Outsourcing Security
In response to growing concerns about security and the ever-increasing complexity of managing these newly installed point devices, many companies turned to the same companies that managed their existing network infrastructure, or to the emerging band of managed security service providers. This seemed the logical response for any company seeking to offload the complexities of security management and to reduce the need for highly priced technical talent.
The problem was that most of the contracts contained clauses in the fine print absolving the service provider of liability and accountability for security incidents. Many such contracts promised little more than notification of events that the provider could not confirm as false positives. This level of service put the onus on the customer to respond to and resolve the incidents reported. In many cases, this caused extreme distress to unprepared clients in their hour of need, especially when these same service providers offered to assist in the incident response for additional hourly fees.
Outsourcing security has been a hot topic of debate for some time. There is a strong argument for both sides and no sign of consensus on the horizon. The facts are simple, yet overwhelming for many and include the following:
• Addressing security and IT risk is not optional.
• Legislation and liability are driving security to the top of CIOs' priority lists.
• There is a real awareness of the problem in bridging the gap between business people and the technologists.
• Technology is ever changing; therefore, security is a moving target.
• Good security resources are difficult to find, and costly to hire and retain.
• Outsourcing security does not transfer accountability or liability to the service provider.
Regardless of whether organizations choose to outsource or go in-house for security, the challenge lies in getting executive support and alignment between the business units and the security function. At worst, these relationships are adversarial and conflict between groups results in a decrease in productivity. At best, the security officer understands the business and is able to communicate the threats to business operations clearly and show that effective risk management actually enables the business.
Many enterprises make the mistake of outsourcing their security as part of a generic outsourcing agreement before obtaining this alignment. The outsourcing then leads to a false sense of security or a 'tick in the box'.
Recommendations
Organizations that simply cannot afford the investment in resources need to be sure of the services that they are buying and specifically what exclusions are in their outsource contract. Frequently, outsourcers offer low bids to secure the business and then try to make up for it in change or out-of-scope orders.
It is a fact that organizations will need to continuously adapt their security practices to suit the ever-changing environment. Threats, vulnerabilities and mitigation procedures have changed dramatically over the years and organizations must be able to adapt their contract and the underlying security architectures used to keep pace.
If organizations have questions about the service level commitments or the verbiage in the contract, they should consult a trusted advisor. A technology partner, independent auditor or legal counsel can help them navigate the complexities. For international and multinational organizations, it is important to seek advice on compliance requirements in every individual country in which the organization is conducting business, and to find out how their service provider is addressing those requirements. Once organizations understand what the outsourcer intends to do, they need to figure out how to fill the gaps.
Considerations
Organizations should consider the following points when outsourcing security (either in its entirety or as part of a bigger infrastructure outsource contract):
• Network access control and other integrity architectures are emerging to take their place in the self-defending network of the future.
• Note that compliance is the responsibility of the company, not the outsourcer.
• How does purchasing the service enable the organization to manage risk better?
• What are the terms of the agreement? Check SLAs, limitations and exclusions. Organizations need to know exactly what they are getting for their investment.
• Be prepared to respond when incidents occur; this means that organizations need an incident response plan and someone to deal with the response. The contractor must support post-incident review.
• Verify that the outsourcer is compliant with all relevant legislation, and verify the security procedures and best practices deployed by the service provider.
• Define security-related roles and responsibilities clearly and completely, and specify clear security objectives in the SLA for integrity, confidentiality, availability, accountability and use control.
• Appoint a security officer, even if it is initially in a secondary role. The security officer should have a direct reporting line to an executive who is empowered to address tough questions and make decisions that affect the risk exposure of the company.
• Retain the ability to monitor and audit the outsourcer's environment in order to independently verify fulfillment of all the objectives and expectations.
• Ensure that contract terms are flexible enough to allow for changes in a rapidly changing threat landscape. Outsourcing erects organizational walls, and no contract can anticipate every contingency, so rigid terms leave the organization blocked when the threats change.
• Measure contractor performance through security metrics such as number of incidents, time taken to respond to incidents, adherence to best practices, benchmarking, etc.
• Even if an organization is using best-practice frameworks such as ITIL or COBIT for SLAs, do not rely on these for security; use security-specific frameworks such as ISO 17799:2005.
• Customers need to try to include infrastructure "Security Assurance Level Agreements" alongside their standard SLAs in future outsourcing contracts, and minimize the number of people managing the network components.
The outsourcers' goal is to lock down and standardize to gain efficiencies and then sweat the assets. This is diametrically opposed to the adaptive nature required by modern-day secure infrastructures.