Outsourcing Cyber Risk: Why an Integrated Approach is Critical


While the world is shifting back to a revised normality, the impact of the pandemic is still presenting lasting challenges for organizations globally. The 'work from anywhere' model that looks set to stay for many has increased complexity for security teams worldwide, adding to the already ever-growing cybersecurity challenge.

The powerful cloud collaboration tools used to keep us connected in the 'work from anywhere' model present ongoing data security challenges. Critical organizational data is now being consistently shared across multiple platforms, often outside the stringent security boundaries of the corporate network. And opportunistic cyber-criminals are capitalizing on this increased threat surface.

Long-term hybrid work keeps protecting corporate data at the top of the list of concerns for security teams. In fact, according to recent Proofpoint research 56% of UK CISOs agree that they have seen an increase in targeted attacks in the last 12 months due to this working model, with 53% saying that increases in employee transitions mean that protecting data has become an increased challenge.

As complexity in our environments increases, and the cyber staffing crisis continues, there is the temptation to want to take steps to reduce both the resource drain and the complexity by consolidating and outsourcing risk, with 58% of UK CISOs admitting that the 'work from anywhere' trend has led them to outsource key controls to managed services providers.  

But can organizations effectively outsource risk?

The Temptation to Outsource

Organizations are focusing more budget on security tools, solutions, training and services. Gartner forecasts that information security spending will reach $187 billion in 2023, an increase of 11.1% from 2022.

Many organizations may be considering putting additional budget toward bringing in outsourced partners to manage some elements of their security strategy, believing this will help to address increased complexities effectively. In fact, 42% of UK CISOs listed outsourcing security controls as a top priority for the next two years.

Security teams may think that perhaps if they consolidate with a single provider, outsource key controls to a managed security service provider (MSSP), turn to insurers to provide recovery funds in the event of an attack, or outsource risk to end-users by training them to identify and report phishing attacks, that they can reduce complexity, drive efficiencies, and focus on business outcomes.

Or simply, the temptation to outsource is there because it’s increasingly difficult to find the staff and skills required internally.

However, despite this increased spend, whether on internal controls or outsourced partners, we continue to see an increase in breaches, data loss, ransomware infections, and credential theft, with 60% of UK CISOs feeling at risk of a material cyber-attack on their organization in the next 12 months.

Ultimately, no matter which security controls or procedures are outsourced, effectively or not, when it comes to a successful data breach, the organization, and its security team/CISO remain accountable. 

To stay resilient in today's threat landscape, security teams can partner with third-party technology and service providers to build a robust cybersecurity posture that helps protect their people and defend critical data.

Outsourcing is Rarely the Silver Bullet

Fully outsourcing key functions to third parties exposes the business in new ways. For example, by attempting to completely outsource and automate processes, you may lose critical in-house skills and context. Internal analysts are still required to complement automation and external threat intelligence. You need a team that understands your business context, analysts who can forecast future threats and attacks, and a team that can make intelligent interpretations of alerts with the business in mind.

It also becomes very difficult to measure the efficacy of your controls if much of your security program is outsourced. Organizations may be creating programs in isolation that do not align with the risk profile of the organization. An organization’s risk framework may look good and appear to capture all potential risks that could impact the business – but assurance and the measurement of the effectiveness of controls are just as critical as identifying risks in the first place. How can you really trust that your risk framework is working if all your controls are fully outsourced? How do you assess what’s important and ensure readiness to deal with potential incidents or crises if the controls aren’t being monitored in-house?

Assessing true priorities, and the potential implications of vulnerabilities and attacks, is only possible with the deep business understanding and insight that comes from daily interaction with stakeholders and an understanding of what the business values. Such insights do not come easily to an outsourced partner responsible for service provision to several customers, whose penalty for failure is just a breached service-level agreement (SLA), not long-term damage to its organization’s value proposition.

That said, there is a strong opportunity for collaboration with outsourced providers. Internal teams can ingest the threat intelligence they receive from third parties, vendors and outsourced partners and weave it into their risk profile, determining and prioritizing the threats and vulnerabilities uncovered by these services through an internal lens.

We also cannot ignore the heightened attack surface from working with third parties. If they’re breached, you can be too – via network connections & collaborative workspaces, remote admin access, or simply credible, fraudulent invoices. A recent Proofpoint study revealed that more than half (58%) of organizations surveyed reported that third parties and suppliers were the target of a breach in 2021. 81% of responding organizations were concerned about risks surrounding suppliers and partners, with almost half (48%) specifically concerned about potential data loss as a result of such risks. 

An Integrated Approach

To stay resilient in today’s threat landscape, organizations’ security teams can partner with third-party technology and service providers to build a robust cybersecurity posture that helps protect their people and defend critical data.

Many organizations are looking for a silver bullet to combat all threats, while ensuring business continuity and success. However, there is no such thing as a one-size-fits-all approach. That said, a key starting point is implementing effective prevention controls, blocking as many threats as possible from reaching your people in the first place. Organizations should look to leverage external agencies as part of an audit, quantifying where their gaps are against industry benchmarks and having the auditors provide estimates of how much the organization needs to invest to reach target maturity levels.

Security teams can leverage external threat intelligence sources to handle the low-hanging fruit and high-volume alerts. The outsourced partner can be integrated into internal intelligence to help remove false positives, allowing internal teams to better spend their time.

In addition, once you’ve identified the risk metrics you want to collect, ones that accurately determine the controls required to mitigate identified risks, you can outsource the gathering of these metrics to vendors and service providers. Make your solution providers work for you to give you the visibility and insight you need, so you in turn can act on the intelligence provided more effectively. Who within your organization is being targeted, what types of threats do they face, how are they engaging with these threats, and what privileges do your most attacked employees have? This insight can and should be provided by your vendors to enable you to identify your highest-risk groups and put the required segmentation and controls in place.

Ultimately, the focus when outsourcing should be on building integrated programs that are focused on reducing the likelihood and impact of risks that you have identified to your data and your people. Elements of this resilience can certainly be outsourced, but fundamentally, the risk is yours to own and manage.
