Maksim Kabakou - Fotolia

Security Think Tank: Top things to consider in security outsourcing

What critical security controls can be outsourced, and how do organisations – SMEs in particular – maintain confidence that they are being managed effectively and appropriately?

Outsourcing cyber security operations is not only possible, but highly attractive – especially in the face of increasing complexity, the continual evolution of the cyber threat and the current shortage of skilled cyber practitioners.

However, what you cannot do is outsource the associated business risks and regulatory responsibilities, such as those under the General Data Protection Regulation (GDPR).

While service level agreements (SLAs) governing security services will exist, suppliers are unlikely to provide unlimited liability for consequential losses as the result of a cyber attack, or privacy breach. You therefore need to be able to make judgements on the services you are being provided and make informed decisions on what is sensible to outsource for your business.

At a business level the CISO will want to retain overall control and management of the organisation’s security policy, disaster recovery, regulatory aspects such as GDPR and high-level incident and media management, but it would be perfectly feasible to outsource the underlying support – such as the actual incident response and aspects of disaster recovery.

However, a full time CISO may not be affordable for small to medium enterprises (SMEs), so an alternative solution that is growing in popularity is to employ a “virtual CISO”. These are skilled and experienced CISOs who can provide independent support, to ensure regulatory requirements are being met and that outsourced providers are fulfilling the necessary service levels, at a fraction of the cost of a full-time employee.

Typical security services that can be outsourced include protective monitoring, vulnerability management, firewall management, antivirus etc. How you decide to outsource may depend on whether you already outsource your IT provision or if you use cloud services.

The current trend amongst SMEs is for cloud-based solutions, as they lower the overhead of having your own IT and security management teams, especially when using storage and software services as security controls – like patching and back-ups – are included in the subscription.

If you have an IT service provider, they may also be able to provide similar basic security services, or more advanced services such as security monitoring.

When outsourcing to multiple providers (e.g. using your IT provider for patching and antivirus, a specialist security monitoring provider for protective monitoring and a third provider for incident response), it is essential that they communicate not just at the time of an incident, but on a day to day basis to maintain a single situational awareness picture.

Deciding what to outsource is often driven by the need for specialist staff (who are currently in high demand), threat knowledge and the practicality of maintaining your own capability.

As illustration, on occasion you may need an incident response team of several experts covering incident management computer forensics, network forensics, malware analysis, etc. But having these professionals on the payroll full-time, “just in case”, would be too expensive, assuming you could retain their interest.

Also, effective protection depends on a good level of up-to-date threat intelligence so, unless you have specialists engaged in threat hunting and gathering threat intelligence, it will be difficult to defend your systems. Incident response and security monitoring, closely followed by vulnerability monitoring, are therefore the first things to consider.

Patching, firewall management and access management are more routine, so may be kept in house, but if this is the case, any protective monitoring provider must be aware of the current configuration to meet their SLAs.

Measuring performance

When appointing a supplier of security services, you should ensure they meet the appropriate standards, such as ISO27001, but to track and measure performance, it is important to set the SLAs and reporting requirements.

These should include performance measures covering time to patch, or apply new antivirus definitions, or notification time of different priority incidents and the time to advise on incidents/requests and provide incident reports, which should include recommendations as to any actions you may need to take.

Quality SLAs should also cover the delivery of regular reports. During the contract, you should look for the supplier not to just meet the SLAs, but to try and go above and beyond the SLA requirements and provide reporting that is valuable to your operational team, rather than just the minimum.

One of the main things you need confidence in from a protective monitoring supplier is the expertise of their staff and their security posture through continuously building their cyber situational awareness/cyber threat intelligence (CTI).

This is difficult to apply a quantitative measure to, but you should expect them to be continually improving their security posture through threat hunting and gathering information on the different threats. Ideally, they should be able to tailor this information to your industry vertical.

To gain further confidence, you can of course organise independent audits and tests on your own infrastructure to see if the supplier picks up on events occurring which are outside of “normal operation”.

Read more on Hackers and cybercrime prevention