Information security outsourcing risks rise as security service providers take on many global customers whose systems they secure, and as companies fail to properly manage those security service providers.
All organizations review their expenditures periodically and often assess the need to make changes in order to reduce operating costs. Information security is not exempt from this process, nor should it be. Sometimes, as a result of this cost review, outsourcing appears to be the cheaper alternative and is considered as the path forward when the company decides to make strategic changes.
Outsourcing scope is often determined internally based on cost/benefit analysis, availability of expertise, and quality of services in areas where the business may be adversely affected by a lack of adequate security. For example, many service providers manage security operations from offshore, which is why they can deliver security more cheaply. But this does not come without added risks, as offshore staff will have privileged access to business and customer data, which brings up the following concerns:
There are two main solutions to address the above concerns after the outsourcing scope is defined:
Selecting a Security Provider
The process of selecting a security provider is somewhat like speed dating before getting married. At the beginning of the outsourcing process, a few pre-selected service providers are invited to give presentations to convince the company why outsourcing makes sense (in case some decision makers are still undecided) and why the company should select them. The providers are often very respectful, no matter how unreasonable an organization might be, because they want to win the outsourcing project. However, this attitude often changes for the worse after the contract is signed.
To select the finalist, the quality of the service is often validated by references from other customers and potentially a site visit. Existing customers usually praise the service provider for flawless service backed up by colorful monthly reports. One should not expect that the service provider will report all findings from its vulnerability assessments and penetration tests, especially if it has also been tasked with securing the infrastructure and the related systems or data. This is a SOD (segregation of duties) and COI (conflict of interest) issue of the highest order. If a vendor must secure systems as part of its security operations obligations and also provide security risk reports, those reports must be validated with some techniques which I will cover later.
Common Security Provider Challenges
The most common problem with MSSPs (managed security service providers) that monitor security for a variety of customers is that the MSSP typically has a SOC (security operations center) room with lots of monitors displaying plenty of charts and alerts. The overloaded staff watching those monitors are told to focus primarily on the top five paying customers listed on a whiteboard in front of them. If you aren't on the whiteboard, your systems are not a priority.
Another challenge relates to highly technical and specialized tasks such as penetration testing, where new vulnerabilities must be detected as quickly as the old ones are remediated. There is often no evidence that the individual completing the security testing used a quality tool rather than a freeware scanner, or that they are adequately skilled, nor is there any proof that all vulnerabilities present were discovered and reported, because of the COI factor I mentioned previously.
The major information security outsourcing risk is that while the intent remains the same, security assurance is greatly reduced, especially if incompatible tasks are outsourced to the same MSSP, which creates SOD and COI issues. An example is outsourcing web application management and penetration testing to the same vendor. This is no different from cases in which organizations assign security responsibilities to the IT and operations staff. What incentive would they have to bring security issues to the attention of executive management? It would be like committing suicide.
Separating operations from oversight is the only assurance solution, whether this is done internally or outsourced to another vendor that oversees the activities of the MSSP. This is no different from organizations that do not outsource information security yet retain a CISO who reports to the highest levels of management, if not the board, on the security posture of the organization across the enterprise.
Whether outsourcing or keeping the security capabilities in-house, the security governance and oversight group acts as a watchdog, providing assurance that the security of the enterprise is being properly managed and reported correctly and completely. The internal system owners, IT staff, and security service providers should be responsible for securing the enterprise systems, and the security team should ensure that this happens. Otherwise, management has no guarantee that security matters are being reported accurately and completely.