Outsourcing your security services

In business, there's nothing unusual about outsourcing services that you don't have the time, resources or desire to manage yourself.

Human resources, marketing, and information technology are just a few examples.

In the last couple of years, Managed Security Service Providers, or MSSPs, have been the latest hit among industries that have been loaded down with new regulatory requirements.

While terms like HIPAA, GLB, and Sarbanes-Oxley create fear and loathing on the part of business managers, they are music to the ears of security consultants and MSSPs.

Seemingly overnight, new experts are everywhere, with providers springing up like stalls at a flea market.

Let's accept from the outset that security is different, and if you don't believe it, just ask companies in California, the first state to require businesses to inform customers when electronic data is compromised or unlawfully accessed.

Recently an organization named Hosting.com found itself on the pointy end of this obligation when it was required to notify 40,000 customers that their passwords had been compromised by hackers.

This is clearly the stuff of nightmares for businesses and is enough to send anyone running for help.

But the very nature of security compels us to clearly understand and avoid the disadvantages many companies miss when rushing to lower their risk profile by outsourcing security.

Here are a few.

Clearly identify needs before shopping.

Simply put, most companies outsource security because they have neither the time nor the sophisticated skills necessary to do it themselves.While MSSPs can bring a wide range of this talent to the table, it's still incumbent on the buyer to know what's needed.

Some companies may just need assistance managing VPN, firewall/router and intrusion detection systems, while others need support with internal issues such as password resets, server configuration, or policy compliance.

Are regular audit or vulnerability assessments necessary? What about virus protection? Regardless of organizational needs, it's important to clearly define where the line will be drawn regarding responsibilities; as a suggestion, policy decisions and governance should never be relegated to an organization outside of your own.

Ensure their policies don't become yours.

Clearly, any potential MSSP should be thoroughly vetted, including detailed reference checks and a clear understanding of how their internal structure will affect or merge with yours.

Consider this: You may be simply expanding the perimeter of your company to a group that has less internal control than yours, and ironically enough they'll be maintaining security for your organization.

Closely scrutinize internal policies and ask pointed questions - such as how access changes are managed when technicians leave their organization, or how internal controls are monitored.

How do they respond to violations of policy as it relates to customer information? Any MSSP that refuses to readily disclose this information should be shunned.

Get crystal clear expectations.

The service level agreement is an important contract between customer and provider.

Firm commitments are important.

The following are examples of what needs to be addressed for a successful relationship: What is the response time for security incidents following recognition? The MSSP must have a network or security operations center, staffed 24/7.

If an on-call or pager driven arrangement meets your needs, you don't need to outsource.

Staff must have certain qualifications and accreditation.

Review the credentials of individuals who will actually perform the monitoring, not just the public face of the company.

Do they have scalable and redundant infrastructure? What are their plans for business continuity or disaster recovery? Finally, what is the long-term viability of their company? Remember Pilot Network Services? They went out of business rather unexpectedly, stranding their customers, including the Los Angeles Times.

Accountability cannot be outsourced.

Regardless of outsourcing, all businesses are still responsible for maintaining the security of any information customers entrust them with.

Ironically, outsourcing security can increase litigation risk.

Let's say that ABC Company contracts out vulnerability assessments to XYZ MSSP.

XYZ delivers monthly reports detailing vulnerabilities that ABC Company never fixes.

ABC gets hacked and sensitive client information is stolen; subsequently, ABC gets sued.

The moral of the story: If you go to the trouble to outsource security, make sure it has the attention of appropriate management.

Don't assume this should be the IT department, as they are rightfully more concerned with keeping systems up and running than overseeing risk.

Final word.

There are many compelling reasons to consider outsourcing information security, but it should be noted security does not exist simply in products or policy.

People, processes, policy, education and technology must all work together.

No MSSP that can meet all of those requirements for your organization, nor should they be expected to.

Paul Singleton of Reno is an information security and compliance management professional with 20 years of experience as a hands-on practitioner, consultant, speaker and corporate trainer.

He can be reached at 996-1333.