Outsourcing Cybersecurity

With the incessant stream of malware, data breaches, and online fraud, there’s no doubt that information security is one of the main worries of IT and business executives today. To make matters worse, top executives are constantly under pressure to cut costs and increase profitability in their companies. Added to that is the difficulty in hiring competent cybersecurity professionals. These are some of the reasons why an increasing number of businesses outsource their security functions to a managed security service provider or MSSP. These third party providers can manage an organization’s network security, intrusion detection systems, vulnerability scanning, anti-malware, and firewall management, which are usually handled by an in-house information security team.

The benefits of outsourced security are attractive. These include cost reduction (always the primary argument), superior technology and expertise (as MSSPs have better hardware, software, and personnel), and 24×7 support. It’s peace of mind, but at what price? A couple of disadvantages come to mind: risk and loss of control. It is tough entrusting your most sensitive information (e.g., intellectual property) to a third party without thinking about WCGW (what could go wrong).

The argument for outsourcing is that an organization should focus on its core competencies instead of managing an IT infrastructure. Security processes fit well in the outsourcing model because they scale well and eliminate the need for specialized IT staff. According to Bruce Schneier, we usually outsource things that have one of three characteristics: they are complex, important, or distasteful. I bet information security is all three.

Should a critical function tasked with protecting the organization’s information be left with an outsider? If the answer is yes, which security function should be outsourced and which ones should remain in-house? The Cloud Security Alliance (CSA), which is the premier organization promoting secure cloud computing, argued that all of the security technology stack can be outsourced with the exception of the security governance, risk and compliance functions. This makes perfect sense since GRC (governance, risk, and compliance) is the core business process responsible for overseeing the traditional network and computer stacks.

Outsourcing security is an excellent option for organizations challenged by increasing costs and competition for cybersecurity talent. However, outsourcing security is not devoid of its difficulties. Therefore, organizations must always exercise due diligence when choosing which security function to outsource, selecting the right provider, and aligning its objectives with its selected service provider.
