Your Organization Already Outsources
Outsourcing is a dirty word in some circles, though in reality nearly all organizations outsource multiple solutions within their business – and many of them are critical to their operations. From logistics to HR, from legal to manufacturing, businesses outsource many functions. Often these functions are essential to the operation of the business, and nobody blinks an eye at outsourcing these activities.
InfoSec is an area where the arguments for outsourcing are strong, and they’re similar to the rationale for outsourcing other key functions:
- My organization can’t hire, train, and retain enough InfoSec talent
- InfoSec is a cost-center, it impacts the bottom line, and we need to find a more efficient model to provide comprehensive InfoSec to the company
- InfoSec is complicated. There are ever-changing technologies, solutions, best practices and requirements as well as ever-increasing risks – I can’t keep up by myself
Interestingly, the objections are also the same really:
- InfoSec is critical, I can’t afford to lose control of it, and I need the people to manage it
- My InfoSec team has to access company IP, PII, and other sensitive data; I can’t entrust that to a third party
- No third party is going to have the same sense of responsibility to my business that an internal team would
Studies range from fifty (50%) to seventy percent (70%) in terms of the percentage of enterprises who outsource InfoSec. Many take a hybrid approach to outsourcing certain functions and performing the others in house. In the cases above either for or against outsourcing, any business function could be inserted in place of InfoSec.
Outsourcing’s Bad Assumptions
So why do some organizations readily outsource many essential business functions, but pause when it comes to InfoSec? It most likely stems from some basic assumptions and misaligned expectations of what outsourcing InfoSec can and should mean.
Outsourcing InfoSec is not an “all or nothing” proposition
Your information security program is complex. It has a number of aspects from strategy to architecture, from engineering to operations, and may also include compliance. Each of those has complications of its own. Don’t assume that outsourcing is monolithic either. That said, choose an outsourcing solution that complements your program’s strengths and offloads its weaknesses to the provider.
Outsourcing InfoSec should not mean outsourcing responsibility
Don’t assume that an InfoSec provider is here to take over ownership of your security program. You will still need to provide direction and own responsibility for the security program. Your task will be to hold the provider responsible for their work, and to make sure they are aligned to your business goals and objectives. As much as they may try, a provider will never be as knowledgeable about your business and its needs as you are. Organizations that assume they are outsourcing the full responsibility for their security programs, or checking that box, are setting their outsourcing partners up for failure, and setting themselves up to have an ineffective security program. When outsourcing all or partial elements of your InfoSec program make sure to have a clear definition of the roles and responsibilities you are outsourcing and the ones you are keeping.
Outsourcing InfoSec provides value even if the provider isn’t performing remediation
Some believe that a provider who identifies legitimate security issues isn’t valuable unless they’re resolving those issues through making changes in the customer’s environment. That leads to a situation where people who are not aware of the day-to-day realities of your business are taking remedial action in your environment. How do you ensure they make sound business decisions before taking action? How do you hold them accountable for those decisions?
That seems like saying that outsourcing Accounting work isn’t valuable unless the provider approves and cuts all the checks for Accounts Payable. Would you want a third party having all that power and responsibility? Do you think they will have the institutional knowledge about your business to make payment decisions by themselves?
Instead perhaps focus on ensuring that your provider can feed you validated, enriched, and actionable information and trust your staff to handle the resolution with their business acumen and organizational insights. If the provider is doing their job well, they’re chasing down all the false positives and red herrings and handing off the small subset of alerts that your team can and should focus on.
Outsourcing enables you to leverage best practices, harness efficient processes, tap into continuous modernization, and deploy leading technologies while deepening your technical expertise. This optimizes your security spend and allows you to focus on your core business, leaving security to the experts.
Outsourcing InfoSec isn’t the same as staff augmentation, contractors, or temp workers
Your InfoSec outsourcing plan needs to be better focused than simply choosing a body shop to provide workers. Sure, sometimes a temporary InfoSec rockstar is the right choice for a particular problem, but for the sake of both your organization and your provider, well defined responsibilities and parameters are a must. Again, this goes back to the need to continue to be responsible for your own security program, and that means understanding and approving the activities your provider is specifically responsible for.
InfoSec outsourcing isn’t about staff reduction, it is about making better use of the staff you have
Most security professionals agree that there aren’t enough workers to fill the needed roles as it is. ISC2’s 2019 Cybersecurity Workforce Study shows there are about 2.8 million security staffers in the top 11 world economies, with a gap of about 4.07 million staffers today, or roughly 2.5 jobs for every InfoSec employee.
So focus on outsourcing the things that will free up your talent – the employees you’ve worked hard to train and who provide the core of your security program – to do the high-value work that you want them spending time on. Outsource Tier 1 and Tier 2 activities (the table below shows Tier 1 and Tier 2 Analyst activities, courtesy of our partner Exabeam). Outsource operational activities. Outsource the selection and management of security tools and technologies, but keep the people who can make sense of all of that and help you move the security program forward.
At the end of the day outsourcing will likely be more cost effective than attempting to staff for yourself, but you’re probably not reducing existing staff because you’ve outsourced.
Outsourcing InfoSec isn’t about technologies, or staffing, or resources, it is about outcomes
Nobody cares what calculators your hired accountants use. So why are you focusing on the technologies your InfoSec provider is bringing to bear? Instead, focus on the outcomes, instead of your personal opinion of the tools they’ve chosen to use. Though by the same token, if the provider claims they’ve built all their own tools from scratch you might want to understand how much R&D they’ve actually invested in developing them, how they support those tools and why they didn’t choose “off the shelf” tools from reputable providers in the first place.
What Size Fits All?
Outsourcing InfoSec is going to be different for every company, just like outsourcing accounting. Some companies will just want an auditor, others will want a tax accountant, and others will want a full accounting team substitute. And there are InfoSec providers out there to match most of that spectrum. Approach outsourcing InfoSec the same way you would any other business-critical outsourcing decision. Have an expectation of what value and outcomes you want from the provider, and keep focused on those. Be open to the expertise providers bring with them to the table, and be ready to evaluate how those providers complement the existing strengths of your program to find a good fit for your organization.