Many challenges arise for leaders in the technology and security sectors. Every day, we face decisions about cloud strategy, vendor choices, technology roadmaps, and outsourcing. In terms of security, we need to determine if we hold those functions internally or if we should outsource them.
Interestingly, many of the standards used to conducted assessments reference internal and external resources equally (NIST SP 800-53 Rev. 4 and NIST Cyber Security Framework) and seem to assume there will be a balance of both to ensure the security of an organization. While a strong mix of internal and external roles and responsibilities is important in achieving an effective information security practice, the benefits of outsourcing assessments and other information security functions are noticeable.
There are three primary reasons why leaders look to outsource the functions of their information security program: cost, lack of skill sets, and independence.
Cost
While it may be a large expense upfront to outsource your security operations, assessments, and chief information security officer (CISO), it’s often small in comparison to the long-term costs of keeping these internally and continuously paying employee salaries, benefits, training, etc. Outsourcing security functions is often a great way to apply industry best-practices at a flexible cost and bandwidth.
Skills
Outsourcing information security functions also allows you to have this expertise on-demand.
Security-related skill sets and information security teams are difficult to acquire internally and even more difficult to maintain. We’ve mentioned before that the information security industry is projected to have a 1.8-million-person workforce shortage by 2022.
The training and its cost typically create roadblocks for people attempting to begin an information security career. Because it’s challenging to find people to fill these roles, it can also be challenging to find people who excel at them.
Objectivity
Even if you can keep the skill set internally, there is always the concern that it is independent, or biased.
An internal employee could make a biased assessment, withholding some potential issues because some of the findings could show themselves or coworker in a less-than-positive light. This is especially true if the findings show issues over time. The same concern about independence exists if leadership is looking to use their existing IT provider.
Using an external, security-focused firm answers all these questions.
It lowers the overall cost by not having to continually house and train every information security function, it allows your organization the ability to have on-demand expertise in a limited talent pool, and it eliminates biases that your organization may or may not realize it holds.
Finding the Right Fit
When looking for a security firm to assist you in your initiatives, it’s important to do your due diligence.
In addition to independence, the choice of an independent security firm should include criteria like time in business, depth of risk management offerings (e.g. type of audits/assessments, penetration testing, vulnerability testing, and incident response team), number of consultants, and more.
FRSecure’s focus on fixing a broken industry drives us to offer outsourced security services to suit your organization’s needs.
We work with you to determine your security plan’s strengths and weaknesses, typically starting with an assessment.
Through the vCISO role, we work to leverage internal resources, third-party vendors, and FRSecure staff to produce a security plan that is appropriate for your organization. We work with the organization’s leadership to determine priorities and expected timelines—ensure projects are on track and ensuring that information is protected.
If you have any questions about how you can improve your organization’s information security functionality, please contact us or see what FRSecure can do for you.
I like how you mentioned that outsourcing your IT security services and needs helps keep important decisions unbiased. My friend is actually majoring in business, so I think he’d benefit from reading this article. Do you have any tips for choosing an IT service other than making sure they have in depth knowledge and support?
There are several factors but I recommend looking like the size of the organization and certifications as a way to understand their ability to meet the needs you may have. I would also ask them how they will safeguard access to your systems. Many MSP’s fall down in their ability to ensure non-repudiation (who did what when and can I prove it). You want to know who is on your systems and what they are doing. Additionally, have they undergone a security assessment like FISASCORE. They need to do more than just a scan and call it good.