Outsourcing Security: Do the Benefits Outweigh the Risks?
Today’s security landscape has made it difficult for all but the largest organizations to keep security functions in-house. Outsourcing security has grown more common, especially among companies struggling to keep up with the ever-changing cybercrime community and operate numerous enterprise security products by themselves.
Many companies lack the bandwidth to perform necessary security functions adequately. An IT department with limited staff is particularly unlikely to have all the specialized security skills the organization needs to protect itself against modern threats.
For organizations of any size, even those that prefer to keep security in-house, outsourcing makes sense during periods of rapid growth. Without outside help, it would be nearly impossible for even the largest firm to ramp up a dedicated information security department in a short amount of time.
The Pros and Cons of Outsourcing Security
Outsourcing at least some basic security functions to a managed security services provider (MSSP) has become increasingly popular for a number of reasons — one of the biggest being the amount of time it can save.
Outsourcing gives a company, no matter how limited its internal resources, access to 24/7 coverage from trained security experts. Most enterprises cannot provide the same level of service on their own because they have to confront other technical issues related to security, such as penetration testing, spam filtering, log monitoring and awareness training across the company — all of which were considered among the most frequently outsourced tasks by growing IT shops, according to CIO. Outsourcing also reduces risk, especially for organizations with only one person (usually the chief information officer) dedicated solely to security.
Of course, outsourcing security also has its drawbacks. An outsourced security provider can lack important insight into the organization when examining its risk. Without guidance from someone within the company, an MSSP may not understand typical user behaviors. It may also have trouble distinguishing noise from real security problems that need to be addressed.
Filling Outsourced Security Gaps
How can an organization navigate the drawbacks of outsourcing security? To start, it’s critical to select the right service provider, as switching to another vendor if things don’t go well isn’t always easy. Look for a provider with experience in your specific industry. Make sure the provider’s toolsets are expansive and its employees are trustworthy — you might solicit a recommendation from another non-competing vendor for this purpose.
Next, implement processes and communication channels to provide the MSSP with the right context for evaluating alerts. Internal teams should be prepared to explore and troubleshoot more events. If possible, assign someone internally to serve as liaison with the MSSP. It’s great to have someone to hold the provider accountable, but the role can quickly become a full-time job if not managed properly. If done well, however, these steps can help your company get the most out of its security investment.