Outsourcing is now very common among technology companies. Sometimes a whole function is delegated externally, such as accounting, HR, or marketing. Even R&D can be delivered by remote teams, often in other countries.
So what about information security?
There are many Managed Security Services Providers (MSSPs) in the market. These services are normally tightly defined to take on a few specific functions, like virus and spam blocking, intrusion detection, firewalls, or Virtual Private Network (VPN) management. But they do not actually take the reins of your Information Security program.
They may suggest that they can deliver everything that you need, but are they really tracking background checks and physical access controls? Are they performing an annual risk assessment that reflects your changing business objectives? Will they help you define the InfoSec budget for next year, balancing costs against risk appetite?
This is the realm of the virtual CISO service (vCISO). A vCISO outsources the leadership of your Information Security program and can execute as much of it as you need. Continue to use your MSSPs if you like—but only as part of an integrated, monitored, and managed approach to measuring and reducing risk.
Given the costs and challenges of hiring and retaining a full-time Chief Information Security Officer, this approach is generally more budget friendly. It can also bring you a maturity of methodology and depth of experience that might be hard to justify in a full-time hire.
The layers of InfoSec
Staffing a comprehensive information security team requires a blend of skills to perform the various functions. For smaller companies, a full-time employee for each function may not be required. These functions and skills can be grouped into three main levels.
So are you ready to hire and build out this team of specialists, managing careers, politics, personalities? Are you worrying about strategy and direction? Or would you prefer to just keep being excellent at what you do—what you founded your company for in the first place?
Outsourcing information security to a vCISO team (also called CISO as a Service) can take this problem off your plate. By bringing in the correct blend of skill sets at a price you can afford, you can manage the entire function under an SLA. And do not forget: it is much easier to ramp a service level up and down in response to acute needs than it is to adjust headcount with that kind of agility.
But is that safe? Are you not just handing over the keys to the kingdom to some external third party? Well, sort of, but running a business is not about avoiding risks; it is about managing risks. Outsourcing anything is just another form of risk, just like hiring full-time staff. You simply need to manage that risk to the appropriate level.
First, do your due diligence on the firm that you are considering. Check references from other customers like you and interview the delivery staff, not just the sales and executive team. Ask about methodology and standards. Also ask for the staff's and company's certifications. Are they a CIS member? Are they a PCI DSS QSA? Do their staff hold CISSP, CISA, CISM, etc.?
Next, make sure you have your own insurance cover set appropriately, but also make sure that they do the same. They should be able to produce a certificate showing, at a minimum, a fidelity bond, general and E&O insurance, workers' comp, and cyber insurance.
Finally, ask them to articulate how the process will work from onboarding through defining controls, mapping to compliance objectives, day-to-day management, escalation, planning, and reporting. This should be their bread and butter, so the answer should be comprehensive and compelling.
Any form of outsourcing is a risk, but so is having employees. The real question is how you can leverage your balance of risks and opportunities to best propel your organization on its mission.