The real cost of firing a whole cybersecurity team
Content giant Patreon recently laid off its entire internal cybersecurity team. While it’s publicly known that five employees from the team were let go, the organization didn’t confirm that the whole team had been fired – but a social media post from one of the just-fired individuals implied exactly that.
In any case, news of the company releasing its entire cybersecurity team spread like wildfire. It was a big decision that made many cybersecurity experts wonder: what exactly is this company thinking? Is there any sense in dumping a qualified internal team in exchange for an outsourced provider, just like that?
Nobody will ever know what motivated Patreon to take this route. However, from an external viewpoint, the cybersecurity implications of Patreon’s decision are clear.
Getting rid of established internal expertise is a huge liability
No organization can afford to take risks with cybersecurity posture – but cybersecurity is more pertinent for some organizations than for others. If you provide hosting services for countless content creators with over a billion dollars in revenue, then you’d certainly need to take cybersecurity extremely seriously.
In other words, don’t take large risks.
Firing a middle manager or one to two staff members would be a risk on its own, but it would be a manageable risk. Firing your entire security team all in one go – now that’s taking a colossal risk.
We don’t know why Patreon fired their entire internal security team, but it seems like that’s exactly what happened. It’s not difficult to predict negative consequences because losing an entire internal team means losing an incalculable amount of organizational knowledge.
Internal teams have “soft” knowledge of deep system interdependencies accumulated over time. Fire the internal team and you lose all that soft knowledge. And, in most cases, there’s no way to retrieve the lost knowledge because this soft knowledge is rarely written down somewhere.
Over time, knowledge can be rebuilt, but it’s not easy – and chances are that an organization would need to go without important cybersecurity know-how for a substantial period of time.
So, what does the replacement (probably) look like?
Patreon didn’t fire their security team just to leave nothing in place. The company likely decided to outsource instead.
Presumably, it’s a highly capable outsourced service provider that – while not in possession of the knowledge of the outgoing team – would still bring serious cybersecurity skills to the table.
But there’s another question in the in-house vs. outsourced debate: exactly how dedicated will the outsourced security team be?
We’d argue that even the most knowledgeable contractors will never have the same level of buy-in as internal employees. Patreon would have had far more in the way of dedication and responsiveness from the internal team.
Contractors keep an eye on security because they’re contracted to do so, but contractors will never take care of security with the same level of buy-in as an internal team. They are simply less invested in the safety of an organization’s systems, and it affects the speed and dedication with which security challenges are resolved.
Yes, security contractors are tied into SLAs that guide performance standards, but the fact of the matter remains that one client’s demands will compete with another’s. In a crisis, there’s a real question of whether a contractor will take the situation as seriously as an internal team would.
In the middle of a major security incident, the last thing you want is a contractor employee sitting and watching the clock while dealing with the crisis your organization is facing.
Can Patreon reverse course?
Firing an internal team and hiring a contractor is one thing – and it can happen quickly. Rebuilding an internal team from scratch is another story altogether. It’s an important point to take into consideration when making this type of decision: how easy is it to reverse the decision if we need to?
Talent acquisition is, at the moment anyway, a major challenge in the world of technology. Hanging on to the talent you have is pretty hard. Hiring one new team member is tougher, and rebuilding an entire team is an even greater challenge.
It’s not just a matter of expense – and it’s going to be expensive, given the training requirements and everything else that creating a whole team from scratch involves.
The bigger question: is it feasible at all? And how many months will it take?
Taking talent acquisition for granted is a bad idea and Patreon may well have made a decision that’s essentially irreversible, tethering itself to contractors and the associated drawbacks for some time.
Thinking about the outcome
There’s no reason to think that Patreon isn’t a well-run company with qualified executives, so one would assume there was valid reasoning behind the decision and that the executive team had an outcome in mind.
Was it a cost-saving exercise? Possibly. But here’s the important point to remember about the value of a highly trained internal team: internal teams are built up with care over time and are intended to save money when it really matters.
What do we mean by that? Well, you may save money by outsourcing cybersecurity and firing expensive internal employees. But when you’re in a bona fide cybersecurity crisis, your internal team is most likely the team that will respond the fastest and the most effectively – saving you from far greater attack damage.
In other words, your internal team saves you money when it really matters by reducing both the overall harm done and the resulting clean-up costs.
That’s the irony, of course, about a well-funded internal security team: the team often has nothing to show for their efforts because efforts are directed at avoiding noisy security incidents.
Good internal cybersecurity gains you an absence of incidents – and an absence of the massive, catastrophic costs associated with these incidents.
Yes, you might save some money with an outsourced team, but – at the same time– you could end up paying an enormous sum to pick up the pieces after a cybersecurity incident.
At the end of the day, what did Patreon gain?
That’s the big question we and everyone else are asking.
Again, we can only speculate on the reasoning behind Patreon’s decision, and a likely candidate is cost savings. Yet Patreon may end up paying a lot more if their decision goes awry and a successful breach does happen (and what better target than a company that’s just fired its security team…?).
There could, of course, be another valid reason – from incompetence on the side of the internal team to interpersonal issues or something else. Either way, it doesn’t send a good signal and it’s generated plenty of bad press for Patreon.
And what are the creators that are using Patreon supposed to think?
From our perspective, it’s difficult to foresee a good outcome for anyone involved, and we’d urge strong caution for any organization that’s considering such a move.