What on earth were they thinking? That's what we – and other security experts – were wondering when content giant Patreon recently dismissed its entire internal cybersecurity team in exchange for outsourced services.
Of course, we don't know the true motivations for this move. But, as outsiders looking in, we can say that the cybersecurity implications of such a decision would be inescapable for any organization.
Fire the internal team and you take a huge risk
Patreon is a content-creator site that handles billions of dollars in revenue. For reasons unknown to us, Patreon fired not just a couple of staff members or someone in middle management. No: the company fired its entire security team.
It's a big decision with significant consequences because it results in an incalculable loss of organizational knowledge. At the technical level, it's a loss of soft knowledge around deep system interdependencies that internal security experts accumulate over time and simply "know" about, knowledge that is rarely, if ever, written down.
Fire the team, and all that knowledge is gone. Can it be rebuilt? Possibly, but in the middle of a crisis, how long will it take an external team to figure things out? It's anybody's guess, but it won't be easy.
The "buy-in" and the "right now"
There are two other things to worry about when weighing in-house against outsourced teams, and when firing your in-house team: dedication and responsiveness.
No matter how knowledgeable a contractor is, a contractor will never have the same buy-in that you get from your internal employee managing your systems at your company. After all, contractors look at a system because they're contracted to and will never fully integrate into the company culture.
That affects the dedication and speed with which issues are resolved and how invested a team is in fixing a problem. Yes, SLAs can guide performance standards, but when it matters, in a crisis, an SLA will never replicate the urgent sense of "right now" that you have with a dedicated, internal team.
Sure, internal teams might not be able to solve a problem instantly. Still, in the middle of a security crisis, the last thing you want is a group of contractors watching the clock and splitting their attention across several clients.
Forget about replacing lost talent
When making a significant decision such as this, another point to consider: can we reverse the decision if we regret it? Yes, given enough time, Patreon could rebuild the capabilities and knowledge they lost. But can the company find the talent to do it?
Talent acquisition is a significant problem in the tech market – retaining talent is tough, and hiring new talent is even more challenging. Either way, it will take months and months to rebuild a moderate level of competence.
It will also come at great expense as recruits take time to understand their new environment and how its intricacies differ from other environments they worked in. Much of this is learned through experience – no "best practices" manual can cover it thoroughly.
Is the net result as intended?
We don't know why Patreon made this decision, but it could be a cost-saving measure, the common motivation for outsourcing. But here's the thing: investing in an internal cybersecurity team that's truly on top of things is designed to save you costs when it counts.
When an organization's systems are under attack, a deeply ingrained, highly trained internal team will already have done the work to prevent a successful breach. All that hard work, dedication, and knowledge add up to highly secure systems.
That's a challenge for cybersecurity: when a well-funded and motivated team does its job well, there's nothing to show for it except for the absence of incidents. On the flip side, incidents resulting from inadequate security delivered by a (cheaper?) external contractor can be incredibly costly to deal with and clean up.
Bad for press, bad for finances, bad for security
Was there a valid reason other than cost savings for dismissing an entire in-house cybersecurity team? Lack of competence, insider risk, interpersonal issues, lack of communication, or failure to achieve business goals? These would all be valid reasons.
Yet even if there's a valid reason, the outcome won't be good. Massive, sudden changes in a cybersecurity regime send the wrong signal and attract bad press coverage. This, in turn, can lead to a loss of trust with the creators that drive Patreon's bottom line.
The most significant risk, however, is a cybersecurity failure, and firing an entire internal security team makes that failure more likely. Was the internal team incompetent? Perhaps the better solution would have been combining internal knowledge with external expertise.
With nobody now at the helm, we think that Patreon's move just won't work out well for its security efforts, and there is a real risk that it won't work out well for the creators who continue trusting Patreon with their content either.
Cybersecurity is not getting any easier, and finding reputable and reliable outside help is not getting easier either. When weighing your options, you should double-check your situation before committing to such a move. Even if it were the best decision, the reputational stain would be tough to remove.