Woman on an IT detection and response team reporting results on a tablet

May 9, 2024

The Cost-Benefit Analysis of Outsourcing Cybersecurity in Higher Education

By: Jacob Picart

IT leaders at academic institutions face significant insider risks, strict compliance requirements, and universally tight budgets. Compared to the average commercial enterprise network, every user in a higher education environment represents a much higher level of risk.

At the same time, today’s security threats are more disruptive than ever. Executive decision-makers have to contend with cybersecurity risks that can cause catastrophic damage to campus equipment and operations. If hackers attack an unprepared university and demand half a million dollars in ransom, campus leadership may feel intense pressure to pay.1

Facing these risks in the unique security environment of a higher education institution comes with steep challenges. Instead of putting additional pressure on small IT teams with resources already stretched thin, some campus IT leaders proactively address security risks by leveraging reputable managed security service providers.

Higher education comes with unique security challenges

Higher education security threats span a wide spectrum. Security leaders must safeguard the institution from external threat actors, malicious insiders, and advanced persistent threats that bypass perimeter defenses.

Many security technologies are designed with commercial enterprises in mind. This makes for an uneasy fit into the unique context of a university campus.

Some of the unique security challenges that universities face include:

These challenges set a standard for higher education security teams to meet. They all factor into the strategic decision between developing in-house security operations or delegating security to a reputable third-party service vendor.

Cost-benefit analysis of in-house vs. outsourced IT security 

Defending against complex threats requires adopting a comprehensive approach to university security along zero trust principles. Before adopting best-in-class security solutions, university leaders must choose between developing their own internal capabilities and outsourcing security to managed service providers.

Achieving operational security excellence is an exercise in risk management. University IT leaders are used to making difficult decisions and accepting a certain level of risk due to time and resource constraints. However, third-party IT security partnerships supported by advanced technology may reduce overall security risk considerably.

In-house security operations provide visibility and control, but at high cost

University leaders who focus on developing security architecture internally gain total visibility and control over the process. The risk of vendor lock-in is significantly lower because the team chooses which technologies to implement based on their needs.

At the same time, internal security personnel gain deep knowledge of the unique characteristics of the university IT environment. They do not divide their time between multiple clients, ensuring the institution’s security needs always come first.

However, developing internal security capabilities means building and staffing your own Security Operations Center (SOC). Achieving 24/7 security coverage requires hiring at least eight analysts. According to US Bureau of Labor Statistics payroll data, that means paying $1.2 million in salaries, taxes, and benefits in the first year alone.2

This calculation doesn’t include additional costs for technological implementation and licensing. For a campus with 5000 users, basic security implementation can run between $150,000 to $500,000. Some technology vendor pricing models may lead to higher costs since they’re designed for enterprise businesses instead of university campuses.

Choosing open-source technologies will not necessarily reduce these costs, either—they will transform them into higher staffing and personnel costs. Implementing open-source software means conducting your own code maintenance, assuming responsibility for open-source management, and performing legal and compliance checks on your own. 

These aren’t activities your security analysts can do on their own. Instead, you’ll need to hire network security architects, which can cost an additional $127,000 per year per person.3

High costs may cause university leadership to take an ad hoc, piecemeal approach to information security. This dramatically increases the risks associated with security misconfigurations and incomplete implementations. Additionally, it introduces stubborn obstacles to achieving GLBA and NIST compliance.

Outsourced security providers alleviate internal burden and provide specialist expertise

Managed detection and response vendors provide SOC-as-a-service capabilities that scale according to the institution’s needs. They offer comprehensive solutions that include personnel, technology, and compliance in a single, unified package.

Unlike the internal strategy, these services come with a low, predictable cost. Managed security service providers can scale upwards on an as-needed basis—like diverting specialist expertise and resources to incident response the moment a critical threat is detected. This is not possible with a purely in-house approach.

A managed detection and response vendor that provides 24/7 monitoring and response allows universities to allocate internal resources more effectively. Instead of reacting to security alerts and ransomware threats, internal IT staff can proactively work on higher-impact strategic initiatives.

