Let’s start with outsourcing. It’s one of the ten-year cycles in the IT industry: outsource non-core functions, then discover that they actually are core and bring them back in. Wash, rinse and repeat. For security this can make more business sense than for IT in general, as most businesses are not set up to support security 24×7, can’t retain the specialists they would need to do so anyway, and aren’t in the security business. So outsourcing isn’t inherently a problem.
But maybe they aren’t talking about staff. Maybe it’s just infrastructure that’s been outsourced. The Cloud Security Alliance has an entire body of knowledge on how to do this well. So having infrastructure managed by a third party isn’t inherently a problem either.
So does having your security outsourced make you inherently more secure? According to the Verizon 2012 Data Breach Investigations Report, the answer is no. An organisation is just as likely to have had a data breach whether its assets are managed internally or externally. This is a disappointing result, but hardly surprising, as managing IT is not the same as managing security.
What many businesses really think they are outsourcing is accountability for security, and that isn’t possible. Businesses need to define their own security policy, select an outsourcer based on its capability to meet that policy, and then keep the outsourcer honest. Otherwise they end up with the outsourcer’s risk appetite, which might be quite different from their own.
In the end, you really do get only what you pay for. If your outsourcer is certified to a recognised international standard such as ISO 27001, you will pay more, but you are far more likely to get a secure, auditable result. If you go down the cheap and cheerful route with security outsourcing, unfortunately you probably won’t end up either cheap or cheerful.
This myth is plausible: it is possible to successfully outsource security, but it isn’t easy.
Phil Kernick Chief Technology Officer
@philkernick www.cqr.com