Problem solve Get help with specific problems with your technologies, process and projects.

Misconceptions about information security outsourcing

With ever-evolving attack methods, demanding regulatory requirements and the constant threat of data leaks, it's no wonder security management can be a tough job. CISOs could certainly use a little help, and according to contributor Khaild Kark, one effective way to get that help is with security outsourcing. In this tip, Kark outlines the areas where most CISOs need assistance, and unveils common security outsourcing misconceptions and mistakes to avoid.

A few years ago, security management was considered a sacred cow; it was too important to be handed off to an external...

entity. After all, a mistake on the part of a service provider could mean porous perimeter defenses or sensitive data finding its way into the wrong hands.

But today attacks are more sophisticated and malicious hackers are more knowledgeable, and no company can afford a security breach amid the plethora of regulatory requirements. To top it all off, corporate IT environments are becoming more complex, and traditional defensive measures are not sufficient to protect the organization. In an effort to tackle all of these issues, CISOs are turning to security service providers for security management assistance in the following areas:

  • Analyzing and mitigating increasingly complex threats: CISOs are threatened by the complexity of attacks and an increase in the number of zero-day vulnerability exploits. Most worrisome are targeted threats, those meant to snare customers or employees of a single company or community. Rootkits, which are attack tools that conceal their presence on a victim's machine, have been a popular strategy for attackers since 2006 and prove to be exceedingly difficult to detect and remove. It is no longer sufficient to keep track of new vulnerabilities, detect which ones are applicable and apply appropriate configuration changes and patches. CISOs need help in devising strategies to proactively thwart complex threats.

  • Measuring, tracking and reporting on security metrics: Executive management expects justification when allocating dollars toward security, and regular progress reporting from the CISO. Business partners want reports for security accountability as well. Having a well-defined metrics program not only fulfills all these external expectations, but also enables the CISO to measure the effectiveness of the security program. CISOs need assistance in using metrics to measure their security posture, set goals, track progress, prioritize security initiatives and justify security spending.

  • Protecting information throughout its life cycle: Sources including government regulations and copious press coverage of data loss and identity theft have increased the pressure on businesses to better protect information. CISOs are struggling to comply with new regulations to safeguard consumer, financial, healthcare and employee data. A host of technologies are available to solve pieces of the problem, including encryption, endpoint security and information leak prevention (ILP). Strong authentication and identity and access management can augment these technologies in providing life cycle protection, but it can be a nightmare to integrate and operate these technologies, as well as audit to ensure there aren't any gaps. CISOs will need help in defining a comprehensive strategy and strong processes for identifying, classifying, handling, tracking, storing and disposing of information.

    Security outsourcing represents a potentially compelling way to ease the burden of meeting these security program requirements. But as is often the case with IT outsourcing, a considerable amount of due diligence is required before making any kind of commitment, especially where security is concerned. Enterprises should keep the following misconceptions in mind while they evaluate their outsourcing options.

    Outsourcing security is cheaper than doing it internally. Cost is usually one of the reasons businesses explore security outsourcing, but Forrester has consistently found that cost is not the primary driver. After all, outsourcing may not always lead to lower costs. In fact, many companies end up spending more. Some do so willing to because they gain competencies and get additional capabilities such as 24x7 monitoring or compliance reporting. Also keep in mind that an outsourcer that promises to help lower cost may do so by using cheaper resources or by taking more time to complete certain tasks.

    For more information:
    In this expert Q&A, security pro Michael Cobb explains the pros and cons of outsourcing email security services.

    In this tip, Richard Mackey explains how ISO 17799 can help infosec pros perform partner and service provider due diligence.

    Security expert Mike Rothman offers advice on the most effective ways to manage security risks, threats and vulnerabilities within an enterprise.
    Outsourcing security means transferring risk. Outsourcing means transferring responsibility, but not accountability. Careful consideration must be paid to the risk management aspect of the outsourcing deal. Data protection risks can't be transferred to an outsourcer, but the amount of risk a corporation takes on can be limited by developing right-to-audit clauses, service level agreements (SLAs) and limited liability provisions in contracts. It is also a best practice to ask outsourcers to adhere to a third-party security policy based on an organization's unique circumstances.

    The vendor selection is similar to any procurement. A security outsourcing deal is much more intimate than a procurement contract. What does this mean? The complexity, scope, duration and business risk of an outsourcing deal dwarf most procurement contracts. Handing over a critical business process or technology changes the risk profile of the firm. This is not like a contract for parts or labor; it's essential to look beyond the technical capabilities while evaluating vendors. Think of it more like a partnership where alignment in corporate cultures and philosophies plays a significant role in the success of the relationship.

    If my security operations are a mess, outsourcing security can help. The famous adage "garbage in, garbage out" applies here. If an organization doesn't have strong and consistent security operations, outsourcing can enhance their effectiveness, but lack of operational control will make things worse. Therefore, it's important to strengthen operations before outsourcing. Outsourcing may help improve operational control, but the chances of success are increased if the services to be handed over have solid measures and operational process control. If an organization does not have strong operational controls, it will be relying on the baseline set of controls provided by the outsourcer. This may or may not be in line with organizational requirements. To the extent possible, continue to drive improvements in the existing delivery environment before outsourcing.

    Outsourcing security is the quickest way to get security controls implemented. Prepare for a marathon, not a sprint. Doing an outsourcing deal takes stamina and persistence over a fairly long period of time that can sometimes be compressed, but usually with increased risk. Prepare yourself and your team for the long haul by connecting first to the business strategies of the firm, and then building from there. It is appropriate to plan for some quick wins but it takes time for the outsourcing relationship to mature. Companies that have successfully outsourced security operations typically report that it takes them six to 18 months to really normalize the outsourcing relationship.

    Outsourcing security is not for everyone, so before jumping on the outsourcing bandwagon, pay careful consideration to the impact of outsourcing in a particular situation. More importantly, have very realistic expectations of the relationship. It's important to do the due diligence and ensure appropriate provisions are part of any contract, but it's much more important to find a trustworthy provider and continuously build on the relationship. Think of it as a marriage -- you have to trust your partner, work on it consistently and be patient

    About the author:
    Khalid Kark is a principal analyst at Forrester Research. His research focuses on information risk management strategy, governance, best practices, measurement, and reporting. He can be reached at

  • This was last published in October 2007

    Dig Deeper on Risk assessments, metrics and frameworks

    Start the conversation

    Send me notifications when other members comment.

    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

    Please create a username to comment.