A CISO’s Guide to Security Outsourcing
Daniel Wallace, CISSP, PMP, Information Security Consultant at Grow Forward
Last week, SecureWorks completed the purchase of VeriSign’s managed security service business.
This continues a trend toward consolidation and specialization in the security services market that has already seen IBM take over ISS, Verizon take over Cybertrust and BT take over Counterpane.
The players in this space appear to be adding scale in anticipation of the growth that is expected in this industry.
IDC’s 2009 Worldwide Security Services Forecast predicts that this market will grow from $23.5 billion in 2008 to $44.1 billion by the end of the forecast period.
Other industry experts suggest that the security services growth rate could be higher in light of a continued global recession that forces firms to stabilize security costs and cut staffing while dealing with a more sophisticated threat environment.
The decision to outsource information security isn’t the right approach for every business; the choice of provider and which services to farm out to a 3rd party are unique to each organization and set of circumstances.
Furthermore, while the responsibility for information security’s daily care and feeding can be outsourced, the accountability for compliance, information protection, and assurance still resides within the organization, usually in the CISO’s office.
There are several things the CISO will need to focus on and ways to not only influence the security outsourcing decision but also take ownership of assessing the risk inherent in the outsourcing relationship.
For purposes of this discussion I am going to skip over the managed vs. hosting provider; onshore vs. offshore; bundled service suite vs. a la carte analysis that factors into most outsourcing decisions.
I am also going to ignore the tactical question of whether firewalls, IDS/IPS, authentication, scanning and penetration testing are better done in house or left to someone else.
Instead I am going to present a generic set of considerations that will enable the CISO to ensure that risk considerations are baked into whatever direction the analysis takes.
Opportunity Discovery and Business Case Stage
Gartner recently outlined the benefits an organization can expect to receive from outsourcing information security.
The list looks much like the benefits of outsourcing any IT function and includes: improved service, skill sets and ROI; shorter implementation cycles; reduced cost; and increased focus on the core business.
Any service provider will assert that its security level is higher than the prospective customer’s. Against that stands a list of reasons not to outsource: risk to brand reputation, sunk investment in existing infrastructure, loss of control over unique critical technology, and impacts on compliance posture.
If a CISO is going to influence the decision of whether or not to outsource, he or she should start by taking ownership of a model that purposefully sorts out and quantifies the benefits of outsourcing a particular service against its risks.
As with building a business case for most security investments, the financial metrics are much more easily quantifiable and will likely be viewed as more objective than estimates tied to brand equity risk.
However, despite what your vendors might tell you, not every outsourcing arrangement will save money or result in a positive ROI based solely upon financial metrics.
The CISO will have to engage different constituencies to make this determination, usually the CFO, procurement, audit and perhaps legal.
Pricing estimates from vendors supply the other side of this analysis.
There is a good volume of information in the marketplace on standard pricing ranges for a host of outsourced services.
It can pay off to compare your vendor quotes for reasonableness against cost ranges available from sources such as Gartner and Forrester.
The Vendor Assessment Stage
The risk level of all potential outsourcing vendors must be identified.
Though it may make sense to stick with the “big name” players, it is also important to remember that large companies run into trouble and fail; the vendor’s own viability is part of the risk being scored.
The CISO can bring value to this analysis by building information assurance elements into a consistent, principled and repeatable risk scoring methodology.
Key information security considerations that should be tracked as part of this stage include:
- Information security policies
- Audit results and methods
- Standards and certifications
- Technical controls
- Security architecture
- Local regulatory compliance requirements
- Law enforcement practices
- Whether the vendor counts your key competitors among its customers
Based upon the CISO’s understanding of business requirements and risk acceptance levels a standard set of assessment questions can be developed that encompass the above information security considerations.
It is acceptable at this stage simply to pre-screen vendors by requiring them to self-assess against the questions; self-assessment answers are unverified, so treat them as a screen rather than as evidence.
