Leaders in the technology and security sectors face many challenges. Every day we make decisions about cloud strategy, vendor choices, technology roadmaps and outsourcing. For security specifically, we need to decide whether to keep those functions in-house or to outsource them.
Interestingly, many of the standards used to conduct assessments (NIST SP 800-53 Rev. 4 and the NIST Cybersecurity Framework, for example) reference internal and external resources equally and seem to assume an organization will use a balance of both to secure itself. While a strong mix of internal and external resources is important to an effective information security practice, the benefits of outsourcing assessments and other information security functions are clear.
There are three primary reasons why leaders look to outsource the functions of their information security practices: cost, lack of skillsets and independence.
While outsourcing your security initiatives, assessments and chief information security officer (CISO) role may be a large expense up front, it is often small compared to the long-term cost of keeping these functions internal and continuously paying employee salaries, benefits, training and so on. Outsourcing security functions is often an effective way to apply industry best practices at a flexible cost and with flexible bandwidth.
Outsourcing information security functions also gives you this expertise on demand. Security skillsets are difficult to acquire internally and even more difficult to retain. We have mentioned before that the information security industry is projected to have a 1.8-million-person workforce shortage by 2022. The training required, and its cost, typically create roadblocks for people trying to begin an information security career. Because it is hard to find people to fill these roles at all, it is even harder to find people who excel at them.
Even if you can keep the skillset in-house, there is always the concern that the work is not independent, or is biased. An internal employee could produce a biased assessment, withholding potential issues because some of the findings would show themselves or a coworker in a less-than-positive light. This is especially true when the findings point to problems that have persisted over time. The same independence concern applies if leadership is considering using its existing IT provider for the assessment, since that provider would be evaluating its own work.
Using an external, security-focused firm addresses all three concerns. It lowers overall cost by not requiring you to continually staff and train every information security function, it gives your organization on-demand access to expertise from a limited talent pool, and it removes biases that your organization may or may not realize it holds.
Finding the Right Fit
When looking for a security firm to assist with your initiatives, it is important to do your due diligence. Beyond independence, criteria for choosing a security firm should include time in business, depth of offerings (e.g. types of audits and assessments, penetration testing, vulnerability testing and an incident response team), number of consultants, and more.
FRSecure’s focus on fixing a broken industry drives us to offer outsourced security services that suit your organization’s needs. We work with you to determine your security plan’s strengths and weaknesses, typically starting with an assessment. Through the vCISO role, we leverage internal resources, third-party vendors and FRSecure staff to produce a security plan that is appropriate for your organization, and we work with the organization’s leadership to set priorities and expected timelines so that projects stay on track.