A few years ago, security management was considered a sacred cow; it was too important to be handed off to an external entity. After all, a mistake on the part of a service provider could mean porous perimeter defenses or sensitive data finding its way into the wrong hands.
But today attacks are more sophisticated and malicious hackers are more knowledgeable, and no company can afford a security breach amid the plethora of regulatory requirements. To top it all off, corporate IT environments are becoming more complex, and traditional defensive measures are not sufficient to protect the organization. In an effort to tackle all of these issues,
Security outsourcing represents a potentially compelling way to ease the burden of meeting these security program requirements. But as is often the case with IT outsourcing, a considerable amount of due diligence is required before making any kind of commitment, especially where security is concerned. Enterprises should keep the following misconceptions in mind while they evaluate their outsourcing options.
Outsourcing security is cheaper than doing it internally. Cost is usually one of the reasons businesses explore security outsourcing, but Forrester has consistently found that cost is not the primary driver. After all, outsourcing may not always lead to lower costs. In fact, many companies end up spending more. Some do so willingly because they gain competencies and get additional capabilities such as 24x7 monitoring or compliance reporting. Also keep in mind that an outsourcer that promises to help lower cost may do so by using cheaper resources or by taking more time to complete certain tasks.
Outsourcing security means transferring risk. Outsourcing means transferring responsibility, but not accountability. Careful consideration must be paid to the risk management aspect of the outsourcing deal. Data protection risks can't be transferred to an outsourcer, but the amount of risk a corporation takes on can be limited by developing right-to-audit clauses, service level agreements (SLAs) and limited liability provisions in contracts. It is also a best practice to ask outsourcers to adhere to a third-party security policy based on an organization's unique circumstances.
The vendor selection is similar to any procurement. A security outsourcing deal is much more intimate than a procurement contract. What does this mean? The complexity, scope, duration and business risk of an outsourcing deal dwarf most procurement contracts. Handing over a critical business process or technology changes the risk profile of the firm. This is not like a contract for parts or labor; it's essential to look beyond the technical capabilities while evaluating vendors. Think of it more like a partnership where alignment in corporate cultures and philosophies plays a significant role in the success of the relationship.
If my security operations are a mess, outsourcing security can help. The famous adage "garbage in, garbage out" applies here. Outsourcing can enhance the effectiveness of strong and consistent security operations, but where operational control is lacking it will make things worse. Therefore, it's important to strengthen operations before outsourcing. Outsourcing may help improve operational control, but the chances of success are increased if the services to be handed over already have solid measures and operational process control. If an organization does not have strong operational controls, it will be relying on the baseline set of controls provided by the outsourcer. This may or may not be in line with organizational requirements. To the extent possible, continue to drive improvements in the existing delivery environment before outsourcing.
Outsourcing security is the quickest way to get security controls implemented. Prepare for a marathon, not a sprint. Doing an outsourcing deal takes stamina and persistence over a fairly long period of time that can sometimes be compressed, but usually with increased risk. Prepare yourself and your team for the long haul by connecting first to the business strategies of the firm, and then building from there. It is appropriate to plan for some quick wins but it takes time for the outsourcing relationship to mature. Companies that have successfully outsourced security operations typically report that it takes them six to 18 months to really normalize the outsourcing relationship.
Outsourcing security is not for everyone, so before jumping on the outsourcing bandwagon, pay careful consideration to the impact of outsourcing in a particular situation. More importantly, have very realistic expectations of the relationship. It's important to do the due diligence and ensure appropriate provisions are part of any contract, but it's much more important to find a trustworthy provider and continuously build on the relationship. Think of it as a marriage: you have to trust your partner, work on it consistently and be patient.
About the author:
Khalid Kark is a principal analyst at Forrester Research. His research focuses on information risk management strategy, governance, best practices, measurement, and reporting. He can be reached at firstname.lastname@example.org.
This was first published in October 2007