Limited visibility is one of the main drawbacks to working with a managed detection and response vendor, although different vendors offer varying levels of operational transparency. Institutions that partner with reputable, high-quality providers with experience in higher education are much more likely to gain visibility into security operations.

Similarly, not all vendors are equally familiar with GLBA and NIST compliance, especially in the education sector. Partnering with the wrong vendor can make achieving compliance an uphill battle.

Partnering with an experienced managed service provider drives long-term value

Experts predict the managed security service market to grow at 14% per year for the next decade. That makes a remarkably wide range of service offerings available to university leadership, with results that may vary dramatically from one vendor to the next.

Developing niche, sector-oriented security providers is part of this industry-wide expansion. There is no longer any need for a higher education institution to partner with a generalist security provider.

Partnering with a managed security service provider with experience in the education sector resolves many of the disadvantages of outsourcing:

Outsourced SecurityIn-house Security
ProsConsProsCons
Much lower staffing costsLimited direct control over analystsDirect control over analysts’ activitiesHigh operating costs
Specialist expertise included in the serviceMay not know your organization’s security needs well.Deep knowledge of internal security programHard to find specialist expertise
Implementation included in the serviceNot all vendors and technologies may be supportedYou choose which technologies you want to implementSuccessful implementation requires specialist expertise
Able to attract and retain more experienced talentIndividual analysts are not dedicated to your company aloneYour security team does not divide its team between multiple clientsYour team has less experience handling a wide range of security issues
24/7 coverage available with predictable low monthly costYou may not be able to make direct changes to security policies at any moment.You retain control over your security program, policies, and technologies.24/7 coverage requires managing full-time employees, with constantly increasing costs.
Scalability is built into the service.Compliance may be easier to achieve, but harder to demonstrate.Compliance may be easier to demonstrate, but harder to achieve.Scalability means hiring new full-time employees and buying new licenses.

Built upon more than two decades of exclusive service to higher education institutions, Apogee Security Services help university IT leaders overcome resource and expertise gaps to comprehensively address IT security and compliance requirements. 

Apogee vCISO Services makes expert, higher ed-tailored security leadership and program oversight obtainable for budget and resource-strained teams. While essential tools like security risk assessments and managed detection and response  help build the framework for maintaining compliance and a robust IT security posture. 


1SC Media, “Separate ransomware attacks reported by Illinois county college,” March 2024. Accessed April 10 2024. 

2US Bureau of Labor Statistics, “Occupational Outlook Handbook: Information Security Analysts,” September 2023. Accessed April 10 2024.

3US Bureau of Labor Statistics, “Occupational Outlook Handbook: Computer Network Architects,” September 2023. Accessed April 10 2024.

Jacob Picart

ABOUT THE AUTHOR

Jacob Picart

Vice President, Security Services Jacob Picart joined Apogee in 2023 as member of the Executive Leadership Team. In his current role, Jacob is sharing his extensive experience in security compliance and related technologies, Amazon Web Services and Microsoft Azure cloud services, and network services for the benefit of Apogee and its higher ed clients. He is responsible for expanding the company’s comprehensive portfolio of information security services for colleges and universities. He is also responsible for continuously improving internal security processes and procedures at Apogee. Prior to joining Apogee, Jacob held various roles including serving as a cyber security architect, cloud solutions architect, and network and system engineer; leading a Managed Services Provider practice; and serving as an adjunct instructor of technology at a San Francisco-based business school, where he taught classes on Cisco-based networking, wireless, Microsoft and Linux server administration, infosec security, and ethical hacking. Picart is a member of the CompTIA Community and a past member of the EC Council. He has earned multiple AWS and Azure cloud certifications. He also has attained Certified Ethical Hacker (CEH), Microsoft Certified Professional (MCP), Microsoft Certified Security, Compliance and Identity Engineer, AWS and Azure Solutions Architect, CompTIA Network+ and Security+ certifications including various designations from industry leaders such as Splunk, Palo Alto Networks, and Brocade. Most recently, Picart obtained the Certified Information Systems Security Professional (CISSP) certification from the International Information System Security Certification Consortium (also known as ISC2).

Read Full Author Bio