Security Think Tank: Outsource security operations, not control
What critical security controls can be outsourced and how do organisations, SMEs in particular, maintain confidence that they are being managed effectively and appropriately?
Today’s organisations operate in an increasingly challenging environment. Factors such as cyber crime, the growth in data that needs to be managed securely and data protection legislation such as the General Data Protection Regulation (GDPR) all contribute to a significant rise in the risks they face.
As a result, IT security is now widely regarded as non-discretionary – an essential part of day-to-day business activities.
Despite this, it continues to cause a headache for many organisations, regardless of size, because it requires knowledge and skills that lie outside their core business operations.
This is exacerbated for small to medium-sized enterprises (SMEs): with limited resources to address these issues, it often comes down to bandwidth.
Arguments for a managed service
The need to do more with less raises the question of whether the “do-it-yourself” approach is a sustainable long-term strategy, with many enterprises, large and small, concluding that a better alternative is to outsource security controls.
Cloud-based technology makes this an appealing option; it allows costs to be based on a shared subscription model, and is therefore affordable and predictable.
As well as enabling costs to be managed, taking an outsourced (or managed service) approach has the potential to provide organisations with better technical solutions.
For starters, it gives access to the latest iterations of technology, which are usually out of reach of SME budgets. This is supported by a team of IT, security and risk management experts, effectively closing the “capability gap” that enterprises face as they struggle with increased risk, rapidly changing technology and finite knowledge and budgets.
Which controls it is most effective for SMEs to outsource will depend on what poses the highest risk to the business. It could be anything from basic segregation of duties checks to log collection, correlation and analytics (security information and event management, or SIEM).
But deciding to take the outsourcing route is only the first step. To ensure that they see real benefit, it is critical that organisations of any size are clear about how they will manage this way of working.
A key point to remember is that it is operations, not control, that is being outsourced: the organisation remains accountable for its own risk. This requires the right mechanisms to be in place end to end, from the initial scoping of the service through to day-to-day delivery.
There also needs to be a shared understanding between the managed service provider (MSP) and the customer about roles and responsibilities, reflected in contract documents that leave no ambiguity about who does what.
Communication and realistic SLAs
Service level agreements (SLAs) need to be practical and aligned to business objectives. They might cover service availability, response times for submitted tickets, or issue resolution times.
However, they also need to be realistic. The managed service company has very limited control over third-party technology providers, for example, and there is no value in committing to targets it may not be able to meet. SLAs also need to include mechanisms for regular reporting, as well as for dispute resolution.
Outsourcing, like most business technology processes, benefits from human input to provide insight and context, which will help SMEs to see real value in a managed service contract.
This requires the right forums to be in place, such as a monthly service report reinforced by regular meetings. These might look at issues such as whether SLAs have been set correctly.
On paper, the outsource provider may not be meeting some of them, but open, face-to-face discussion brings an understanding of why this is the case. A four-hour SLA to set up a new user may not be achievable for complicated roles that require complex access rights, for example. Appropriate communication resolves this, rather than leaving a series of SLA red flags.
Consultancy is critical
SMEs are often faced with situations where everything is a priority, such as client relationships, IT, human resources (HR) and marketing.
Therefore, it can make more sense to consider a more advisory or consultative IT security service to help senior management to understand what is important for their organisation, and to gain an external perspective on what good looks like. Only then can an informed decision be made about whether a particular risk is critical for the business and would benefit from additional controls.
In this way, the service provider acts as a management consultant and trusted partner in shaping the security strategy. Decisions on outsourcing controls can then be taken from a more knowledgeable standpoint, even if that knowledge did not originally sit within the organisation. The result is informed decisions on outsourcing critical IT security controls, with the customer kept closely in the loop.
This addresses the implicit assumption that organisations already know what security provision their business needs. It also gives SMEs that may not have the time or inclination to understand the nuts and bolts the strategic input they need.
Some SMEs may want to outsource the entire IT security process, although this calls for them to be comfortable relinquishing a high level of control, making it more critical than ever to do due diligence on the service provider, both in terms of technical skillset and whether it is the right fit for the organisation itself.
In conclusion, taking a managed service approach to security controls offers SMEs the latest technology solutions and relevant expertise. But, as with any business function, it needs to be proactively managed.