The CISO should define any high-risk areas that will require in-depth assessment and review later in the process.
Contract Support in the Procurement Stage
Any vendor contract governing a relationship whereby the 3rd party will have access to corporate data and/or systems should have language that requires adherence to information security standards, data privacy regulations and corporate policy.
This is especially important when considering an information security outsourcing relationship.
CISOs should engage the legal department to develop boilerplate language that the business can plug into contracts to address information security concerns.
Before signing off on the services agreement the CISO should make certain that high-risk areas identified in the vendor assessment are addressed.
The approach and frequency of verifying that the vendor remains in compliance with the information security clauses in the contract should also be contemplated and included. More on this in the next section.
Ongoing Assurance
Once a vendor is selected and the organization enters a security outsourcing relationship the CISO will have to treat the outsourcing partner as an extension of the organization.
The CISO should build a process whereby ongoing assurance is maintained that the vendor remains in compliance with information security standards and contractual requirements.
The assurance process should have a method of tracking and verifying that remediation controls are implemented. The assessment process can take on one or more of the following forms:
- A formal audit of the vendor’s information security controls, standards and processes
- Technology and control assessments
- Onsite assessment to verify implementation of remediation controls and activities
- Automated security control monitoring
In most instances it will not be practical for the organization to perform all of these activities; however the CISO should determine who will conduct them, define a timetable/frequency schedule and ensure that this understanding is memorialized in the contract.
Often 3rd party outsourcers will provide a SAS 70 report to customers at some regular interval.
A CISO who intends to rely on a SAS 70 report for ongoing assurance should insist on a Type II report (which tests the operating effectiveness of controls over a period, not merely their design at a point in time) from a qualified independent auditor, should confirm that the report’s scope actually covers the services and locations the organization depends on, and should track any exceptions the auditor notes through to remediation.
Workflow Integration
Once the security outsourcing relationship evolves into a day-to-day working partnership with the vendor, linkages must be established between the organization’s control functions and the vendor’s operations.
CISOs should take the lead in developing a working relationship with the vendor in several key areas.
Change control becomes important because both sides need a mechanism to vet and process changes to information security and privacy policies, business continuity workflows, regulatory requirements and staff responsibilities.
The incident handling and response process will need to be aligned with the security outsourcing relationship, and responsibilities should be explicitly mapped between the two organizations so that it is clear who detects, who escalates, who notifies and who contains.
The security outsourcing vendor will need to be integrated into business continuity and disaster recovery plans.
Disaster recovery plans may need to be reworked in light of the outsourcing arrangement and the vendor should be involved in tests or exercises.
Just as embedding security into the early stages of the development process and checking controls at major milestones avoids costly pre-deployment changes, the CISO’s involvement at each of these stages of a security outsourcing rollout helps ensure that effective controls are built into the ongoing management of the relationship.
Daniel Wallace is a Detroit, MI based information security consultant who has been assisting executives and advising organizations on compliance issues for over 15 years. He can be reached at dwallace@growforwardllc.com
Linkedin - http://www.linkedin.com/in/wallacedan
Twitter – http://twitter.com/dpwallace
* * *
The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
Comments
3 Comments on A CISO’s Guide to Security Outsourcing
- Mark, Mon, 20th Jul 2009 9:14 am:
Very insightful article. I read it twice because it was so powerful.
- Outsourcing News Round Up : Outsourcing Opinions (pingback), Wed, 22nd Jul 2009 6:36 pm:
[...] The set of circumstances, the choice of provider and the choice services to a third party are unique to each enterprise or corporation. Learn more about this persistent trend toward consolidation and specialization in the security services market here [...]
- Latest Outsourcing news – A CISO’s Guide to Security Outsourcing : Information Security … | Special Resources for Google Conquest Members Only (pingback), Sun, 25th Oct 2009 1:25 am:
[...] A CISO’s Guide to Security Outsourcing : Information Security … [...]