I know what you're thinking: Outsource or in-source IT security? I've worked both sides, so here's my advice...
The pros and cons of using internal and external talent, or a mix of both
Comment You’re a small or mid-sized business and have a growing sense of unease that you aren’t doing enough on cyber security. Must be all those headlines about ransomware infections and databases ransacked. Or – perhaps – you’re experiencing an upsurge in phishing attempts.
Congratulations – you’ve woken up to something that a surprising number of companies haven’t. But now you’ve patted yourself on the back, the big question is: what’s next?
SMBs spent on average 27 per cent more on security in 2017 than the year before, according to a survey last year by Cyren and Osterman Research, yet fewer than half felt confident they could prevent a network intrusion. Just over half (52 per cent) had an IT security staff of two or fewer people.
The average SMB probably can’t afford what one might call a “proper” CISO to direct its security strategy. By that I mean someone with extensive experience and, typically, formal qualifications such as Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM). CISOs can command six-figure salaries, with an average of around £85,497, and even “regular” security staff start above the national average.
Security professionals are expensive because they’re in short supply. They have always been difficult to find, but according to ESG Research the shortage is getting progressively worse.
It’s therefore pretty certain that you’ll need to use third-party help at some point.
I’ve been on both sides of the consulting fence: as a CISO running cyber security internally and using external help, and as a consultant providing assistance to others. I’ve seen the pros and cons and been through the ins and outs of setting up and running outsourced cyber security contracts.
Let’s start with the pluses.
Using a managed service provider promises to cut the cost of your security set-up, since you no longer need to hire one or two expensive full-timers.
Some of you may have decided that if you can’t afford an in-house CISO you should opt for a CISO-as-a-Service instead. But that probably won’t get you much more than a day a week, because the daily cost of a specialist is far higher when outsourced than when in-sourced.
In such cases you’d be best advised to consider a hybrid role: combine it with other compliance or internal audit roles, for instance, or train one of your techies to step up.
Using a proper service provider is a better route. That, at least, gives you access to a full set of analysis, applications, appliances and staff. They can run detection and manage response, saving your handful of IT pros from the job of setting up, managing and filtering alerts, wading through a backlog of server logs, or keeping up to date with the latest vulnerabilities and fixes.
But there are a couple of downsides.
Loss of control and trust are two of the biggest issues. You are handing over the reins for your security, as well as responsibility for your data, to an outsider. Can you trust them in the first instance? And, in the second, can you be sure they’ll treat you as an individual, not a number? They may claim 24x7 support, but you know you aren’t their only customer.
Complicated and unrewarding
If you are willing to press on, what might you be thinking of outsourcing? The best thing to hand over is the really involved, complicated and – yes – tedious stuff.
Firewalls and VPN management are two good candidates. Why? To stay up to date with latest compliance and security standards requires ongoing management and dedicated attention. Access log management is another, owing to the number of logs – something that will depend on the complexity of your IT ops. Vulnerability and malware scanning are good areas, too, for the reason that threats do not stand still and your provider should be up to speed on what’s new.
Content filtering is a certainty. It can stop users following links they shouldn’t and then inadvertently downloading dangerous code, and again, it helps to have someone whose job it is to stay current. Distributed denial-of-service (DDoS) protection is another candidate. DDoS attacks aren’t new but they are evolving, from assaulting the network and transport layers to targeting the application layer, while the volume of attacks keeps growing, making it difficult to keep up. Again, this is a good example of relying on somebody who does this for a living.
Across all of these you will, of course, be talking about servers, devices, PCs, storage systems and cloud.
Taking the middle way
When it comes to the actual nature of your outsourced relationship, my first piece of advice is: don’t be tempted to go all in.
You can stay secure by in-sourcing some of the basic good-practice parts of your cyber security regime rather than relying on somebody else.
If you do have techie staff, the chances are their level of awareness of cyber security is already pretty high: they may have configured something like Microsoft’s Active Directory for sign-on and identity management to protect against unauthorised access, and could have built your firewalls. Retain that knowledge, and save money by not having somebody simply come in and hoover it up.
There’s off-the-shelf help you can draw on, too. The UK government’s Cyber Essentials sets a good standard: its five technical controls (boundary firewalls, secure configuration such as changing default passwords, access control, malware protection and patch management) are well within the remit and capability of most.
So, OK, you’re keeping some stuff and going to have a halfway house. Just don’t assume that by taking the middle way things will be problem-free. In fact, this relationship is just as complicated, and for exactly the same reasons, as if you’d gone 100 per cent outsourced.
The first big mistake is failing to define the requirements properly.
Let’s take an example. You’re using Cisco ASA firewalls but you don’t have the skills to manage them, so you outsource the job. But what do you expect the outside specialist to do? Monthly firmware updates? Weekly failover tests? Monitor the logs and respond to certain types of activity?
You need to be absolutely, 100 per cent specific in the wording of your contract about what’s expected: if something’s not in there as part of the service, you have no right to expect them to do it.
Are they doing a good job?
Supplier reviews are another big potential problem area. A widespread problem in outsourcing is engaging a supplier and leaving them to simply get on with the job, either by assuming they are the experts – so everything must be fine – or because you don’t have the time to check on them.
Part of the task of signing up an external provider is defining what my former boss calls “what good looks like”. You can call it a Service Level Agreement if you wish, but when you talk of SLAs there’s a tendency for people to start getting all hung up on ticket response times – in fact, you need to be defining the expectation across the board.
What you do need is to define in writing how each performance indicator is measured, and how that measurement is to be presented to you as evidence that all is well with the outsourced service.
As an SMB you may lack the skills to interpret the outputs of the service monitoring. If so, take independent advice when defining the measures and interpreting the results. Or there’s this approach: years ago, I was involved in exercises that were nothing more than defining the desired measures and checking another consultant’s homework. It’s a perfectly reasonable thing for you to do, should you lack the in-house skills for defining the relationship and measuring how it’s working.
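To make the point concrete, here is an added example of what “defining the measures and checking the homework” can look like in practice, taking the outsourced Cisco ASA firewall scenario above (monthly firmware updates, weekly failover tests, responding to certain activity). It is not code from the article or from any provider; the measures, thresholds, report layout and dates are all constructed for illustration. The idea is that the contract states each measure and the evidence the provider must supply, and you check that evidence rather than accepting a green dashboard on trust.

```python
"""Check a provider's monthly service report against written measures.

Added example, not from the original article. Measures, report contents,
field names and thresholds are all constructed for illustration.
"""
from datetime import date, datetime, timedelta

# Contracted measures, written down the way the contract should state them:
# what is measured and the threshold. These thresholds are assumptions for
# the example, not recommended values.
MEASURES = {
    "firmware_updates": {"min_per_period": 1},          # at least monthly
    "failover_tests": {"max_gap_days": 7},              # at least weekly
    "response_time": {"max_hours": 4, "min_fraction": 0.95},
}

# Constructed sample report for one month. The provider supplies it as
# evidence; this script checks it rather than taking it on trust.
REPORT = {
    "period_start": "2024-03-01",
    "period_end": "2024-03-31",
    "firmware_updates": ["2024-03-12"],
    "failover_tests": ["2024-03-04", "2024-03-11", "2024-03-25"],
    "incidents": [
        {"detected": "2024-03-02T09:15", "responded": "2024-03-02T10:05"},
        {"detected": "2024-03-09T23:40", "responded": "2024-03-10T06:10"},
        {"detected": "2024-03-17T14:00", "responded": "2024-03-17T15:30"},
        {"detected": "2024-03-28T03:20", "responded": "2024-03-28T04:00"},
    ],
}


def cadence_gaps(dates, period_start, period_end, max_gap_days):
    """Return (from, to, days) for every interval longer than max_gap_days.

    The period boundaries count as anchor points, so a first test that is
    late in the month or a last one that is early shows up as a gap too.
    """
    points = [date.fromisoformat(period_start)]
    points += sorted(date.fromisoformat(d) for d in dates)
    points.append(date.fromisoformat(period_end))
    gaps = []
    for earlier, later in zip(points, points[1:]):
        days = (later - earlier).days
        if days > max_gap_days:
            gaps.append((earlier.isoformat(), later.isoformat(), days))
    return gaps


def response_fraction(incidents, max_hours):
    """Fraction of incidents responded to within max_hours of detection."""
    if not incidents:
        return 1.0
    limit = timedelta(hours=max_hours)
    within = sum(
        1 for i in incidents
        if datetime.fromisoformat(i["responded"])
        - datetime.fromisoformat(i["detected"]) <= limit
    )
    return within / len(incidents)


def evaluate(report, measures):
    """Map each measure name to (passed, evidence string)."""
    results = {}

    done = len(report["firmware_updates"])
    need = measures["firmware_updates"]["min_per_period"]
    results["firmware_updates"] = (done >= need, f"{done} done, {need} required")

    gaps = cadence_gaps(report["failover_tests"], report["period_start"],
                        report["period_end"],
                        measures["failover_tests"]["max_gap_days"])
    results["failover_tests"] = (not gaps, f"intervals over limit: {gaps}")

    rt = measures["response_time"]
    frac = response_fraction(report["incidents"], rt["max_hours"])
    results["response_time"] = (
        frac >= rt["min_fraction"],
        f"{frac:.0%} within {rt['max_hours']}h, {rt['min_fraction']:.0%} required",
    )
    return results


def failed_measures(report, measures):
    """Names of the measures the provider missed this period, sorted."""
    return sorted(name for name, (ok, _) in evaluate(report, measures).items()
                  if not ok)


if __name__ == "__main__":
    for name, (ok, evidence) in evaluate(REPORT, MEASURES).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {evidence}")
```

With the constructed report, the firmware measure passes, the failover measure fails (a fortnight between the 11th and the 25th), and the response-time measure fails (one overnight incident took six and a half hours). The useful property is that each verdict carries the evidence behind it, which is exactly what you want on the table at a supplier review.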
Breaking up is not hard to do
An important part of the service review is the termination clause. Every relationship has hitches, and you need to be pragmatic and learn from them. But just as your HR team uses dismissal sparingly in its disciplinary regime, the option is still there to be used.
You may have outsourced cyber security, but accountability still rests with you, so be prepared to use the severance clause if you really have to.
In today’s world it’s wise for an SMB to outsource at least part of its cyber security, but don’t leap in. Weigh up the relative costs, make sure the contract is watertight, monitor things closely, conduct regular reviews, pay someone for their help on performance and service levels if you need it, and make sure you have a get-out should you need it.
Ultimately, remember: just because it’s outsourced, doesn’t mean you should let go. Outsourcing might be right for today but in-sourcing could also make sense at some point in the future. ®