Misconceptions about information security outsourcing


Khalid Kark
10.02.2007
A few years ago, security management was considered a sacred cow; it was too important to be handed off to an external entity. After all, a mistake on the part of a service provider could mean porous perimeter defenses or sensitive data finding its way into the wrong hands.

But today attacks are more sophisticated and malicious hackers are more knowledgeable, and no company can afford a security breach amid the plethora of regulatory requirements. To top it all off, corporate IT environments are becoming more complex, and traditional defensive measures are not sufficient to protect the organization. In an effort to tackle all of these issues, CISOs are turning to security service providers for security management assistance in the following areas:

  • Analyzing and mitigating increasingly complex threats: CISOs are threatened by the complexity of attacks and an increase in the number of zero-day vulnerability exploits. Most worrisome are targeted threats, those meant to snare customers or employees of a single company or community. Rootkits, which are attack tools that conceal their presence on a victim's machine, have been a popular strategy for attackers since 2006 and prove to be exceedingly difficult to detect and remove. It is no longer sufficient to keep track of new vulnerabilities, detect which ones are applicable and apply appropriate configuration changes and patches. CISOs need help in devising strategies to proactively thwart complex threats.

  • Measuring, tracking and reporting on security metrics: Executive management expects justification when allocating dollars toward security, and regular progress reporting from the CISO. Business partners want reports for security accountability as well. Having a well-defined metrics program not only fulfills all these external expectations, but also enables the CISO to measure the effectiveness of the security program. CISOs need assistance in using metrics to measure their security posture, set goals, track progress, prioritize security initiatives and justify security spending.

  • Protecting information throughout its life cycle: Sources including government regulations and copious press coverage of data loss and identity theft have increased the pressure on businesses to better protect information. CISOs are struggling to comply with new regulations to safeguard consumer, financial, healthcare and employee data. A host of technologies are available to solve pieces of the problem, including encryption, endpoint security and information leak prevention (ILP). Strong authentication and identity and access management can augment these technologies in providing life cycle protection, but it can be a nightmare to integrate and operate these technologies, as well as audit to ensure there aren't any gaps. CISOs will need help in defining a comprehensive strategy and strong processes for identifying, classifying, handling, tracking, storing and disposing of information.

Security outsourcing represents a potentially compelling way to ease the burden of meeting these security program requirements. But as is often the case with IT outsourcing, a considerable amount of due diligence is required before making any kind of commitment, especially where security is concerned. Enterprises should keep the following misconceptions in mind while they evaluate their outsourcing options.

Outsourcing security is cheaper than doing it internally. Cost is usually one of the reasons businesses explore security outsourcing, but Forrester has consistently found that cost is not the primary driver. After all, outsourcing does not always lead to lower costs. In fact, many companies end up spending more. Some do so willingly because they gain competencies and get additional capabilities such as 24x7 monitoring or compliance reporting. Also keep in mind that an outsourcer that promises to help lower cost may do so by using cheaper resources or by taking more time to complete certain tasks.

Outsourcing security means transferring risk. Outsourcing means transferring responsibility, but not accountability. Careful consideration must be paid to the risk management aspect of the outsourcing deal. Data protection risks can't be transferred to an outsourcer, but the amount of risk a corporation takes on can be limited by developing right-to-audit clauses, service level agreements (SLAs) and limited liability provisions in contracts. It is also a best practice to ask outsourcers to adhere to a third-party security policy based on an organization's unique circumstances.

The vendor selection is similar to any procurement. A security outsourcing deal is much more intimate than a procurement contract. What does this mean? The complexity, scope, duration and business risk of an outsourcing deal dwarf most procurement contracts. Handing over a critical business process or technology changes the risk profile of the firm. This is not like a contract for parts or labor; it's essential to look beyond the technical capabilities while evaluating vendors. Think of it more like a partnership where alignment in corporate cultures and philosophies plays a significant role in the success of the relationship.

If my security operations are a mess, outsourcing security can help. The famous adage "garbage in, garbage out" applies here. If an organization has strong and consistent security operations, outsourcing can enhance their effectiveness, but a lack of operational control will make things worse. Therefore, it's important to strengthen operations before outsourcing. Outsourcing may help improve operational control, but the chances of success are increased if the services to be handed over already have solid measures and operational process control. If an organization does not have strong operational controls, it will be relying on the baseline set of controls provided by the outsourcer, which may or may not be in line with organizational requirements. To the extent possible, continue to drive improvements in the existing delivery environment before outsourcing.

Outsourcing security is the quickest way to get security controls implemented. Prepare for a marathon, not a sprint. Doing an outsourcing deal takes stamina and persistence over a fairly long period of time that can sometimes be compressed, but usually with increased risk. Prepare yourself and your team for the long haul by connecting first to the business strategies of the firm, and then building from there. It is appropriate to plan for some quick wins, but it takes time for the outsourcing relationship to mature. Companies that have successfully outsourced security operations typically report that it takes them six to 18 months to really normalize the outsourcing relationship.

Outsourcing security is not for everyone, so before jumping on the outsourcing bandwagon, pay careful consideration to the impact of outsourcing in a particular situation. More importantly, have very realistic expectations of the relationship. It's important to do the due diligence and ensure appropriate provisions are part of any contract, but it's much more important to find a trustworthy provider and continuously build on the relationship. Think of it as a marriage: you have to trust your partner, work on it consistently and be patient.

About the author:
Khalid Kark is a principal analyst at Forrester Research. His research focuses on information risk management strategy, governance, best practices, measurement, and reporting. He can be reached at kkark@forrester.com.
