A few years ago, cybersecurity outsourcing was perceived as something inorganic and often restrained. Today, cybersecurity outsourcing is still a rare phenomenon. Instead, many companies prefer to take care of security issues themselves.
Almost everyone has heard about cybersecurity outsourcing, but the detailed content of this principle is still interpreted very differently in many companies.
In this article, I want to answer the following important questions: Are there any risks in cybersecurity outsourcing? Who is the service for? Under what conditions is it beneficial to outsource security? Finally, what is the difference between MSSP and SecaaS models?
Why do companies outsource?
Outsourcing is the transfer of some functions of your own business to another company. Why use outsourcing? The answer is obvious – companies need to optimize their costs. They do this either because they do not have the relevant competencies or because it is more profitable to implement some functions on the side. When companies need to put complex technical systems into operation and do not have the capacity or competence to do this, outsourcing is a great solution.
Due to the constant growth in the number and types of threats, organizations now need to protect themselves better. However, for several reasons, they often do not have a complete set of necessary technologies and are forced to attract third-party players.
Who needs cybersecurity outsourcing?
Any company can use cybersecurity outsourcing. It all depends on what security goals and objectives are planned to be achieved with its help. The most obvious choice is for small companies, where information security functions are of secondary importance to business functions due to a lack of funds or competencies.
For large companies, the goal of outsourcing is different. First, it helps them to solve information security tasks more effectively. Usually, they have a set of security issues, the solution of which is complex without external help. Building DDoS protection is a good example. This type of attack has grown so much in strength that it is very difficult to do without the involvement of third-party services.
There are also economic reasons that push large companies to switch to outsourcing. Outsourcing helps them implement the desired function at a lower cost.
At the same time, outsourcing is not suitable for every company. In general, companies need to focus on their core business. In some cases, you can (and should) do everything on your own; in other cases, it is advisable to outsource part of the IS functions or turn to 100% outsourcing. However, in general, I can say that information security is easier and more reliable to implement through outsourcing.
What information security functions are most often outsourced?
It is preferable to outsource implementation and operational functions. Sometimes it is possible to outsource some functions that belong to the critical competencies of information security departments. This may involve policy management, etc.
The reason for introducing information security outsourcing in a company is often the need to obtain DDoS protection, ensure the safe operation of a corporate website, or build a branch network. In addition, the introduction of outsourcing often reflects the maturity of a company, its key and non-key competencies, and the willingness to delegate and accept responsibility in partnership with other companies.
The following functions are popular among those who already use outsourcing:
- Vulnerability scanning
- Threat response and monitoring
- Penetration testing
- Information security audits
- Incident investigation
- DDoS protection
Outsourcing vs. outstaffing
The difference between outsourcing and outstaffing lies in who manages the staff and program resources. If the customer does this, then we are talking about outstaffing. However, if the solution is implemented on the side of the provider, then this is outsourcing.
When outstaffing, the integrator provides its customer with a dedicated employee or a team. Usually, these people temporarily become part of the customer’s team. During outsourcing, the dedicated staff continues to work as part of the provider. This allows the customer to provide their competencies, but the staff members can simultaneously be assigned to different projects. Separate customers receive their part from outsourcing.
With outstaffing, the provider’s staff is fully occupied with a specific customer’s project. This company may participate in people search, hiring, and firing of employees involved in the project. The outstaffing provider is only responsible for accounting and HR management functions.
At the same time, a different management model works with outsourcing: the customer is given support for a specific security function, and the provider manages the staff for its implementation.
Managed Security Service Provider (MSSP) or Security-as-a-Service (SECaaS)
We should distinguish two areas: traditional outsourcing (MSSP) and cloud outsourcing (SECaaS).
With MSSP, a company orders an information security service, which will be provided based on a particular set of protection tools. The MSS provider takes care of the operation of the tools. The customer does not need to manage the setup and monitoring.
SECaaS outsourcing works differently. The customer buys specific information security services in the provider’s cloud. SECaaS is when the provider gives the customer the technology with complete freedom to apply controls.
To understand the differences between MSSP and SECaaS, comparing taxi and car sharing is better. In the first case, the driver controls the car. He provides the passenger with a delivery service. In the second case, the control function is taken by the customer, who drives the vehicle delivered to him.
How to evaluate the effectiveness of outsourcing?
The economic efficiency of outsourcing is of paramount importance. But the calculation of its effects and its comparison with internal solutions (in-house) is not so obvious.
