The arguments for outsourcing—that it can be cheaper and provide access to superior, real-time service and specialized knowledge—are especially inviting as demands from regulators, corporate management, and boards increase and specialists become scarcer, says Sunil Misra, the managing principal of the worldwide enterprise security practice global network services for Unisys Corp.
But can the outsourcers themselves be trusted? After all, it seems that the very idea—giving control of an obtuse but absolutely mission-critical procedure to an outside group—can be a recipe for trouble. Even after it’s proven that the firm is honest, how can you ensure that it’s providing optimum services to the client?
Enterprises need not worry, provided they approach things in a sensible manner and do their homework. Here’s what you need to know about outsourcing security safely.
Do some checking
The IT executive should so some footwork himself, says Kelly Kavanagh, a senior analyst with Gartner’s information security strategy practice. “Go on site to make sure it’s not a couple of guys with beepers in an office suite. If you can, get references.”
Kavanagh also says that IT execs should research the company’s financial statements and ways of doing business. Such elements as its funding, its balance between managed services and consulting, and how it enhances off-the-shelf products can provide important clues as to how solid the company is.
“Read publications discussing firms that do this kind of work,” adds Andy Weiss, an IT worker for the government. “Talk to IT guys in security you trust. Research companies with the better business bureau.”
Once it’s reasonably certain that the security provider is essentially honest, the enterprise must ensure that it’s getting the service it needs. Kavanagh says that this starts with a strong service-level agreement. “Take a hard look at the SLA they are offering,” he says. “If you need to tear it up, tear it up. It really needs to reflect what you want out of the relationship.” For instance, he says, if the number of firewall policy firewalls stipulated is inadequate, or if turnaround time on a change is too slow, speak up.
The enterprise should also insist on some insight into the process. For instance, you should have access to trouble tickets.
Finally, Kavanagh says, the CIO should “trust, but verify.” You can do this by scanning to ensure that everything promised is up and running. The enterprise itself can do this, or the CIO can retain an outside firm. As a very simple check, the enterprise can take a chance and disable a part of its security momentarily and see if the reaction of the outside firm is as advertised. “Occasionally, unplug the IDS sensor and start a stop watch to see how long it takes for them to call you and tell you it’s off line,” advises Kavanagh. Of course, enterprises shouldn’t do this with equipment and services that provide primary security.
At least one consultant says that outsourcing is inherently safer than in-house security—even beyond the extra skills the outside company brings to the table. “One of the statistics often stated is that 80 percent of the security breaches are internal rather than external,” says Ken Hilving, a consultant with Schooley Mitchell Telecom Consultants. “Moving IS/ICT security to an outsourcer is one way of dealing with the internal threat.”
Indeed, many internal security breaches have their roots in human interactions gone awry. “The social aspects of internal security threats are possibly mitigated with an outsourcer by the reduced social interaction with employees,” Hilving says.
A TechRepublic peer, who asks to be known by his user ID LordInfidel, noted that the wisdom of outsourcing security must be decided on a case-by-case basis. “I, for one, would not trust the security of my network in the hands of someone else,” he says. “But then again, my team and I have built several layers of filtering and monitoring/alerting into our network. I would not hand that over to a third party.”
LordInfidel feels, however, that outsourcing may be appropriate for less-technically-adept enterprises. “But for larger organizations that have staff devoted to security or that have active monitoring in place, it’s not worth it—unless, of course, it is in addition to the current scheme,” he says. “But a small company that does not have a experienced Net admin would benefit from this.”
The idea of separating the main function of the enterprise from the support function has historical roots in security procedures. “A large number of financial businesses outsource both site security and transportation security to companies that focus on these services, such as Brinks,” Hilving says. “In the military, the physical security of a site and information security are two different organizations, typically separate from the units who are getting the benefit of the security. Security alarm systems have a long history of being outsourced as well.”
Assessing the assessments
Many professionals accept the premise that security will be a mix of outsourced and in-house expertise. What isn’t as well understood is precisely how to draw the line between the two, says Trey Guerin, the chief strategist and founder of Network Security Consulting.
“The organization needs to develop capabilities in-house to determine [what should be kept in-house and what should be outsourced] on their own. They need an information source or a program that is architected in such a manner to help them derive those answers.”
Security elements that should be kept in-house and those that should be outsourced shift over time. The enterprise should be able to answer some key questions at any given moment, Guerin says. These questions include: What is the risk tolerance of the organization? What are the budgetary constraints? What are the current capabilities? What are the operational capabilities?
In the final analysis, a mixed bag is virtually certain. “For most organizations, the best balance between [the] level of security and the level of spending will be a mix of both in-house and outsourced security capabilities,” Misra says. “Certain items, such as security policy, should always be controlled in-house, even though you might have an outside consultant help create the policy.”