Outsourcing Information Security

Ben Rothke writes "Outsourcing information technology has been the rage over the last decade, to the degree that there are not enough bodies in Bangalore and Mumbai for companies such as Wipro, Infosys and Tata to hire. The problem is that many companies have gone down the road of outsourcing without performing the proper due diligence. Rather than saving money, many organizations have found that outsourcing ultimately is much more expensive than keeping security functions in-house, in addition to other negative consequences." Read on for the rest of Rothke's review of Outsourcing Information Security. Outsourcing Information Security author C. Warren Axelrod pages 248 publisher Artech House rating 10 reviewer Ben Rothke ISBN 1580535313 summary Examines security risks related to IT security outsourcing

When it comes to the outsourcing of information security functions specifically, the situation is even worse. Far too few organizations know the inherent risks involved with outsourcing security, and don't properly investigate what they are getting into. The same company that makes it nearly impossible for an employee to enter the office supply closet to get much needed toner cartridge will outsource their intrusion detection, email and firewall systems without a blink.

One of the many reasons companies turn to security outsourcing and managed security services providers (MSSP) is to use their limited internal security staff for more interesting areas such as web development, VPN and e-commerce applications. They will then outsource the boring activities such as firewall and IDS monitoring and maintenance to a MSSP.

Given that activities such as firewall monitoring and administering an IDS in large enterprise requires 24/7 support, it is not unusual for a company to want to outsource such activities; monitoring and administering are not core functions of most organizations.

The trouble comes from the lack of due care often given to choosing a MSSP. With that, Outsourcing Information Security is a long-overdue book that asks the questions that are necessary before an organization decides to outsource any information security function.

The author's general tone is against the outsourcing of information security; but provides readers with the various benefits and risks involved in outsourcing security, and let's them ultimate decide if outsourcing security is right for their organization. It is the reader who must define, evaluate and manage those risks and determine if outsourcing is a viable solution. These include technology, business and legal risks.

The book comprises nine chapters and three appendices totaling a bit under 250 pages. The first two chapters provide a good introduction to and overview of outsourcing and information security, and the associated security risks.

Chapter 3 details various reasons why outsourcing information security makes sense. The chapter includes various tables and references to the many reasons why a company would want to outsource security.

Chapter 4 takes the other side and analyzes the risks of outsourcing. The chapter details the traditional risks, in addition to other factors such as hidden costs, broken promises, phantom benefits and more. The book shows that while many organizations hand over information security responsibility to their MSSP, when things go wrong, they can't effectively blame the MSSP. When things go wrong -- and they will -- all of the fingers in the world can be pointed at the MSSP, but the ultimate responsibility falls on the organization itself. With outsourced security, if something goes wrong, those fingers will point back to the company's security manager, not the incompetent firewall administrator in Bangalore.

The chapter provides a balanced look at the risk of outsourcing, and while calm in its overall approach, the chapter should at least make the person considering outsourcing information security think twice. In fact, the author concludes the chapter by stating "when all of the risks of outsourcing are considered, one wonders how anyone ever makes the decision to use a third party." Nonetheless, there is plenty of evidence that many security activities are indeed outsourced to MSSP, and are often satisfactory from both the buyer's and seller's perspective.

Chapters 5 and 6 provide a thorough summary of the costs and benefits of outsourcing, and provides a method with which to categorize them. The chapter is well suited for a CFO with its discussion of direct vs. indirect costs, controllable vs. non-controllable costs, and much more. These two chapters show that creating meaningful financial numbers to see if outsourcing makes financial sense is not such an easy task. It is important to understand that outsourcing sometimes makes financial sense, but certainly not all the time. For those organizations that don't crunch the numbers seriously at the beginning, these costs can later come back to haunt them in a big way.

Chapters 7 and 8 detail the processes involved in commencing an outsourcing project, from requirements gathering to placing policy against the outsourced company. A mistake many organizations make is failure to ensure that the MSSP is abiding by the client's information security policies, rather than their own.

Similarly, one of the most overlooked areas of outsourcing information security functionality is regulation. A U.S. company may be under numerous regulations, from HIPAA to Sarbanes-Oxley, GLBA, SEC and more; when they outsource their security functionality, the remote technician may not be under the jurisdiction of the SEC; but the corporate data still must be protected according to those regulations.

The main part of the book concludes with chapter 9, which provides a 20-step process to determine if an outsourced security solution is appropriate. In seven pages, the author specifies the various events, tasks and steps that make up the typical outsourcing project.

Appendix A provides a breakdown of the various services that can be outsourced, with Appendices B & C providing brief histories of IT Outsourcing and Information Security.

The only downside to the book is its $85.00 price, which is at the high-end for technology and business books. While the price is high, the book is a huge value for anyone considering outsourcing security. The book asks the questions that are often never asked, and details how the outsourcing of information security is not the slam-dunk that the MSSPs often portray it to be.

For those who know what their security issues are and look to outsource their security functionality to a trusted MSSP, Outsourcing Information Security shows how it can be done. On the other side, for those who are drunk with the panacea that outsourcing security is supposed to provide, Outsourcing Information Security will be a sobering wake-up call.

You can purchase Outsourcing Information Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, carefully read the book review guidelines, then visit the submission page.

Re:But outsourcing is good and creates jobs.

[Cat_Byte]

Thank you. I've been saying the same thing for years to all of the Bush bashers who have short term memory and don't even remember most favored trade status to China or NAFTA.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Nobody wants your data.

[Rosco+P.+Coltrane]

No, nobody wants your data, get that through your head!

You my friend need to do a reality check. People out there want your data. However meaningless items of data. *BAD*.

* Spammers want your email, as you point out
* Marketdroids want your consuming habits
* Health insurance folks want your latest medical checkup and your average cigarette consumption
* Car insurance companies want your tickets and warnings
* Pedophiles want your kids' school timetables
* The IRS want your overseas banking records
* Bubba from da 'hood wants to know when you take holidays

Please get real...

Re:But outsourcing is good and creates jobs.

[earthforce_1]

Ultimately he may be right - somebody has to clean up the mess, and the lawyers will have a field day the first time an outsourcing agency loses, or loses control of your medical records.

Re:At 85$ a go

[Tablizer]

Good points. Mod up.

I remember reading about a US company that tried to prosecute a worker in their India subsidiary for fraud and gave up. The legal firm they hired appeared to be taking advantage of the company's naivity about Indian law and culture, and the courts were so backlogged such that it could take decades to prosecute.

As bad as our court/legal system is, India's is much worse. Part of it is also that inter-country lawsuits take longer to prosecute in general.

Re:But outsourcing is good and creates jobs.

[Crash6-24]

Outsourcing can be internal (to the United States) and almost as bad as moving the work off-shore. For example, a major contractor at a GOCO is replaced with 13 contractors, each of whom got their piece of the bid by offering to lower the costs of operation. How do they lower it? 3 companies kept the pay and benefits of the old contractor. In the other 10 companies the employees lost their pensions to start, then the cost of healthcare insurance went up 10x from the former rate. Any new work gets assigned to the outsourced companies while the 3 unionized companies think of ways to move more work to the outsourcers.
Outsourcing definitely can be done on-shore.

Re:outsourcing in America is dangerous enough

[sonictheboom]

I'd say that there is no way you could walk into a job like that in Pakistan, India or China. NO WAY at all.

You'd be interviewed and checked out at the very least. Someone would take a copy of your (official) ID card.