When evaluating the effectiveness of an information security solution, one may use the following rule of thumb: in projects for 3 – 5 years, one should focus on optimizing OPEX (operating expense); for longer projects – on optimizing CAPEX (capital expenditure).
At the same time, when deciding to switch to outsourcing, economic efficiency assessment may sometimes fade into the background. More and more companies are guided by the vital need to have certain information security functions. Efficiency evaluation comes in only when choosing a method of implementation. This transformation is taking place under the influence of recommendations provided by analytical agencies (Gartner, Forrester) and government authorities. It is expected that in the next ten years, the share of outsourcing in certain areas of information security will reach 90%.
When evaluating efficiency, a lot depends on the specifics of the company. It depends on many factors that reflect the characteristics of the company’s business and can only be calculated individually. It is necessary to consider various costs, including those that arise due to possible downtime.
What functions should not be outsourced?
Functions closely related to the company’s internal business processes should not be outsourced. The emerging risks will touch not only the customer but also all internal communications. Such a decision may be constrained by data protection regulations, and too many additional approvals are required to implement such a model.
Although there are some exceptions, in general, the customer should be ready to accept certain risks. Outsourcing is impossible if the customer is not prepared to take responsibility and bear the costs of violating the outsourced IS function.
Benefits of cybersecurity outsourcing
Let me now evaluate the attractiveness of cybersecurity outsourcing for companies of various types.
For a company of up to 1,000 people, IS outsourcing helps to build a layered cyber defense, delegating functions where it does not yet have sufficient competence.
For larger companies with about 10,000 or more, meeting the Time-to-Market criterion becomes critical. But, again, outsourcing allows you to solve this problem quickly and saves you from solving HR problems.
Regulators also receive benefits from the introduction of information security outsourcing. They are interested in finding partners because regulators have to solve the country’s information security control problem. The best way for government authorities is to create a separate structure to transfer control. Even in the office of the president of any country, there is a place for cybersecurity outsourcing. This allows you to focus on core functions and outsource information security to get a quick technical solution.
Information security outsourcing is also attractive for large international projects such as the Olympics. After the end of the events, it will not be necessary to keep the created structure. So, outsourcing is the best solution.
The assessment of service quality
Trust is created by confidence in the quality of the service received. The question of control is not idle here. Customers are obliged to understand what exactly they outsource. Therefore, the hybrid model is currently the most popular one. Companies create their own information security department but, at the same time, outsource some of the functions, knowing well what exactly they should get in the end.
If this is not possible, then you may focus on the service provider’s reputation, the opinion of other customers, the availability of certificates, etc. If necessary, you should visit the integrator and get acquainted with its team, work processes, and the methodology used.
Sometimes you can resort to artificial checks. For example, if the SLA implies a response within 15 minutes, then an artificial security incident can be triggered and response time evaluated.
What parameters should be included in service level agreements?
The basic set of expected parameters includes response time before an event is detected, response time before a decision is made to localize/stop the threat, continuity of service provision, and recovery time after a failure. This basic set can be supplemented with a lengthy list of other parameters formed by the customer based on his business processes.
It is necessary to take into account all possible options for responding to incidents: the need for the service provider to visit the site, the procedure for conducting digital forensics operations, etc.
It is vital to resolve all organizational issues already at the stage of signing the contract. This will allow you to set the conditions for the customer to be able to defend his position in the event of a failure in the provision of services. It is also essential for the customer to define the areas and shares of responsibility of the provider in case of incidents.
The terms of reference must also be attached to the SLA agreement. It should highlight all the technical characteristics of the service provided. If the terms of reference are vague, then the interpretation of the SLA can be subjective.
There should not be many problems with the preparation of documents. The SLA agreement and its details are already standardized among many providers. The need for adaptation arises only for large customers. In general, quality metrics for information security services are known in advance. Some limit values can be adjusted when the need arises. For example, you may need to set stricter rules or lower your requirements.
Prospects for the development of cybersecurity outsourcing in 2023
The current situation with personnel, the complexity of information security projects, and the requirements of regulators trigger an increase in information security outsourcing services. As a result, the growth of the most prominent players in cybersecurity outsourcing and their portfolio of services is expected. This is determined by the necessity to maintain a high level of service they provide. There will also be a quicker migration of information security solutions to the cloud.
In recent years, we have seen a significant drop in the cost of cyber attacks. At the same time, the severity of their consequences is growing. It pushes an increase in demand for information security services. A price rise is expected, and perhaps even a shortage of some hardware components. Therefore, the need for hardware-optimized software solutions will grow.
Featured Image Credit: Tima Miroshnichenko; Pexels; Thank you!