Yes -- most of it, at least, and after a custom programme has been concluded.
A programme includes adequate awareness training of all employees, signed-off cybersecurity policies and quality processes, device certification/hardening, reference architectures/guidelines/checklists, etc.
The third party that takes on cybersecurity tasks can make everything very transparent, the same way EHS becomes fairly invisible once all signs and procedures are in place. Work happens in the background.
What is needed is a clearly identified person, or people, who, after receiving a bit more than a simple awareness course, will be engaged and act as the interface for internal/external actions on new projects and/or changes.