- Hana Skoupá
The new Cybersecurity Act (according to the NIS2) defines the security roles that companies must have, depending on whether they fall under a higher or lower regime of obligations. The question is: Who should fill these roles? An internal person or an external contractor? The decision is not easy and depends on the type of company, its size, industry, and current capacities. In this article, we will focus on the most complex role – the cybersecurity manager.
Security roles according to regimes
- We wrote about the responsibilities and requirements related to security roles in an earlier article.
Cyber Security Manager
A cybersecurity manager is responsible for setting up, maintaining, and developing a cybersecurity system. They set security measures, communicate with management, manage the information protection system, set rules, and ensure that they are followed. In practice, this often involves a combination of strategic and operational work, from policy development to incident response.
They need to understand the organisation's processes and its risks, and be able to communicate across departments. They also act as a "translator" – they can turn technical requirements into business language and vice versa. If this does not work, the system may exist "on paper", but in reality no one is interested in it and therefore it does not work.
Why an internal employee?
Benefits
- Deep knowledge of the company environment: The internal cybersecurity manager knows the culture, processes, and key people in the company.
- Quick response: They are available on site and can quickly resolve incidents and operational requests.
- Consistency and long-term development: They can systematically build a security strategy and culture within the company.
Disadvantages
- High costs: A qualified cybersecurity expert is a senior role, and the salary reflects it. Additional training and professional development are often required.
- Difficult to replace: If an employee leaves, there is a risk of losing know-how and a delay in finding a suitable replacement.
- Risk of professional blindness: A long-term internal perspective can lead to overlooking new trends and threats. Without outside support, internal roles can stagnate or be "alone against everyone."
- Difficulty finding qualified people: The market for cybersecurity professionals is overstretched, and experienced cybersecurity managers are in short supply.
When is outsourcing reasonable?
An outsourced manager brings experience from multiple environments. They can quickly get their bearings, set priorities, and avoid dead ends. They also have perspective, and to a certain extent, not being burdened by the internal culture can be an advantage.
In practice, outsourcing involves a company "hiring" an external expert or team to perform the role of cybersecurity manager on a contract basis (for example, two days a month or as needed).
Benefits
- Flexibility and scalability: The scope of services can be adjusted according to the company's current needs. In the case of a larger project, capacity can be quickly increased.
- Access to expertise: External specialists follow current trends, have experience from various companies, and are familiar with current legislative requirements (e.g., nZKB according to NIS2, ISO 27001, DORA, TISAX, and other standards).
- Cost savings: You only pay for the work actually done; you don't have to deal with benefits, vacations, or recruitment.
- Independent perspective: An external specialist often uncovers weaknesses that an internal team would overlook.
Disadvantages
- Less knowledge of the internal environment: An outsourced manager needs time to understand the specifics of the company and get their bearings in the environment.
- Availability: If the external contractor is not hired on a full-time basis, they may not always be immediately available in the event of a crisis.
- Need for quality communication and cooperation: Success depends on good cooperation and clearly set expectations.
- Need for trust: External roles must have access to sensitive data and management support.
Which option should you choose?
The internal role of cybersecurity manager is suitable for companies that have:
- a high amount of security tasks,
- complex infrastructure,
- a need for continuous development of a security culture,
- a sufficient budget for a high-quality expert.
An outsourced cybersecurity manager is suitable for companies that:
- have a limited budget,
- need to quickly meet legislative requirements (e.g., the new NIS2 law),
- are looking for a part-time expert,
- want an independent audit and an outside perspective.
In many cases, a "temporary" solution has proven successful – an external manager sets the foundation, helps the company navigate the new requirements and the entire system, and trains an internal person who will take over the role. The advantage is that you gain both the system and the knowledge.
Example: An IT services startup hired an external cybersecurity manager for six months. During that time, a risk analysis was conducted, security policies were created, and preparations for ISO 27001 began. In the meantime, an internal employee was trained, gradually becoming involved in the preparations, and after six months took over the role of cybersecurity manager.
How much does a cybersecurity manager cost?
The decision should not be based solely on money, but budget obviously plays a role. For smaller companies, it is often more advantageous to use an external form, where you buy a specific result and do not have to deal with recruitment. You should include this basic cost package in your calculation:
- An internal manager = fixed costs (salary, benefits, training)
- An outsourced manager = costs based on scope (e.g., 3 days per month, project-based)
What the Cybersecurity Act says
Companies subject to higher obligations will have to appoint a cybersecurity manager. Although this obligation does not apply to companies subject to lower obligations, they must still clearly designate a person responsible for cybersecurity who will perform similar tasks, although to a lesser extent.
The Act does not require the cybersecurity manager to be an internal employee. They may be an external contractor, but it is important that they have:
- clearly defined roles and responsibilities,
- access to information within the company,
- management support,
- appropriate knowledge and experience.
Beware of formal "outsourcing" done just for the sake of having the title of cybersecurity manager somewhere on paper. If the cybersecurity manager has no real influence on setting up the information security system and managing cybersecurity, it is a worthless piece of paper and often a problem during inspections or audits.
How to decide?
Each option has its pros and cons. It is important to know what you expect from the role – and choose accordingly. A cybersecurity manager is not a technician. It is a strategic role that connects security with business.
The best solution is often not black and white. In many cases, it makes sense to start externally and gradually prepare the role internally so that the company can identify with it and continue to work with it. When deciding:
- Map the company's current and future cybersecurity needs. Consider the type of services and your size.
- Consider the costs of salary, training, benefits, and the time required for recruitment.
- When outsourcing, check the supplier's references and competencies, and set clear SLAs (availability, response times).
- For an internal manager, expect the need for continuous training and a plan for replacement in case of absence.