Security Think Tank: Almost all security can be outsourced, but not the risk

What critical security controls can be outsourced and how do organisations, SMEs in particular, maintain confidence that they are being managed effectively and appropriately?

Almost any critical security control can be outsourced, with a range of services on offer: from low-level, largely commoditised services such as firewalls, network monitoring and anti-virus management, through to consultancy and bespoke services tailored to a specific organisation and a given deliverable.

Organisations can buy hours, completion of a particular activity or the expertise of an individual, such as CISO-as-a-service offerings. Organisations cannot, however, outsource risk or responsibility.

Irrespective of whether fault rests with a third party for a security incident, it will be the reputation of the organisation that suffers. For this reason, it is imperative that the information risks associated with any outsourcing arrangements are carefully evaluated and that the obligations of the supplier or service provider are precisely defined.

There are several benefits to outsourcing security. Particularly for smaller organisations, outsourcing can give access to deep security expertise and good practice that would otherwise be cost-prohibitive. Outsourcing does, however, entail some loss of control.

Organisations can bolster their confidence in outsourcing management of their security by giving due consideration to the following factors:

  • Information security practices and standards of potential outsource providers;
  • Classification of information to be placed in the care of the outsource provider;
  • Interdependencies between the function to be outsourced and other business functions;
  • Ability of the outsource provider to make a decision without knowledge of the business;
  • What decisions the outsource provider can make and how it will affect the business;
  • How an incident involving the outsource provider or its other customers will be handled;
  • Exit strategies from the relationship in the eventuality of an early termination of the agreement.

Above all, the detail of the outsourcing contract is paramount to maintaining confidence and mitigating the risks of outsourcing. It should clearly stipulate the expectations of the outsource provider, including:

  • Exact tasks and services to be outsourced;
  • Standards that the outsource provider must adhere to (legal and regulatory requirements, for example);
  • Key performance indicators (KPIs) and reporting requirements;
  • Business continuity arrangements;
  • Whether and how the contract will be audited.

Manage outsourced activity

Organisations should retain some capability in-house to provide oversight and verify the delivery of services, including whether specific requests of the outsource provider have been actioned. To do this effectively, staff with specific experience of managing security outsource arrangements should be sought.

The ease of measuring the quality and accuracy of work performed will depend on the type of security control outsourced and the extent to which the service provided is context-driven and/or reliant on the provider’s discretion.

Due diligence, a thorough risk assessment and a well-drafted contract will enable organisations to realise the advantages of outsourcing and ensure security requirements are satisfied. There are, however, some limits to bear in mind, which mean security controls can only ever be mostly – rather than fully – outsourced.

While organisations will release control to some extent, whether outsourcing services or systems, there will ultimately be a point in time when a business decision is required from the organisation before an outsource provider can take further action. Moreover, there will remain certain issues that cannot be solved by outsourcing, such as the insider threat, reinforcing the need to maintain an effective security capability in-house.

Outsourcing is, in itself, a risk decision. Understanding that risk in the context of critical security controls, including its potential business impact, is paramount. Equally important is establishing agreed processes on how to react should those security controls fail, whether due to a service failure, security breach or other form of disruption to the outsourcing arrangement.