The cost and burden of cybersecurity incidents are tremendous and can runaway very quickly if not managed correctly. The average cost of a data breach across Small/Midsize Businesses (SMBs) and nonprofits is over $200,000 per incident. Unfortunately, only 14% of SMBs have the tools and resources to prevent these breaches under their control.

To help mitigate the never-ending wave of threats, SMBs today are considering just how to develop a comprehensive and cost-effective cybersecurity program. Companies have two choices for their team: in-house or outsourced.

Goliath’s Cybersecurity programs can help reduce your cybersecurity cost and burden by taking the technical responsibilities off your hands. We can be your cyber team, saving you hundreds of thousands of dollars in onboarding and build out, or augmenting your existing team with our expertise, thus multiplying the effectiveness and value.

But before you make a choice merely trusting us (which would be okay with us), or tell you what we recommend, let us further analyze each option.

In-House versus Outsourced

In-house cybersecurity teams typically consist of one or more cybersecurity experts led by a Chief Information Security Officer (CISO). These are professionals that you will have to find in the talent pool, hire, train, and coordinate with to execute security strategies to mitigate every conceivable threat in the entire cyber landscape.

Conversely, outsourced cybersecurity solutions (i.e., managed security services) are fully managed security solutions that exist outside of your organization and coordinate with your business to mitigate risks with 24/7 monitoring, detection, prevention, and mitigation. Depending upon the outsourced cybersecurity solution you choose, they may also include security training for your employees, next-gen firewalls, and device security configuration services.

When weighing the options for your SMB, some things to consider are:

  • Overall cost
  • Business time commitments
  • Management responsibilities
  • Ability to meet non-technical needs (e.g., training, policies, etc.)

Let’s break down each of the above (and more) …


In-house cybersecurity teams aren’t cheap.

Let’s start with salaries, Cybersecurity staff average annual salaries (without Benefits and Bonus, for arguments’ sake) …

  • CISO = $175,876 – $300,775
  • Cybersecurity Lead = $150,000 – $225,000
  • Cyber Security Engineer = $120,000 – $210,000
  • Cyber Security Analyst = $95,000 – $160,000
  • Penetration Tester = $80,000 to $130,000
  • Network Security Engineer = $125,000 to $185,000

*** You will need more than one security analyst, especially since you’ll need 24/7 around-the clock monitoring and risk mitigation. The bad actors can strike at any time — not just when you’re awake***

Range: $250,000 to $1,200,000

That’s just salary. In a hot market like cybersecurity (currently sits at a 0% unemployment rate), you’re going to have to offer a full package of benefits. These account for roughly 30% of employee costs though those costs can rise for SMB’s who must pay more than larger companies for benefits due to the law of Economies of Scale.

Then, you must figure in training…

  • Training and onboarding a new employee $5,000 (average)
  • Wait for productivity to kick in as new employees adapt – Every day without productivity costs the company

What about products and tools?

  • Endpoint and Network Security product H/W and S/W licensing
    • Estimated – $30,000 – $75,000/yr
    • Implementation & Training Cost – additional $
  • Security Tools (SIEM)
    • Estimated – $10,000 – $40,000/yr
    • Implementation & Training Cost – additional $
  • Security Automation Software
    • Estimated – $10,000 – $30,000/yr
    • Implementation & Training Cost – additional $

Additional costs (which may be too unpredictable to forecast)

  • Office space (if working remote a stipend for a resource using home office)
  • Computers & Mobile Devices
  • Equipment – monitors, phones, headsets, etc….
  • And all the other odds-and-ends that go into making a productive security team

Final tally could be $1.5 Million for a Midsize Business, and at least $300,000 for the smallest of business that most comply with government laws.

Time Commitment

In-house cybersecurity is a time sink. Even if we ignore the time it takes to find talent, hire them, train them, and make them fully productive, the time it takes to implement the right suite of tools, test all your security applications, and create a flexible, highly useable tech stack can be a very large task. You also must spend significant time and resources developing standard operating procedures and policy frameworks for those cybersecurity programs.

For starters you must…

  • Implement & Configure software solutions to help your team immediately detect risks
  • Implement and test all your other security apps
  • All while training your employees how to use them. This can incur additional costs from vendor training courses and certifications.

