Best practice in outsourcing security

The issues CIOs must consider in balancing security needs and budgetary constraints

Warwick Ashford examines the issues CIOs must consider in balancing security needs and budgetary constraints

Outsourcing IT support, desktop support and infrastructure is relatively common and an increasing number of organisations are investing in outsourcing e-commerce systems, datacentre hosting and software and application development, but security outsourcing remains a challenge for many.

Despite the potential to increase security without investing in more staff or new defence technologies, the potential risks of outsourcing security are considerable, causing wary businesses to shy away.

According to a recent survey by The Corporate IT Forum, only 5% of respondents had outsourced security and 48% said they would not outsource their IT security teams.

However, in reality, businesses do not have to adopt an all-or-nothing approach to security outsourcing. Instead, they can outsource only those IT security activities that are best suited to the model. The Corporate IT Forum survey showed that, of those respondents who had outsourced security, 29% had taken a mixed approach, using third-party contracts for commoditised areas of IT security. But how can businesses identify what is best to outsource?

There are several approaches organisations can take.

Panel: Key questions for outsourcing security

  • Can a third-party supplier provide a better quality of service than you can provide internally for the same, or lower, cost?
  • Can the third-party supplier meet all of the compliance requirements that you must abide by?
  • Can you verify that the service provider delivers what it claims it supplies?
  • What would be the consequences for your organisation should the service provider fail to deliver what it claims, or otherwise fail to meet your needs?

According to the Cloud Security Alliance (CSA), outsourcing is not advised for governance-related security functions, but for operations-related security functions there are several candidates. These include application security, identity and access management and virtualisation.

“It can be argued that all of the technology security stack can be outsourced except governance, risk and compliance, because it is one of the key processes in IT security,” says Vladimir Jirasek, of the CSA (UK).

This means that things like firewall management, network security, vulnerability scanning, anti-malware, host security and database firewall management are all good candidates for outsourcing.

Security is extremely hardware- and capital-intensive. Therefore, organisations that have to handle spikes in their business processes may want to opt to outsource basic security functions such as the firewall and let the service provider handle the spikes in performance demand. This negates the need to overpay for a capacity level that is not needed most of the time.

“I would prefer to outsource these as I have better leverage over my outsourcing partner than I have over my colleagues in IT. Another reason to outsource is that it is rather specialised and that means scarce resources, which may not be fully utilised in your company,” says Jirasek.

For businesses that handle sensitive data under strict regulation, outsourcing IT security becomes a critical concern because of the limitations of the service-level agreements (SLAs) and audit controls the outsourcer may provide, says Peter Doggart, product marketing director at network security firm Crossbeam Systems. “For this reason, these types of organisations tend to keep sensitive data controls in-house,” he says.

The Information Security Forum (ISF) believes the best place to start when deciding on what to outsource is where capability and/or expertise is lacking in the organisation – such as forensics – and where budget for creating and maintaining such a capability cannot be obtained.

Adding value to the business

The essential question for the business is whether the outsourcer can add value over and above what an equivalent internal team would cost.

A good example of value creation is a forensic security service. Forensics can be easily outsourced to individuals that have the right skills and can reduce the cost of having an expensive team on the internal payroll.

But when it comes to defining value, there are no easy answers. For some organisations and some projects, value is about cost savings and efficiencies. Other organisations might see value as being driven by innovation and thought leadership.

Benchmarking techniques can help to provide insight into what value is provided by service providers and/or internal IT teams and services, allowing organisations to make better decisions on outsourcing, says Dani Briscoe, research services manager at The Corporate IT Forum.

“Benchmarking services such as those available through The Corporate IT Forum allow organisations to compare their own performance with others’, although this is most useful when applied to organisations in similar industries or of similar sizes. Benchmarking that is not targeted in this way could be counter-productive or even misleading,” she says.

The ISF believes outsourcing can add value to specialised security tasks such as network monitoring, where an outsourcer has both expertise and the ability to collate and analyse data from many sources that the organisation could not match.

