In recent years, numerous high-profile attacks and countless more unreported security breaches have placed cyber security front and centre in IT discussions. Every CEO wants to hear a resounding “yes” from their CISO in response to this critical question- “Are We Secure?”
Unfortunately, as much as I wish I could say otherwise, I know with full confidence from my extensive time in the security domain that there’s no simple answer to this question.
For organizations that are not IT security focused or large enough to afford all the dynamics of running a Security Operations Centre (SOC), outsourcing security could be an option to reduce the possibility of a breach and address regulations. However, the thought of an external entity having access to your most crucial infrastructure and logs could make an CISO uneasy. There’s always the fear that an external entity could cause embarrassment to the organization. Hence it is an important decision which must be made only once multiple vital factors have been considered and addressed.
When you are contemplating engage the services of an outsourced security partner, consider the items listed below:
By outsourcing security, you may be addressing certain regulations while moving away from others. For instance, a regulation may require (most do) you to monitor your environment 24/7, hence by engaging an 24/7 Security Monitoring Service, you will address the requirement. Whereas other regulation may restrict you to push ‘your data’ outside the country, ensure you have reviewed such applicable restrictions and engage with the player which addresses it.
The unfortunate reality of cyber security today is that no system can be 100% secure and security breaches are inevitable. Hence Incident Response with “boots on the ground” is a must. Consider how soon (hours/days) your “Incident Response” partner can mobilize and ensure availability of experts at your premise.
3.Permissions and Accountability
To successfully deliver security services, your partner will almost definitely need to login to your environment remotely. What kind of visibility you can expect your auditor to require and can you to provide evidence of such access? Also, can you see what your partner is doing and when?
As you’ll now be dealing with an external provider, you need to have a well-defined method of monitoring the quality and effectiveness of the services. This means determining how do you see the service, incident reports, weekly/monthly reports, customer portal etc. Ensure this matches your business requirements.
All humans are different and so are the security analysts delivering the service. But a varied service experience is not something which any organization is up for. What measures / technology does the partner have in place to ensure all security incidents are handled with quality and consistency?
You get better result when things work together! How well does your partner enable technologies to talk to each other – share intelligence, enable orchestrated actions?
This list could get bigger and bigger, but these could be a good starting point to consider while evaluating a partner for the service.
Remember, just because it’s been outsourced, doesn’t mean it can be out of mind!
Majid Khan, MSS Architect at Help AG