DEV Community

Discussion on: Is open-sourcing server-side code a security threat?

Paula Gearon

If you don't have the time or expertise to focus on it, then someone who does has a greater ability to stay on top of it than you do. There are a few different ways of saying it, but my company likes: "Security is a journey, not a destination". Basically, security is not something that you "have" – it's a continuous process.

If it's in your budget, then I would outsource. If it's not in your budget, then you need to budget time and resources to do it yourself. Given that you won't do it as well, and it still comes out of your budget, then that's where you have to balance the tradeoffs. What's the likelihood of being attacked? What is the expected cost of a breach? etc.

No, you don't have to open-source anything that is just for you.

It's a little different if you're selling a security product. By not open-sourcing commercial security code, you will be open to a lot of criticism. People won't necessarily trust your product. They will claim you are trying to achieve Security by Obscurity. Indeed, such products often become targets for people trying to break in. This means that if there are any flaws in your implementation, then the only people with that information are malicious third parties, and you have no ability to get feedback through public auditing. (Security researchers often audit such products.) But this doesn't sound like your situation.