get what you pay for" feels weird to apply to Deloitte, for instance. You absolutely get less than what you paid for and they get to pocket most of it; you just don't care enough about the money to want to handle it yourself).