To outsource or not to outsource: that is the question that has been facing CISOs the world over since the dawn of time, and the question that Phil Muncaster puts to information security experts
Information security practitioners often debate the values and perils of outsourcing. On the one side, there is the opportunity to free up talented staff to concentrate on higher value tasks, whilst simultaneously improving the organization’s resilience and ability to defend against potentially devastating cyber-attacks. On the other side is the nightmare scenario: hidden costs, loss of control, a provider that doesn’t understand your business and, at worst, one that ends up exposing your organization to even greater risk.
Forrester research from 2013 found that despite numerous other distractions, information security outsourcing was still a top priority for 21% of EU security chiefs and 15% of US CSOs. So where exactly is the sweet spot between what you keep in-house, and what gets pushed out to a third party? Are there any obvious choices on what to outsource, and how exactly should CISOs go about selecting the right consultancy for them?
At a very high level the answer is: it depends. However, all the industry experts Infosecurity spoke to agree that, aside from perhaps a handful of large multinational organizations, some element of outsourcing is always desirable.
“An experienced outside perspective will always be important,” says 451 Research senior analyst, Adrian Sanabria. “Consultants are constantly working with different companies and seeing what works and doesn’t work in different environments. It is hard to gain that breadth of experience and perspective from within a single organization.”
Forrester principal analyst Andrew Rose believes it makes sense to outsource those “boring, repeatable tasks” like pen-testing, identity and access management, log reviews, hardware management and so on, and hand internal staff the more challenging, interesting stuff.
“This will make their job more fun, more varied and make them more likely to stay,” says Rose. “They’re also adding more value.”
This is doubly important given how difficult it is for firms to hire enough talented information security practitioners in the first place. Ironically, this is because many of them are tempted by the big bucks of the large consultancy firms, as well as major financial multinationals. Also, if you’re in the UK, expect the talent pool to shrink by a factor of 10 if your firm is not located in London, Rose warns.
What Stays, What Goes?
So how exactly do you go about deciding what should be outsourced and what should be kept in-house? Kevin Jones, Dean of the Science and Environment faculty at the UK’s Plymouth University, argues that there’s a sliding scale depending on the resources available and the degree of security required.
DDoS mitigation is a good example: the internal resource it consumes, in this case bandwidth, is usually insufficient to absorb an attack in-house. Pen-testing is another security element which most agree should be outsourced. “It’s very unlikely a small or even large company has the ability to perform these audits with the right level of skill. If they could, there would be something wrong because that resource would be sitting idle for large periods of time,” Jones argues. The best practitioners of ‘specialist’ skills like these may be smaller independent players rather than the big consultancies, he adds.
Will Semple, former New York Stock Exchange CISO and now vice president of research and intelligence at Alert Logic, argues that a good CISO should first hire a team of seasoned solutions architects, then build out an ops team and install GRC experts, where needed.
This is followed by the most in-demand resource in US firms – a team to manage threat and vulnerability exposure.
In most organizations this must be outsourced, he claims.
“Have an overall strategic plan for the operating model, define roles that are tactically delivered by partners, and build a capability and maturity that leverages the ecosystem,” he adds. “The modern CISO will need to be able to manage multiple relationships both internally and externally and step away from building large security groups.”
For Rose, things that are “culturally sensitive” should be kept in-house; elements like policy, communications, business alignment and relationship management. “These are best kept internal because you need to be close to the organization to know what works,” he says. “It’s also best to keep those technological aspects which are fundamental to your organization in-house: architecture and investigations are best done in-house, but they can be supplemented by third parties.”
Peter Clay, CISO at US security firm Invotas and former CISO at the Deloitte Federal Practice, explains that the Security Operations Center (SOC) is at the heart of his organization’s in-house efforts.
“Coordinating that across organizational lines is not something I would ever want to consider,” he says. “You need that ability in the organization because the faster a disaster can be remedied and returned to normal, the better the outcome.”
However, organizations are increasingly finding ways to save costs on outsourcing by automating many of the menial, repetitive tasks – like managing service desk tickets – and are beginning to orchestrate processes as a result. “We’re already seeing dramatic results across several different use cases,” he adds. “It allows organizations to allocate their staff to higher value processes.”
Now for the Tricky Part
Once the CISO has decided what he needs to push out to a trusted third party, the inevitable question is raised – which third party? Most experts argue that you can’t go wrong with one of the big players. Yet as we’ve seen, for more niche or bite-sized projects, there may be more benefit from choosing a smaller provider.
It all revolves around personalities, according to Forrester’s Rose. “You need to find the people with the right mentality you can work with; people you click with, because it’s a relationship and you need to work together,” he advises.
Plymouth University’s Jones, whose faculty includes the Centre for Security, Communications and Network Research (CSCAN), adds that in the UK at least “qualifications are beginning to have meaning”. In this way, practitioners who can claim to have gained accreditation in key areas are worth seeking out. The extended CISO and information security network can also be invaluable here.
“Infosecurity Europe is a very good place to see everything, from the largest players to the one man shops,” he argues. “Getting to know people who can help is very important in the community – the better network you have and the more people you know, the more chance you’ll find what you’re looking for.”
The ‘old boy network’ has helped Peter Clay for the past 20+ years in the industry, he tells Infosecurity.
“For external risk consultants, I always go with a recommendation from someone I know,” he says. “This network you just collect through your career.”
For external IT consultants, Clay favors what he describes as “the best athletes” – those who can test his systems to breaking point to tell him what works and what doesn’t. If any third-party is set on bringing a specific product into his organization, that tool must also be tested to breaking point in order to assess risk, he says.
Pitfalls and Priorities
As if all of that wasn’t enough to manage, CISOs must also bear in mind the internal stakeholders who may have an impact on outsourcing strategy. Procurement can actually help security chiefs “drive best value and go through the right due diligence”, according to Rose. However, any others “with skin in the game” need to be kept happy.
“When I became a CISO, I had to learn five different languages,” adds Clay. Apart from IT, these are the languages of legal, internal audit, risk management, and the board.
“Being able to speak and answer questions and address how information security plays a role in the business must all be part of the CISO role,” he argues. “It’s the CISO’s job and challenge to set the vision and tone for the infosecurity program and others have to buy into that program.”
Not only that, but CISOs must also avoid some common outsourcing pitfalls, according to KPMG principal advisor, Alejandro Rivas-Vasquez. “The most common I’ve come across is building the Security Retained Organization too thin. Particularly on contracts with 10+ services across different disciplines, a single service manager often doesn’t have the capacity and capability to deal with all the issues: performance, security events, projects, etc.,” he says.
Kevin Lidbetter, head of the UK Security Service Line at outsourcer Steria, warns that the CISO’s reliance on a provider will increase “exponentially” during the contract.
“Background knowledge and information transferred to the provider at the start of operational engagement becomes lost to the company, and through time is simplified to meet the specific needs of the service provided back to the company,” he adds.
“If you decide to bring it back ‘inside’ or transfer to another supplier, the information accompanying the transfer will necessarily be less, and maybe given with less understanding of importance and implication.”