Misconceptions about information security outsourcing

A few years ago, security management was considered a sacred cow; it was too important to be handed off to an external entity. After all, a mistake on the part of a service provider could mean porous perimeter defenses or sensitive data finding its way into the wrong hands.

But today attacks are more sophisticated and malicious hackers are more knowledgeable, and no company can afford a security breach amid the plethora of regulatory requirements. To top it all off, corporate IT environments are becoming more complex, and traditional defensive measures are not sufficient to protect the organization. In an effort to tackle all of these issues, CISOs are turning to security service providers for security management assistance in the following areas:

  • Analyzing and mitigating increasingly complex threats: CISOs are threatened by the complexity of attacks and an increase in the number of zero-day vulnerability exploits. Most worrisome are targeted threats, those meant to snare customers or employees of a single company or community. Rootkits, which are attack tools that conceal their presence on a victim's machine, have been a popular strategy for attackers since 2006 and prove to be exceedingly difficult to detect and remove. It is no longer sufficient to keep track of new vulnerabilities, detect which ones are applicable and apply appropriate configuration changes and patches. CISOs need help in devising strategies to proactively thwart complex threats.

  • Measuring, tracking and reporting on security metrics: Executive management expects justification when allocating dollars toward security, and regular progress reporting from the CISO. Business partners want reports for security accountability as well. Having a well-defined metrics program not only fulfills all these external expectations, but also enables the CISO to measure the effectiveness of the security program. CISOs need assistance in using metrics to measure their security posture, set goals, track progress, prioritize security initiatives and justify security spending.

  • Protecting information throughout its life cycle: Sources including government regulations and copious press coverage of data loss and identity theft have increased the pressure on businesses to better protect information. CISOs are struggling to comply with new regulations to safeguard consumer, financial, healthcare and employee data. A host of technologies are available to solve pieces of the problem, including encryption, endpoint security and information leak prevention (ILP). Strong authentication and identity and access management can augment these technologies in providing life cycle protection, but it can be a nightmare to integrate and operate these technologies, as well as audit to ensure there aren't any gaps. CISOs will need help in defining a comprehensive strategy and strong processes for identifying, classifying, handling, tracking, storing and disposing of information.

Security outsourcing represents a potentially compelling way to ease the burden of meeting these security program requirements. But as is often the case with IT outsourcing, a considerable amount of due diligence is required before making any kind of commitment, especially where security is concerned. Enterprises should keep the following misconceptions in mind while they evaluate their outsourcing options.

Outsourcing security is cheaper than doing it internally. Cost is usually one of the reasons businesses explore security outsourcing, but Forrester has consistently found that cost is not the primary driver. After all, outsourcing may not always lead to lower costs. In fact, many companies end up spending more. Some do so willingly because they gain competencies and get additional capabilities such as 24x7 monitoring or compliance reporting. Also keep in mind that an outsourcer that promises to help lower cost may do so by using cheaper resources or by taking more time to complete certain tasks.

Outsourcing security means transferring risk. Outsourcing means transferring responsibility, but not accountability. Careful consideration must be paid to the risk management aspect of the outsourcing deal. Data protection risks can't be transferred to an outsourcer, but the amount of risk a corporation takes on can be limited by developing right-to-audit clauses, service level agreements (SLAs) and limited liability provisions in contracts. It is also a best practice to ask outsourcers to adhere to a third-party security policy based on an organization's unique circumstances.

The vendor selection is similar to any procurement. A security outsourcing deal is much more intimate than a procurement contract. What does this mean? The complexity, scope, duration and business risk of an outsourcing deal dwarf most procurement contracts. Handing over a critical business process or technology changes the risk profile of the firm. This is not like a contract for parts or labor; it's essential to look beyond the technical capabilities while evaluating vendors. Think of it more like a partnership where alignment in corporate cultures and philosophies plays a significant role in the success of the relationship.

If my security operations are a mess, outsourcing security can help. The famous adage "garbage in, garbage out" applies here. If an organization has strong and consistent security operations, outsourcing can enhance their effectiveness, but a lack of operational control will make things worse. Therefore, it's important to strengthen operations before outsourcing. Outsourcing may help improve operational control, but the chances of success are increased if the services to be handed over have solid measures and operational process control. If an organization does not have strong operational controls, it will be relying on the baseline set of controls provided by the outsourcer. This may or may not be in line with organizational requirements. To the extent possible, continue to drive improvements in the existing delivery environment before outsourcing.

Outsourcing security is the quickest way to get security controls implemented. Prepare for a marathon, not a sprint. Doing an outsourcing deal takes stamina and persistence over a fairly long period of time that can sometimes be compressed, but usually with increased risk. Prepare yourself and your team for the long haul by connecting first to the business strategies of the firm, and then building from there. It is appropriate to plan for some quick wins but it takes time for the outsourcing relationship to mature. Companies that have successfully outsourced security operations typically report that it takes them six to 18 months to really normalize the outsourcing relationship.

Outsourcing security is not for everyone, so before jumping on the outsourcing bandwagon, pay careful consideration to the impact of outsourcing in a particular situation. More importantly, have very realistic expectations of the relationship. It's important to do the due diligence and ensure appropriate provisions are part of any contract, but it's much more important to find a trustworthy provider and continuously build on the relationship. Think of it as a marriage: you have to trust your partner, work on it consistently and be patient.

About the author:
Khalid Kark is a principal analyst at Forrester Research. His research focuses on information risk management strategy, governance, best practices, measurement, and reporting. He can be reached at kkark@forrester.com.

This was first published in October 2007