Organisations are increasingly outsourcing information security functions. How do you do this in a way that fits your firm’s needs and minimises risk?
The shortage of people with infosecurity skills is proving to be a major motivating factor behind companies seeking outside help.
“The expense of cybersecurity talent has changed radically,” says JR Cunningham, chief security officer at Nuspire. “To acquire even baseline, fundamental cyber skills, it costs a lot more than it used to, so it makes sense for organisations to outsource those functions. The talent shortage can also be called the budget shortage since in many cases, it’s not that the talent isn’t there, but rather the company doesn’t have the money to pay for a full-time role.”
Right for you
How do you know whether you need to outsource – let alone what? This comes down to having a well-developed understanding of your current security situation and what it should be. This will reveal the gap that needs to be filled.
“The key is often starting with a security posture review, using a recognised framework such as CIS critical security controls,” says David Peters, technical director at AN Security. “Once gaps in your organisation’s security have been identified, choose those functions that you simply cannot perform, either due to a lack of skills or resource.”
This is also an opportunity to make the most effective use of the skills that you do have in-house.
“Something else to think about is what you’d rather have your team focus on,” explains Cunningham. “Many security leaders I talk to would rather have their teams focus on the more unique parts of the business and outsource the services that have become commoditised, like managed detection response (MDR).”
Matching your needs
Getting the right security that matches your particular threat landscape is not easy. And some organisations may be concerned that they will be sold an off-the-shelf solution that doesn’t fit their requirements.
“This is a huge problem,” says Cunningham. “Gone are the days of one-size-fits-all. What we’re seeing is an almost constant evolution in three distinct areas: threat actors and tactics, security technology and the state of the business. Any organisation that is looking to outsource needs to make sure the provider understands their business and industry, as well as stays current on threats and security technology and can adapt when needed.”
The approach must be business-led, rather than being influenced by the latest and greatest technology.
“Your provider shouldn’t be leading with a product or tool – more a holistic view of your current posture,” says Peters. “We’ve seen some seriously sophisticated tooling sold to organisations with little chance of ever effectively using them, while having no patching policy or asset register in place. Start from the ground up, get the basics right, then branch out from there.”
Outsourcing can feel like a loss of control, and maintaining situational awareness about your day-to-day risks and vulnerabilities can be a challenge.
“The flow of data, information, feedback and ongoing communication is critical,” explains Mark Guntrip, senior director of cybersecurity strategy at Menlo Security. “Data must be consumed in the right format to be ingested into existing systems. This ensures that in-house employees receive what they need to and that everything is maintained. SLAs are also critical for response times and the prioritisation of issues that will be addressed on a global scale. Regular updates (scheduled and defined by the SLA) on ongoing issues are a must.”
This also comes back to precisely which activities and capabilities you outsource.
“It’s not good to outsource a critical function such as an EDR tool and never speak with the provider,” says Peters. “Often the provider will give access to management consoles or dashboards so the client can retain some visibility.”
And defining what kind of communication you expect, and how often, is key.
“Make sure your provider is clear on what rises to the level of something they should wake you up for at 3am,” says Cunningham. “And let them know the types of updates you’d like weekly, monthly, quarterly or even yearly.”
Depending on the complexity of your situation and how much you are outsourcing, this can be a simple process – or a nightmare.
“The biggest mistakes I’ve seen are trying to outsource too much to one provider,” says Peters. “Often MSPs excel at one or two things, but endeavour to broaden their portfolio to include too much, where they themselves have limited resource. Make sure you choose your providers based on their speciality.”
But it isn’t always the supplier’s fault. Before entering into an outsourcing arrangement, you need to have a very clear idea of what you want from the provider, says Cunningham. “Setting expectations at the outset will help focus your conversations on what you really need, and make onboarding and ongoing operations a lot easier.”