Government data reveals outsourced cyber services are used far more widely in the public sector than the commercial or third sectors, with organisations citing staff shortages and economies of scale
“A high proportion of UK businesses continue to lack staff with the technical skills, incident response skills and governance skills needed to manage their cybersecurity.”
This is the rather downbeat note on which the Cyber security skills in the UK labour market 2023 report begins. The study, which is the latest edition of research published each year by what is now the Department for Science, Innovation and Technology, finds that 50% of organisations have a “basic skills gap” in the field of cyber, while one in three have “more advanced skills gaps”.
Of course, one way to narrow such a gap is to bring in expertise from outside. And the study, which has been led each year so far by Ipsos, has consistently found that this approach seems to be favoured by public sector entities – a far higher proportion of which use outsourced cyber services than organisations in the commercial or third sector.
This year’s study, which was based on data gathered in the latter half of 2022, showed that 52% of public bodies had outsourced at least some of their cyber security provision. Although this has come down somewhat – having been in the high 50s and early 60s in previous years – the figure remains a lot higher than the business sector, where only 33% of firms used outsourced cyber services, and charities, for which the figure is only 18%.
Among those public bodies that do make use of outsourcing, the most widely used service is setting up firewalls on 81%. About three quarters use an external party to: support incident response and recovery; detect and remove malware; create back-ups; and set up new user accounts.
Patching software is on 71% and managing security settings is at 68%, while less commonly outsourced are restricting software installations with 60%, and controlling admin rights on 56%.
The study finds that 28% of public sector entities use a full outsourced security operations centre (SOC) – once again, comfortably ahead of both businesses on 17% and charities on 8%.
Qualitative research included in the study makes it clear that it is not just smaller organisations that rely on commercial partners to help plug gaps in skills or service provision.
Representatives of two public sector bodies – each of which has more than 1,000 employees – revealed that their organisation makes significant use of outsourced services. One said that using a full externally provided SOC offering is far more cost-effective than creating the equivalent set of services in-house.
“It’s all about economies of scale,” they said. “A SOC team is made of people with all sorts of technical disciplines. It needs to be 24/7, they have to work nights. Building that yourself is going to be costly in any organisation. Managed service providers can provide a SOC team that looks after a number of clients.”
Another research respondent said that using an outsourcer helps plug skills gaps that pop up periodically.
“We often find it hard to hold on to staff who have that technical knowledge, but this is compensated by the fact that we outsource more cyber functions to a third party,” they said. “So, this challenge is mitigated somewhat.”
The public sector’s significant use of cyber outsourcing is reinforced by PublicTechnology research earlier this year that showed that the number of cyber-related contracts being awarded by public bodies has more than doubled since the start of the pandemic.
Assessment of data on government’s Contracts Finder online database finds that, during the 2019 calendar year, public sector entities signed 118 commercial engagements featuring the word ‘cyber’ in the contract title or service description. This represented an increase of 30 on the 88 deals awarded in the preceding year – and nearly double the 62 such contracts recorded in 2017.
The number of cyber-related agreements continued to rise in 2020 – during which the coronavirus crisis struck in the early weeks of the year – growing to 167.
In both 2021 and 2022, the volume of cyber deals accelerated again, coming in at 253 and 248, respectively. The 250 cybersecurity-centric contracts now being signed by public bodies each year is more than double the numbers posted prior to the pandemic.