
Why Outsourcing Security Isn't Enough

I have witnessed this scenario more times than I would care to count: a promising startup or growing company proudly tells me they have "sorted their cybersecurity" by engaging a managed security provider. They have ticked the box, satisfied their investors or clients, and moved on to focus on what they do best.

But while they are celebrating their outsourced security solution, someone from their internal IT team is quietly making a "small" configuration change to a server. Maybe they are opening a port for testing, adjusting database permissions, or tweaking cloud storage settings. It seems innocuous enough. It is just a quick fix to keep development moving.

Then the inevitable happens. A database gets accidentally exposed. An S3 bucket becomes publicly readable. A service meant for internal use suddenly faces the internet. I have seen companies discover their customer data sitting openly on AWS, visible to anyone who knew where to look, all because a checkbox was ticked in the wrong place during what should have been a routine configuration change.
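The bucket exposure described above is exactly the kind of change a small pre-deploy check can catch. The following Python is an added example, not code from the original article: it takes a bucket policy, the ACL grants and the Block Public Access settings in the shape the AWS CLI returns them (`aws s3api get-bucket-policy`, `get-bucket-acl`, `get-public-access-block`) and reports every path that makes the bucket readable by the world. The bucket name, account ID, role name and sample inputs are constructed for the example.

```python
# Added example (not from the original article): a pre-deploy check that
# flags the three ways an S3 bucket ends up world-readable. Inputs are in
# the shape returned by `aws s3api get-bucket-policy`, `get-bucket-acl`
# and `get-public-access-block`; the sample values below are constructed,
# with an invented bucket name, account ID and role name.
import json
from typing import List, Optional

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value) -> list:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (everyone, signed or not)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_access(bucket_policy: Optional[str], acl_grants: list,
                       public_access_block: dict) -> List[str]:
    """Return one human-readable finding per public-exposure path; [] if clean."""
    findings = []

    # 1. Bucket policy: an Allow to everyone, with or without a Condition.
    if bucket_policy:
        for st in _as_list(json.loads(bucket_policy).get("Statement")):
            if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
                continue
            sid, actions = st.get("Sid", "<no Sid>"), _as_list(st.get("Action"))
            if "Condition" in st:
                findings.append(f"policy {sid}: Allow to Principal * on {actions}, "
                                "limited only by a Condition; review it")
            else:
                findings.append(f"policy {sid}: Allow to Principal * on {actions} "
                                "with no Condition (public)")

    # 2. Legacy ACL grants to the AllUsers / AuthenticatedUsers groups.
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        perm = grant.get("Permission")
        if uri == ALL_USERS:
            findings.append(f"ACL grants {perm} to AllUsers (public)")
        elif uri == AUTH_USERS:
            findings.append(f"ACL grants {perm} to AuthenticatedUsers (any AWS account)")

    # 3. Block Public Access: all four settings should be on; they are the
    #    backstop that makes the first two findings harmless.
    off = [k for k in PAB_KEYS if not public_access_block.get(k, False)]
    if off:
        findings.append("Block Public Access not fully enabled: " + ", ".join(off))
    return findings


# Constructed sample: the "quick fix for testing" that exposes customer data.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DevTestRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-customer-exports/*"}],
})
EXPOSED_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
EXPOSED_PAB = {k: False for k in PAB_KEYS}

# The corrected form: access only to a named role, no group grants, backstop on.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ExportReaderOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-customer-exports/*"}],
})
HARDENED_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                 "Permission": "FULL_CONTROL"}]
HARDENED_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    for name, args in (("exposed", (EXPOSED_POLICY, EXPOSED_ACL, EXPOSED_PAB)),
                       ("hardened", (HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB))):
        print(name, find_public_access(*args) or ["clean"])
```

Run against the exposed sample it reports three findings (the wildcard policy statement, the AllUsers ACL grant, and all four Block Public Access settings off); the hardened sample reports none. A statement that allows everyone but carries a Condition is reported separately for review rather than silently passed, since whether a `aws:SourceVpce` or `aws:SourceIp` condition actually narrows access depends on its value.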

The Managed Security Provider Paradox

Managed security providers are excellent at what they do. They monitor networks, manage firewalls, respond to incidents, and provide expertise that would cost a fortune to build in-house. For small to medium-sized software companies, they are often the most practical way to achieve enterprise-level security capabilities.

The problem is that these providers typically operate at the perimeter and on the telemetry you feed them. They are watching for threats coming in and data going out, but they are not involved in the day-to-day infrastructure decisions that happen within your environment, and a misconfiguration such as a bucket policy that grants public read, or a security group opened to the whole internet "for testing", produces no inbound attack for them to alert on. Unless their scope explicitly includes cloud posture monitoring, when your DevOps engineer needs to spin up a new service or your IT person needs to adjust permissions, they are working independently of your managed security provider.

The Internal Knowledge Gap

This is where the gap becomes dangerous. Your internal team making these configuration changes may be incredibly talented. Brilliant developers, skilled system administrators, capable DevOps engineers. But cybersecurity? That may not be their wheelhouse.

I have seen database administrators who could optimise complex queries in their sleep accidentally expose entire customer databases because they did not understand the security implications of their access control settings.

Building Internal Security Literacy

The solution is not to become cybersecurity experts overnight. It is about building foundational security literacy within your technical teams. Even a basic theoretical course on cybersecurity, specifically tailored to your tech stack, can make the difference between a secure deployment and a data breach waiting to happen.

If you are running on AWS, your team should understand AWS security fundamentals: the shared responsibility model, IAM policies and roles, S3 Block Public Access, and security groups and network boundaries. Azure shop? Get them familiar with Azure security best practices, such as role-based access control, network security groups and storage account access settings. The investment in a few days of training can save you from months of incident response and regulatory headaches.

But it is not just about technical training. Your broader team needs to understand the governance requirements they are operating under. What are your privacy obligations? What compliance frameworks apply to your business? How do security decisions impact your ability to serve customers or meet contractual obligations?

This is where having someone with a cybersecurity and privacy background, even at a foundational level, becomes invaluable. They become the bridge between your outsourced security provider and your internal operations, asking the right questions before changes are made rather than after incidents occur.

Making Security Everyone's Business

Your managed security provider should remain part of your security strategy. They bring expertise and capabilities that are hard to replicate internally. But they need to be complemented by internal security awareness and literacy, particularly among the teams who have the keys to your infrastructure.

The goal is not to replace your managed provider. It is to ensure that the decisions made internally align with the security posture they are helping you maintain.

If you are looking to bridge this gap in your organisation, reach out. From technical training tailored to your internal policies and procedures, to broader governance and privacy awareness programs, the aim is to ensure your team has the foundation they need to make security-conscious decisions.

The best security incident is the one that never happens because someone asked the right question before clicking deploy.