By Dave Buster
It seems like just about everything is outsourced these days. But what about when it comes to security concerns? Should we outsource cybersecurity? That's a good question, and like all good questions, the answer is, "it depends."
Many companies choose to outsource some cybersecurity functions due to the worldwide cybersecurity skills shortage and also to (hopefully) save money. However, outsourcing something as critical as cybersecurity has its own risks, and some critical cybersecurity functions should not be outsourced at all. Knowing the difference requires a considerable amount of knowledge on the part of the consumer.
Cybersecurity is a complex area, and for a discussion of outsourcing, it's helpful to break it down into sub-specialties. At Global Knowledge, we've identified the following cybersecurity functional areas:
- Secure Development (to develop applications with minimal vulnerabilities)
- Secure Operations (to install, configure, and operate systems securely)
- Penetration Testing (to intentionally attack systems to probe weaknesses)
- Incident Response (to detect and analyze security events and correctly respond to them)
- Identity and Access management (to manage identification, authorization, and permissions across all devices and systems)
- Data Loss Prevention (to deploy and manage security applications such as malware detection on endpoints and servers)
- Governance, Risk, and Compliance (GRC) (to measure and quantify risk, perform internal audits against best practices and standards)
- Architecture and Policy (to design and implement secure architectures in the data center)
Many of these functions should not be outsourced because responsibility and authority for security should not be separated. For example, Secure Development cannot be outsourced unless the entire application development process is outsourced. You can't simply outsource the responsibility to write some secure code and avoid the problem.
Likewise, much of DevOps can be outsourced in cloud environments, but the responsibility to manage security for those implementations still rests primarily with the business, not the cloud provider. For example, businesses often make the mistake of using the same security certificate for development as they do for production instances in the cloud. That is not something a cloud provider can fix.
Finally, security architecture and policy should always be kept in-house because regulatory agencies and laws assume the business is ultimately responsible. Saying "my contractor did it" won't stand up in court.
However, there are several functions can be outsourced depending on the situation. In order of popularity, it's most common to outsource:
- Incident Response (especially monitoring and analysis)
- Penetration and Application Testing
- Security Audits as Part of the GRC Function
Let's discuss these in order.
For incident response, there exists a large diversity of services from hiring contractors to sit onsite to remote automatic monitoring. More importantly, there are many hybrid product/service offerings being made available by solution vendors. These vendors often sell a product, like a Network Intrusion Detection System (NIDS) or Host Intrusion Detection System (HIDS) and offer a service to monitor them as a bundled offering (typically as a cloud service).
While often convenient, effective and inexpensive, care must be taken to make sure the solution is carefully tuned to match business requirements. More importantly, contract negotiations for bundled product and service offerings often focus more on purchase terms than actual Service Level Agreements for the services performed. The best approach is to be a knowledgeable consumer. Know exactly what is being purchased and what the limitations are. No system is perfect, and no cybersecurity solution can provide 100% protection. Purchasers should have the training to understand the job and what they are buying.
Penetration and Application Testing
Many companies hire penetration testing firms who will "attack" the company's network, resources, and even physical facilities. Few organizations have the necessary skills to do this on their own, and several new developments are happening in this area.
First, many law firms offering corporate council services can offer to run the contract for penetration testing. This is so that the results of the test, which show vulnerabilities, can be protected by attorney-client privilege. Otherwise, if a reported vulnerability was not remediated quickly, a company could be liable in court. (The report would be discoverable if not protected by privilege.)
Another new wrinkle in this area is to crowdsource the discovery of vulnerabilities using a bug bounty program. Large companies like Google and Microsoft run their own programs, but it's now possible for smaller companies to use services such as Bug Crowd. In any case, whether vulnerabilities are detected by internal testing, contractors, or the public, it's necessary to have sufficient education to know what to do to remediate the issues. If you don't understand the problem, you probably can't fix it.
It's becoming quite common to have security audits performed as an outsourced function. Many organizations operate in industries, such as finance and healthcare for example, that require such audits. These organizations are required to show compliance to operate such as the PCI-DSS standard required by credit card companies. These services are often assumed to be routine, but smart organizations use them as an opportunity for continuous improvement of processes and systems.
It's important to know that meeting the minimum requirements in an audit is not the same as being secure. Those minimums are just that-the bare minimum. Good organizations are better than that and use cybersecurity maturity models such as the C2M2 to measure their progress.
Finally, training is almost always outsourced in most organizations. Even though they may have individuals with the requisite skills and knowledge, these people also rarely possess the expertise in training necessary to get the concepts across to students. A strong, well-planned training program is critical to organizations whether or not they outsource or do cybersecurity functions in house.
For internal programs, training helps keep students aware of the latest industry best practices and techniques. Meanwhile organizations planning to outsource cybersecurity functions need sufficient education to understand the services they are purchasing.
Outsource? Insource? It's complicated. Either way, education can help you find the right solution to your company's needs.
- CISSP Certification Prep Course
- CCSP Certification Prep Course