There has been a trend towards outsourcing and seeking support for security services. In a recent survey of 287 U.S.-based IT and business professionals conducted by CIO, CSO and Computerworld, 56% of the respondents said that their organisations are enlisting outside consultants to help with information security strategy and 40% said they are turning to Managed Security Service Providers (MSSPs). Australian companies are also following this outsourcing trend, as is evident from the annual Australian Cyber Security Centre 2016 survey. Of the 113 organisations that completed the survey, 55% outsource elements of their IT function and 83% actively sought security information, advice or guidance from external sources.
This follows a broader trend towards outsourcing functions. The Deloitte 2016 Global Outsourcing Survey found that outsourcing was likely to grow across a range of corporate functions including legal, facilities management, tax, human resources, finance and procurement. By far the largest areas currently outsourced are IT (72%) and real estate and facilities management (60%). These are the areas that traditionally incorporate the security function in an organisation.
The same Deloitte survey found that cost, enabling core business functions, and solving capacity issues are the primary drivers to outsource. Leading practice organisations use outsourcing to drive transformational change and improve business results. The survey also asked respondents to quantify the drivers for outsourcing functions. This information is presented below.
- Cost cutting (59%)
- Enables Focus on Core Business (57%)
- Solves Capacity Issues (47%)
- Enhances Service Quality (31%)
- Critical to Business Needs (28%)
- Access to Intellectual Capital (28%)
- Manages Business Environments (17%)
- Drives Broader Transformational Change (17%)
Agilient has found during numerous engagements with clients in the public and private sectors that the following five are the most logical security areas to outsource. All the following are areas that require minimal business context to gain consistent and effective results.
- Security systems, frameworks and plans. There is a range of security standards and frameworks available. It makes sense to engage a security provider experienced in all these standards and frameworks to architect your systems. Such a security provider will most likely have templated frameworks, policies, procedures and plans that can be customised for your unique culture and threat environment. This saves countless hours otherwise spent re-inventing the wheel or adding security policies, procedures and plans in an ad hoc fashion.
- Security threat and risk assessments. Security threat and risk assessments (STRAs) take a significant amount of time and expertise to undertake. They also need to be revised regularly as the environment changes. It makes sense to leverage a security provider that is exposed to many organisations and threat environments to undertake STRAs. Such a security provider will have a tested methodology for conducting STRAs, experienced personnel and a large database of potential threats and risk scenarios to draw upon. Additionally, a security provider will have a library of industry-specific tools and templates that will make the process more cost effective and ensure better quality outcomes.
- Security incident response. If you have security monitoring up and running, whether in-house or outsourced, the next thing to think about is what you will do in the case of a real security incident. While there is a lot of preparation that your company can do itself in terms of lining up the right people internally to help navigate the process of triage and to communicate a security incident internally and externally, it can be challenging to have the right on-demand expertise at your fingertips when you are in the thick of an incident. Therefore, establishing a relationship (either on retainer or simply by going through a selection process in advance) with a security provider that specialises in security incident response and forensics is a smart move.
- Third-party security risk assessments. Whether the third party in question is a vendor whose services you will use, another entity you are hoping to acquire or a partner you will somehow connect with, third-party security assessments are another common compliance and contractual requirement. It can be easy to treat these assessments as a “check the box and move on” type of task, but they are an opportunity to identify the real risks these third parties pose to your organisation. Third-party assessments are ideal candidates for outsourcing because it can be difficult to predict when they will occur, and they may therefore cause unwanted impact on your security team’s daily operations. Also, as long as you have a predefined framework and desired reporting outcomes, less business context is required to discover valuable findings and security risks.
- Training. Security training takes a variety of forms, and there are several products on the market that provide off-the-shelf security awareness content. However, nothing beats targeted security training that is specific to your organisation’s culture and threat environment. As such, this is a prime opportunity to leverage external expertise.
While your company may shy away from permanently outsourcing certain functions of your security program, sometimes the best option is to lean on a knowledgeable outside expert in an interim or long-term capacity.