A third area where outsourcing could be considered is low-value and manpower-intensive activity such as patching and firewall management.

“After this, the choice becomes much more difficult, as the activities may be more bespoke and may be combined with other, non-security activities, such as IT hardware or user access provisioning,” says Adrian Davis, principal research analyst at the ISF.

Accountability and compliance

Although opinions vary on what security functions should and should not be outsourced, there is consensus among IT security professionals that, while businesses can outsource responsibility for delivering a security service, they cannot outsource accountability should that service fail, nor the responsibility to ensure the company complies with legal, regulatory and industry requirements such as the Data Protection Act.

“While an organisation may choose to outsource the management of their firewalls and intrusion detection systems to a third party, the client organisation will still suffer the consequences of regulatory fines and loss of reputation should their service be compromised,” says Lee Newcombe, member of security professional organisation (ISC)2 and managing consultant at Capgemini.

“It is unlikely that any service credits or other contractual recompense would be sufficient to completely offset the reputational damage caused by such a compromise.”

Organisations looking to outsource specific security capabilities must be confident they are aware of, and can manage, the potential fall-out should their supplier fail. They should also look to work closely with suppliers to minimise the risk of such a failure.

“I believe organisations need to take a fully informed, risk-managed approach to outsourcing security services, as with any other outsourcing decisions,” says Newcombe.

Choosing a supplier

This means identifying by contract what is being outsourced; the standards the outsourcer must meet; how the outsource is to be monitored; and how redress is to be handled, should things go wrong, says Peter Wenham, a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.

“If your company has no IT security expertise, the first thing you should consider doing is outsourcing the IT security management to a specialist firm that can ensure you have appropriate policies, procedures and operational guidance to form the basis of further outsourcing,” he says.

According to Wenham, the specialist IT security supplier could also offer overall security management of a firm’s IT environments, including security reviews and audits and awareness training for staff.

Whether in-house or outsourced, Newcombe believes businesses should always retain the capability to assure the delivery of their security services. “In the words of Ronald Reagan, ‘trust, but verify’. Outsourcing security services is certainly no time for blind faith,” he says.

Richard Hollis of the ISACA government and regulatory advocacy subcommittee says he would not hesitate to outsource the most sensitive of IT security functions under strong service level agreements that clearly detail legal liability responsibilities and consequences. “The key is to implement effective quality control measures on the service provider’s deliverables,” he says.

Selecting an outsourcing supplier should not be based solely on cost, but also on security, says Phil Stewart, director of communications at ISSA-UK and director of Excelgate Consulting. He believes the former is sometimes over-emphasised at the expense of the latter.

“When deciding on a framework for selecting your supplier in the bidding phase, you should clearly decide what you are trying to achieve for the business in terms of cost, functionality and security, and then have a scoring system that you will apply to the potential suppliers’ responses,” says Stewart.

He also cautions against failing to ensure that particular security needs are met. “For encryption, for example, requests for pricing often tend to merely ask what encryption algorithm has been used – quite often to a chorus of ‘Advanced Encryption Standard’ responses, which does little to differentiate suppliers. Dig a little deeper: ask which method has been used in the encryption implementation. As always, the devil is in the detail: the more thorough you are, the more likely you are to sort out the secure wheat from the insecure chaff,” says Stewart.

Choice, risk and due diligence

In summary, the CSA’s Jirasek says outsourcing IT security is merely an option. “Others are doing it, so you can too, but it’s not for everyone. Keep it inside if you want,” he says.

The ISF’s Davis says the keys to any successful outsourcing programme are due diligence and a clear understanding of what is to be outsourced, and of how the company would like it to be run, managed and reported on.

“Without this knowledge, you will not get the service you want, you expect or are paying for. Outsourcing IT security can yield benefit, but only if you understand what and why you are outsourcing,” he says.

While there is no one-size-fits-all advice, if businesses consider these key factors, they can reap the advantages of outsourcing some IT security activities without increasing the risks and costs to the organisation.
