In my last article, we examined the viability of cyber insurance. This article takes a look at the pros and cons of outsourcing various aspects of our cyber security programs.
There are many reasons to outsource aspects of your cybersecurity program, including but not limited to:
Most CISOs have to be budget conscious, and budget considerations can work both ways when considering outsourcing. For example, at various times I had to deal with corporate-directed hiring freezes. During these times, my CIO would free up funds so I could hire contract help to fill analyst roles in our Secure Operations Center (SOC).
I liked this model because the contractors were onsite, and we could ensure the quality of their work. In this model, they were not a shared resource with other clients as in off-site Managed Security Service Providers (MSSP) models. So, they focused solely on protecting our network and systems.
Of course, if budget is not a concern, companies can outsource their entire security monitoring function. Depending on your situation, outsourcing various components of your security program can be a cost-effective alternative.
Regulatory and Compliance Requirements
There are regulatory and compliance requirements that necessitate outsourcing specific cybersecurity functions. For example, if your organization is classified as a Level 1 Merchant by Visa/MasterCard, you have to have an annual certification (Report of Compliance (ROC)) audited and certified by a Qualified Security Assessor (QSA). Additionally, you have to have quarterly network scans performed by an Approved Scan Vendor (ASV).
Another example: as part of our annual financial audit, our outside audit firm would assess the security of the systems and processes involved in producing financial reports. Also, as discussed in my last article on cyber insurance, the insurance underwriter or the insurer will conduct a security baseline of sorts in order to understand the company’s security posture.
Outsourcing as the Right Thing to Do
It might be considered overkill, but I had two different outsourced vulnerability scanning services perform external security scans on a monthly basis. I found that no single vulnerability scanning service will catch and expose every vulnerability.
We used one trusted ASV outsource partner to provide scans to meet our PCI-DSS requirements. For the other, we were able to use the Department of Homeland Security’s Cyber Hygiene service since we had government-related components. These scans were augmented by our own robust external and internal vulnerability scanning program conducted by our in-house analysts.
Note: CISOs already know this, but I would like to point out that website vulnerability scanning is more of an art than a science. The validity of these scans depends on the effectiveness of the scanning tool, the skill of the analyst, and the analyst’s knowledge of the technical nuances of the website itself.
I also used a trusted outsourced security service provider to perform a number of security assessments annually.
Prior to developing our annual security budget, we would meet to plan and schedule a program of four to five security assessments to be performed during the year.
For example, we were rolling out a mobile consumer application, so we had an in-depth security review of the application’s code. Other assessments included red team pen testing, firewall configuration testing, industrial control system security, etc. We would change up the assessment program each year based on “hot” security topics to ensure we tested wide and diverse aspects of our IT infrastructure. Other outsourcing services that make sense are email phishing exercises and employee training and awareness programs.
Incident Response and Contingency Planning
Getting back to my experience with our PCI-DSS program (for which I considered we were highly compliant), we used a trusted third party in a “retainer” type of contract to assist us with incident response in the event of a credit card breach. This contract also included the annual incident response testing exercises in which all departments (e.g., IT, legal, security, communications) participated in testing our incident response plan.
They also reviewed our overall PCI-DSS security program and offered valuable recommendations for improvement.
Often an afterthought, backup and disaster recovery programs are key components of a company's operational IT infrastructure. Any disaster can escalate into a major disaster, and any business interruption can potentially create long-lasting issues. Outsourcing backup and disaster recovery can be a preferred solution as a simpler, easier way to ensure that a company's data is protected. Managed service providers can make the entire process of recovering from disasters faster, easier, and less damaging.
Other Outsourcing Considerations
Except for services like black box pen testing, outsourced cyber security service providers need detailed knowledge of the company’s networks, systems, and general IT infrastructure. This includes detailed knowledge of what software is being used and its version levels, which is critical in protecting the company’s networks and systems.
Ensure outsourcing contracts include detailed items such as:
- Specific and detailed descriptions regarding the tasks to be provided by outsourcers.
- If the vendor charges on a volume basis, such as for security desk calls and security alerts/resolutions, make sure to factor in seasonal adjustments, as in the travel industry, where holidays, vacation times, etc. can cause significant transactional spikes.
- Set performance metrics and Service Level Agreements (SLAs) as a way to exert controls over outsourcers.
- Rights to audit the outsourcer.
- Contract termination language.
- Outsourcer regulatory compliance – going back to the PCI-DSS example, the outsourcer should be responsible for compliance with items like timely patch applications and data encryption.
Have the outsourcer provide a list of references and make sure to contact them.
In summary, the old adage that “no one size fits all” is especially applicable to cyber security outsourcing. Trust is key to any partnership, and that works both ways in outsourcing arrangements.