All this technology and time also limits your scalability. If you need to expand, not only do you have to find fresh new faces on the talent marketplace, but you must train those new employees and fully integrate them with your company culture. The cycle from above just repeats itself endlessly as the costs associated with it skyrocket.

On average it can take months, but in reality, over a year, to build out an in-house cybersecurity program, especially when you include technical training. And by the way- this is all only considering today’s threats… not the ever-expanding multitude of unpredictable threats in the future. The whole team has to catch up with the next big threat, even after years of cultivation after today’s built out.

Management Responsibilities

Managing in-house Cyber Security programs requires a lot of oversight. Between ballooning ransomware attacks and growing cloud-based attacks, you’ll likely have to hire a CISO to oversee your security team.

While that top-dollar CISO will certainly help alleviate some of that pain, management will still need to be heavily involved throughout the duration of the program. You must have the right Human Resources program to facilitate training and recruitment, and you’ll certainly need a chain of command to help keep all your new employees adequately supported and aligned.

Further, one of the key pain points for in-house teams is the financial support you’ll need to support all this management. You won’t be working with concrete numbers. The costs of your in-house Cybersecurity program will fluctuate, and you will have to be financially flexible enough to incorporate varying training costs, tool costs, and management costs. Remember time that you or your other managers spend on this new team is technically a cost — since they (or you) could be focused on other critical work and revenue capturing activities during this time.

Non-technical Needs

While many organizations like to think of cybersecurity as a purely technical pursuit, today’s Cybersecurity programs have more to do with business than tech. From governance and compliance (e.g., Safeguards rule, HIPPA, CCPA, GDPR, local, state, federal, etc.) to security policies and standard operating procedures, Cybersecurity programs reach far beyond the computer.

You need documentation and change control, and you need the right reporting features to ensure that you’re compliant, comprehensive, and accurately detecting threats. Part of the Cybersecurity program also involves employee training. Believe it or not, your employees are your biggest security risk. You need to train them on the proper protocols — including using multi-factor authentication, securing files, and ignoring those malicious phishing emails.

If you’re planning on using an in-house team, you must handle all this alone. And that’s a big bucket of responsibilities! In fact, the ever-changing regulatory landscape of data and security alone can completely consume your business. When you factor in cybersecurity insurance, financial audits, and all the technical needs — like monitoring and data protection — you can quickly run into a brick wall.

Another Way

Goliath is passionate about helping businesses avoid cyber-attacks and keeping them secure with the best cyber security tools & techniques used in the industry today. We can help you identify what security practices are best to meet your budget and business needs.

Once the Goliath team has fully integrated with your business, your work is done. Goliath will be accountable for the overall management and oversight of your Cyber Security program.

This means that you don’t have to invest in a CISO, and you don’t have to spend precious time dealing with day-to-day cybersecurity workflows or management. Instead, Goliath allows you to focus on what really matters — growing your business.

Additionally, we will work with you to review your policies, identify your needs, and integrate the right technology to help you. But you don’t have to worry about all tech selection, testing, or tool knowledge. Instead, The Goliath Cyber Advisory team will identify the right solution for you and implement it throughout your organization. We can have a solution deployed within weeks (if not sooner), and we’re not here to up-sell you on the fanciest, shiniest new security product that you can’t even pronounce. Our purpose is to protect your business with the proper level of cybersecurity solutions for now and the future.


As your trusted Cyber partner, Goliath’s Cybersecurity programs help you reduce your cybersecurity cost and burden by taking the technical responsibilities off your hands. You don’t need to worry about any of the resourcing. You’ll have a fully staffed 24/7 team with cybersecurity analysts experienced in dealing with all kinds of threats and attacks. Our teams’ experience of assisting and managing different businesses will give you a full view of the threat landscape and how best to respond to each incident.

Goliath provides full visibility of all activities so you can easily report back to your senior leadership team.

We also have the knowledge and experience to test your security processes to continually enhance your security posture. And in the event of a breach, we support your response, resolution and lessons learned.

In short, Goliath saves you time and resources on software and employees, and it gives you the scale and flexibility to handle the surge of security threats without an expensive in-house security program. Goliath’s Cybersecurity programs can help reduce your cybersecurity cost and burden. We can be your 24/7 cyber team- in part or as a whole- saving you time, money, and stress.

Click here to contact us today and lets discuss how we can be your Trusted Advisor and make that burden a fraction of the cost.


Comments are closed