Information security outsourcing presents risks that companies must manage. As more companies outsource parts of their identity management and security services, and as more security service providers offer outsourcing solutions, the companies themselves remain responsible for managing those providers.
All organizations review their expenditures periodically and often assess whether strategic changes are needed to reduce operating costs. Information security is not exempt from this process, nor should it be. Sometimes, as a result of this cost review, outsourcing appears to be the cheaper alternative and is adopted as the path forward once the company decides to make the strategic change.
Cost is not the only decision factor for outsourcing security and identity management services. The outsourcing scope is usually determined internally based on a cost/benefit analysis, the availability of expertise, and the quality of service in areas where the business could be adversely affected by inadequate security.
Many service providers run security operations from offshore facilities, which is why they can offer security at a lower cost. This does not come without added risk: offshore staff will have privileged access to business systems and customer data, which raises the following concerns and questions:
- What are the service provider’s hiring and employee management practices?
- Do they hire cheap, unqualified, and unethical people to remain competitive in the offshore outsourcing business?
- Do they provide adequate employee training?
- Would they notify their customers if they discover data theft or system intrusions?
There are two main solutions to address the above concerns after the outsourcing scope is defined:
- Develop comprehensive Service Level Agreements, and,
- Audit them for compliance.
Selecting a Security Provider
The process of selecting a security provider is somewhat like speed dating before getting married. At the beginning of the outsourcing process, a few pre-selected service providers are invited to give presentations, both to convince any still-undecided managers that outsourcing makes sense and to argue why the company should select them. The providers are often very respectful no matter how unreasonable an organization might be, because they want to win the outsourcing project. This attitude often changes for the worse after the contract is signed.
To select the finalist, the quality of the service is often validated through references from other customers and possibly a site visit. Existing customers usually praise the service provider for flawless service backed up by colorful monthly reports. One should not expect the service provider to report all findings from its vulnerability assessments and penetration tests, especially if it has also been tasked with securing the infrastructure and the related systems or data. This is a SOD (segregation of duties) and COI (conflict of interest) issue of the highest order. If a vendor must both secure systems as part of its outsourcing obligations and provide the security risk reports on those systems, its reports must be independently validated (one practical technique is described in the steps below).
Common Security Provider Challenges
The most common problem with MSSPs (managed security service providers) that monitor security for many customers is the way their SOC (security operations center) is run: lots of monitors displaying plenty of charts and alerts, and overloaded staff who are told to focus primarily on the top five paying customers listed on a whiteboard in front of them. If you are not on the whiteboard, your systems are not a priority.
Another challenge relates to highly technical and specialized tasks such as penetration testing, where new vulnerabilities must be detected as quickly as the old ones are remediated. There is often no evidence of whether the individual performing the testing used a quality tool or merely a freeware scanner. There is also no immediate proof that the tester has adequate skills, nor any proof that all detected vulnerabilities were reported, because of the COI factor mentioned above.
The major information security outsourcing risk is that security assurance is greatly reduced when incompatible tasks are outsourced to the same MSSP, which creates SOD and COI issues. An example is outsourcing web application management and web penetration testing to the same vendor. This is no different from organizations that assign security responsibilities to the IT and operations staff. What incentive would they have to report security issues to executive management? Often, CISOs who are in charge of system security report to the CIO, who is in charge of IT systems and operations. Why would a CISO report all security issues to the CIO, especially if the CISO feels vulnerable, and why would a CIO report the security deficiencies of the systems he is tasked to manage to the executive committee? It would be like committing suicide.
Separating operations from oversight is the only assurance solution, whether the oversight is performed internally or outsourced to a second vendor that oversees the activities of the MSSP. This is no different from organizations that do not outsource information security but still retain a CISO who reports on the security posture of the enterprise to an executive outside the IT group or to the board.
Whether security services are outsourced or kept in-house, the security governance and oversight group acts as a watchdog, providing assurance that the security of the enterprise is properly managed and reported correctly and completely. The internal system owners, IT staff, and security service providers should be responsible for securing the enterprise systems, and the security team should ensure that this happens. Otherwise, management has no guarantee that security matters are being reported accurately and completely.
Steps to Manage Information Security Outsourcing Risks
- Clearly define the outsourcing scope in the contracts and establish a complete set of Service Level Agreements (SLAs) with org charts, roles and responsibilities, tasks, and timelines.
- Address key staff management issues in the agreements, such as hiring, training, conflict resolution, termination, and access monitoring.
- Audit against the SLAs to ensure compliance with the agreed-upon procedures. This is similar to any vendor assurance audit and should be done by the internal oversight team or by an independent party separate from the party providing the services.
- Require oversight team sign-off when deploying tools, systems, or changes, to make sure security has been properly tested.
- Ensure that all internal and service provider staff are subject to social engineering tests and mock incidents, and verify that their response is appropriate.
- Build known vulnerabilities into applications before commencing penetration testing to verify that the service provider reports all findings.
- Finally, avoid commingling operations with security; doing so creates huge information security outsourcing risks around SOD and COI. Companies are advised to own the security governance and oversight function and to separate that role from all IT and business operations.