Outsourcing is now very common among technology companies. Sometimes a whole function is delegated externally such as accounting, HR, marketing. Even R&D can be delivered by remote teams, often in other countries.
So what about information security?
Managed Security Services Providers
There are many Managed Security Services Providers (MSSP) in the market. These services are normally tightly defined to take on a few specific functions, like virus and spam blocking, intrusion detection, firewalls, Virtual Private Network (VPN) management. But they do not actually take the reins on your Information Security program.
They may suggest that they can deliver everything that you need, but are they really tracking background checks and physical access controls? Are they performing an annual risk assessment that reflects your changing business objectives? Will they help you in defining the InfoSec budget for next year--balancing costs with risk appetite?
Enter the vCISO
This is the realm of the virtual CISO service (vCISO). A vCISO outsources the leadership of your Information Security program and can execute as much of it as you need. Continue to use your MSSPs if you like—but only as part of an integrated, monitored, and managed approach to measuring and reducing risk.
Given the costs and challenges of hiring and retaining a full time Chief Information Security Officer, this approach is generally more budget friendly. It can also bring you a maturity of methodology and depth of experience that might be hard to justify in a full-time hire.
The layers of InfoSec
Staffing a comprehensive information security team requires a blend of skills to perform the various functions. For smaller companies, a full-time employee for each may not be required. These functions and skills can be grouped into three main levels.
- Strategic Leadership - this is the office of the CISO. Responsible for setting strategy, agreeing on a budget for information security, and reporting to the executive staff on risk metrics and progress against plan. There are also those special customers who are or will be strategic relationships for the organization and may need that special hug of reassurance from a CISO who can talk to them at their level.
- Tactical Leadership - this is often a position such as "principal security analyst." Supervising the operation of the information security team, performance of procedures, and effectiveness of controls. These are the people whose opinions are trusted on a day to day basis without having to escalate every issue. They perform risk assessments, participate in customer calls, perform audits and reviews, and often deliver security training to staff especially developers. This is your powerhouse for developing procedures and policies that will make routine operations run smoothly.
- Security Analysts - here, the rubber meets the road. Crawling through data from a myriad of sources and investigating alerts, filling out customer questionnaires, performing vendor risk management and vulnerability management, and generally monitoring controls and compliance.
CISO as a Service or vCISO
So are you ready to hire and build out this team of specialists, managing careers, politics, personalities? Are you worrying about strategy and direction? Or would you prefer to just keep being excellent at what you do—what you founded your company for in the first place?
Outsourcing information security to a vCISO team (also called CISO as a Service) can take this problem off your plate. By bringing in the correct blend of skill sets at a price you can afford, you can manage the entire function under an SLA. And do not forget, it is much easier to ramp a service level up and down to respond to acute needs than it is to adjust a headcount with that kind of agility.
Concerns outsourcing information security
But is that safe? Are you not just handing over the keys to the kingdom to some external 3rd party? Well, sort of, but running a business is not about avoiding risks, it is about managing risks. And outsourcing anything is just another form of risk - just as hiring a full-time staff. You just need to manage the risk to the appropriate level.
First, do your due diligence on the firm that you are considering. Check references from other customers like you and interview the delivery staff--not just the sales and executive team. Ask about methodology and standards. Also ask for the staff and company’s certifications. Are they a CIS member? Are they a PCI DSS QSA? Do their staff have CISSP, CISA, CISM, etc.
Next, make sure you have your insurance cover set appropriately, but also make sure that they do the same. They should be able to produce a certificate showing a fidelity bond, general and E&O insurance, workers comp, and cyber insurance at a minimum.
Finally, ask them to articulate how the process will work from on-boarding through defining controls, mapping to compliance objectives, day to day management, escalation, planning, and reporting. This should be their bread and butter, so the answer should be comprehensive and compelling.
Any form of outsourcing is a risk, but so is having employees. The real question is how can you leverage your balance of risks and opportunities to best propel your organization on its mission.