All organisations should have at least one appointed security role. The person holding the role need not be dedicated to security, but training should be provided to ensure a defined level of skill. Any contracting of third parties to provide support services should be managed by that security role. Outsourcing security in its entirety is not viable.
To retain a level of assurance that security is being delivered as intended, a (relative) security specialist needs to define the checks and balances. Outsourcing security operations is achievable, but there is an overhead that needs to be taken into account. The operational tasks should be defined by design, not reduced to whatever the service provider can manage. Concessions may be made for a preferred supplier, but having the target state for security operations defined makes it possible to quantify those concessions and, if necessary, compensate for them elsewhere.
When a turnkey solution is being purchased from an integrator, it should be assumed that security has not been considered until proven otherwise. That is not to say that integrators are negligent, but their business focus is delivering what was requested for the lowest price. Typically, the security in a solution is not required to deliver the end user function and is consequently easily cut without complaint.
An independent party, whether internal or external, should be engaged to review the solution and ensure any risks it introduces are understood and formally accepted by the business prior to deployment.
Regardless of which security function is outsourced, testing should be an ongoing assurance measure. Operational teams should be subject to social engineering attempts and mock incidents, to ensure their response is appropriate. Known vulnerabilities should be seeded into applications before penetration testing commences, to confirm that the testers find and report them. Testing is of course required even when security is wholly sourced from within, but it then does not need to test the competence of an outsourcer, since the competence of internal staff should already be well understood.
The major issue with outsourcing aspects of information security is that while intent may remain the same, assurance is greatly reduced. This is best illustrated by considering the two extreme cases.
In an organisation with a complete internal security capability, there would be an independent security group that reports to the highest levels of management, if not the board.
Among other things, the group acts as a watchdog, providing assurance that the health of different areas of the business is being reported correctly and completely. The network team, for example, should highlight security issues (among others), and the security team should ensure this happens. Security staff are contractually bound as individuals and given incentive through their remuneration to perform these tasks completely and correctly.
In an organisation where information security is wholly outsourced, everything is one step further away. The contract is with a limited liability company with unknown recruitment strategies and who potentially subcontract a number of functions. There is typically limited opportunity to evaluate the individuals doing the work even if they can be identified. The incentives given to the outsourcer's staff are unknown and may contradict the intent of the function being outsourced.
The security of any business area that lacks controls providing assurance should be assumed to be low. While having good assurance controls around the integrity of an outsource agreement is possible, those controls are typically more expensive than they would be if the function were sourced from within. This is one of the overheads of effective outsourcing.
There is one major caveat that needs to be taken into account: people need to care about security. It sounds obvious, but this is often the largest influence on the quality of security services. Toyota does not put jacuzzis in its Hiluxes, because its customer base doesn't demand it. I am sure that if you asked any Hilux owner whether they wanted their truck to have a jacuzzi (at no cost and with no loss of function) they would welcome the feature. There is nothing like having a hot soak in the back country after a day of fencing. End users need to demand security and not simply accept the "brochureware".
They need to demand proof (assurance) that what they are getting is secure. When this happens, companies will take note and react to the market demand. Company management also need to take responsibility, if for no other reason than their ethical obligation. Management should demand more than a monthly pie chart and take an interest in the security of their organisation. When negotiating outsourcing agreements, security should be considered before signing on the dotted line.
Components of security can be delivered effectively by outsource partners, but it takes more than hoping for the best. Outsourcing security components, like any other business decision, should consider the whole impact: due diligence must be completed, the risks managed, mitigations implemented and, of course, assurance controls built in. While it is easy to blame security firms for the distressing state of most companies, the reality is that the blame lies a lot closer to home. Individuals need to demand security from suppliers and take responsibility for delivering it in the areas they control.
Simon Burson is an information security consultant. He has delivered policies, operating models, architectures and solutions in both internal and customer facing security roles. Email him at email@example.com