Truvantis Blog

How much of your Information Security function can you safely outsource?

Outsourcing is now very common among technology companies. Sometimes a whole function is delegated externally such as accounting, HR, marketing. Even R&D can be delivered by remote teams, often in other countries.

So what about information security?

Managed Security Services Providers

There are many Managed Security Services Providers (MSSPs) in the market. These services are normally tightly defined to take on a few specific functions: virus and spam blocking, intrusion detection, firewalls, Virtual Private Network (VPN) management. But they are not taking on leadership of your Information Security program. They may suggest to you that they can deliver everything that you need, but are they really tracking background checks and physical access controls, and performing an annual risk assessment that reflects your changing business objectives? Will they help you define the InfoSec budget for next year, balancing costs with risk appetite?

Enter the vCISO

This is the realm of the virtual CISO service (vCISO). A vCISO service takes on the leadership of your Information Security program and can bring with it as much of the execution as you would like. Continue to use your MSSPs if you like, but as part of an integrated, monitored and managed approach to measuring and reducing risk.

Related: 7 Advantages of using a "virtual CISO" (vCISO)

Given the costs and challenges of hiring and retaining a full-time Chief Information Security Officer, this is generally a more budget-friendly approach, which can also bring you a maturity of methodology and depth of experience that would be hard to justify in a full-time hire.

The layers of InfoSec

Staffing a comprehensive information security team requires a blend of skills to perform the various functions, though for smaller companies a full-time employee for each may not be required. These functions and skills can be grouped into three main levels.

  1. Strategic Leadership - this is the office of the CISO. Responsible for setting strategy, agreeing on a budget for information security and reporting to the executive staff on risk metrics and progress against plan. There are also those special customers who are, or will be, strategic relationships for the organization and who need that special hug of reassurance from a CISO who can talk to them at their level.
  2. Tactical Leadership - this is often a position such as "principal security analyst": supervising the operation of the information security team, the performance of procedures and the effectiveness of controls. These are the people whose opinions are trusted on a day-to-day basis without having to escalate every issue. They perform risk assessments, participate in customer calls, perform audits and reviews, and often deliver security training to staff, especially developers. This is your powerhouse for developing the procedures and policies that will make routine operations run smoothly.
  3. Security Analysts - here, the rubber meets the road: crawling through data from a myriad of sources and investigating alerts, filling out customer questionnaires, performing vendor risk management and vulnerability management, and generally monitoring controls and compliance.

CISOaaS or vCISO

So are you ready to hire and build out this team of specialists, managing careers, politics and personalities, and worrying about strategy and direction? Or would you prefer to get on with being excellent at what you founded the company for in the first place?

Outsourcing information security to a vCISO team (also called CISO-as-a-Service) can take this problem off your plate. By bringing in the correct blend of skill sets at a price you can afford, you can manage the entire function under an SLA. And don't forget, it's much easier to ramp a service level up and down to respond to acute needs than it is to adjust headcount with such agility.

Concerns about outsourcing information security

But is that safe? Aren't you handing over the keys to the kingdom to some external third party? Well, sort of, but running a business is not about avoiding risks, it's about managing risks. Outsourcing anything is just another form of risk, just as hiring full-time staff is. You just need to manage the risk to the appropriate level.

First, do your due diligence on the firm that you are considering: check references from other customers like you, interview the delivery staff (not just the sales and executive team), and ask about methodology and standards. Also ask for certifications of the staff and company. Are they a CIS member? Are they a PCI DSS QSA? Do their staff hold CISSP, CISA, CISM, etc.?

Next, make sure you have your insurance coverage set appropriately, but also make sure that they do the same. They should be able to produce a certificate showing a fidelity bond, general and E&O insurance, workers' comp and cyber insurance at a minimum.

Finally, ask them to articulate how the process will work, from on-boarding through defining controls, mapping to compliance objectives, day-to-day management, escalation, planning and reporting. This should be their bread and butter, so the answer should be comprehensive and compelling.

Any form of outsourcing is a risk, but so is having employees. The real question is how you can leverage your balance of risks and opportunities to best propel your organization on its mission.

Topics: PCI DSS, SOC2, vCISO, HIPAA, CIS Controls, Security Program
