In today’s cybersecurity landscape, the pressure on businesses to stay resilient is mounting. For Keith Cutajar, founder and CEO of CY4 Security, outsourcing is not only practical but essential. “We’re still struggling to understand that it’s a no-brainer,” he says. “Good luck finding someone appropriate for your organisation today.”

With more than 15 years of experience in security and over a decade working in forensics within the courts, Mr Cutajar has seen firsthand the widening gap between the demand for cybersecurity expertise and the limited supply available locally.

One of the core challenges facing Maltese organisations, he argues, is the skills shortage - especially as Europe introduces new compliance frameworks. “No company can ever get enough manpower to carry out its core duties in this regulated world we live in,” he explains. Requirements stemming from new and upcoming standards such as the Digital Operational Resilience Act (DORA) and NIS2 are placing heavier responsibilities on businesses, demanding stronger controls, better documentation, broader reporting obligations and continuous monitoring.

The talent pipeline simply hasn’t kept up. Even when organisations manage to recruit, it takes significant time, training and investment to bring new hires up to standard. “Someone may come in with an MSc in security, but they still need to undergo training. And if someone graduates with a general IT or software engineering degree, they’re totally off track.” The increasingly specialised nature of the field - from offensive security to digital forensics and threat intelligence - has made it nearly impossible for organisations to build fully capable in-house teams.

This is why Mr Cutajar believes outsourcing is not just a cost-effective solution, but a strategic one.

“Unfortunately there’s still the perception that the bigger the team I create, the stronger I am,” he says. “It doesn’t work that way. Actually, it’s the reverse. The bigger the team, the more complicated it gets.” Outsourcing gives businesses access to a pool of specialised professionals without the cost and complexity of recruitment, retention and ongoing upskilling. “You don’t need to build a team of 10 or 15 people in cybersecurity. It’s practically impossible and also unfeasible. The more you can outsource, the better.” Even in larger markets like the UK, companies outsource heavily because, as he puts it, “it is cost-effective.”

A common misconception Mr Cutajar encounters is the belief that data is safest when kept in-house. “That perception still exists: if you want to keep data safe, keep it in-house. When ultimately, they’re still outsourcing to cloud services.” His work in incident response tells a different story. “I can tell you how much data is leaked from inside to outside because of malware, ransomware, insiders- people leaking information on purpose or by mistake.”

He stresses the importance of recognising the difference between malicious insiders and accidental negligence. Most insider incidents, he says, stem from well-meaning employees making small errors - something proper training and strong external monitoring can catch early. “If a third party leaks data, the side effects are massive. We may lose a license. We may lose a client. So we are much more cautious and invest much more. A service provider cannot afford a mistake.”

According to Mr Cutajar, the trend towards outsourcing is already underway, but more awareness is needed. He recalls how difficult it once was to promote cybersecurity training. “Fifteen years ago we wanted to sell a €500 training package once a year and it would take your life out of you to sell it. Today we have conferences almost every day. We have newspapers calling us for articles. The culture changed because of awareness.” He believes outsourcing will follow the same trajectory as business leaders better understand its necessity.

CY4 Security positions itself as the type of specialised partner that modern organisations increasingly require. “We are a service company - an advisory firm. We provide SOCs, ad-hoc investigation, consultancy and GRC services,” he explains. Instead of paying the equivalent of a senior cybersecurity salary, companies get access to an entire team through a subscription-based model.

“Rather than giving an €80,000 or €100,000 salary to one chief, you’re signing a contract of €30,000 or €40,000 a year. With that you get a bucket of hours, and you’re onboarding a whole team.” That bucket covers high-level expertise - CISO-level guidance, incident response, strategic advisory work - as well as 24/7 monitoring, threat detection and access to specialists across multiple disciplines. “If one day you wake up and say, ‘I need something different today,’ the team adjusts. They’re there to do business with you.”

For Mr Cutajar, the message is simple. As regulations tighten and digital threats evolve, companies must rethink how they build and maintain cyber resilience. For companies looking to scale without the weight of overheads, outsourcing isn’t just a safety net - it’s a growth strategy. As Cutajar puts it, “It’s a no-brainer.”