Outsourcing Information Security

Ben Rothke writes "Outsourcing information technology has been the rage over the last decade, to the degree that there are not enough bodies in Bangalore and Mumbai for companies such as Wipro, Infosys and Tata to hire. The problem is that many companies have gone down the road of outsourcing without performing the proper due diligence. Rather than saving money, many organizations have found that outsourcing ultimately is much more expensive than keeping security functions in-house, in addition to other negative consequences." Read on for the rest of Rothke's review of Outsourcing Information Security. Outsourcing Information Security author C. Warren Axelrod pages 248 publisher Artech House rating 10 reviewer Ben Rothke ISBN 1580535313 summary Examines security risks related to IT security outsourcing

When it comes to the outsourcing of information security functions specifically, the situation is even worse. Far too few organizations know the inherent risks involved with outsourcing security, and don't properly investigate what they are getting into. The same company that makes it nearly impossible for an employee to enter the office supply closet to get much needed toner cartridge will outsource their intrusion detection, email and firewall systems without a blink.

One of the many reasons companies turn to security outsourcing and managed security services providers (MSSP) is to use their limited internal security staff for more interesting areas such as web development, VPN and e-commerce applications. They will then outsource the boring activities such as firewall and IDS monitoring and maintenance to a MSSP.

Given that activities such as firewall monitoring and administering an IDS in large enterprise requires 24/7 support, it is not unusual for a company to want to outsource such activities; monitoring and administering are not core functions of most organizations.

The trouble comes from the lack of due care often given to choosing a MSSP. With that, Outsourcing Information Security is a long-overdue book that asks the questions that are necessary before an organization decides to outsource any information security function.

The author's general tone is against the outsourcing of information security; but provides readers with the various benefits and risks involved in outsourcing security, and let's them ultimate decide if outsourcing security is right for their organization. It is the reader who must define, evaluate and manage those risks and determine if outsourcing is a viable solution. These include technology, business and legal risks.

The book comprises nine chapters and three appendices totaling a bit under 250 pages. The first two chapters provide a good introduction to and overview of outsourcing and information security, and the associated security risks.

Chapter 3 details various reasons why outsourcing information security makes sense. The chapter includes various tables and references to the many reasons why a company would want to outsource security.

Chapter 4 takes the other side and analyzes the risks of outsourcing. The chapter details the traditional risks, in addition to other factors such as hidden costs, broken promises, phantom benefits and more. The book shows that while many organizations hand over information security responsibility to their MSSP, when things go wrong, they can't effectively blame the MSSP. When things go wrong -- and they will -- all of the fingers in the world can be pointed at the MSSP, but the ultimate responsibility falls on the organization itself. With outsourced security, if something goes wrong, those fingers will point back to the company's security manager, not the incompetent firewall administrator in Bangalore.

The chapter provides a balanced look at the risk of outsourcing, and while calm in its overall approach, the chapter should at least make the person considering outsourcing information security think twice. In fact, the author concludes the chapter by stating "when all of the risks of outsourcing are considered, one wonders how anyone ever makes the decision to use a third party." Nonetheless, there is plenty of evidence that many security activities are indeed outsourced to MSSP, and are often satisfactory from both the buyer's and seller's perspective.

Chapters 5 and 6 provide a thorough summary of the costs and benefits of outsourcing, and provides a method with which to categorize them. The chapter is well suited for a CFO with its discussion of direct vs. indirect costs, controllable vs. non-controllable costs, and much more. These two chapters show that creating meaningful financial numbers to see if outsourcing makes financial sense is not such an easy task. It is important to understand that outsourcing sometimes makes financial sense, but certainly not all the time. For those organizations that don't crunch the numbers seriously at the beginning, these costs can later come back to haunt them in a big way.

Chapters 7 and 8 detail the processes involved in commencing an outsourcing project, from requirements gathering to placing policy against the outsourced company. A mistake many organizations make is failure to ensure that the MSSP is abiding by the client's information security policies, rather than their own.

Similarly, one of the most overlooked areas of outsourcing information security functionality is regulation. A U.S. company may be under numerous regulations, from HIPAA to Sarbanes-Oxley, GLBA, SEC and more; when they outsource their security functionality, the remote technician may not be under the jurisdiction of the SEC; but the corporate data still must be protected according to those regulations.

The main part of the book concludes with chapter 9, which provides a 20-step process to determine if an outsourced security solution is appropriate. In seven pages, the author specifies the various events, tasks and steps that make up the typical outsourcing project.

Appendix A provides a breakdown of the various services that can be outsourced, with Appendices B & C providing brief histories of IT Outsourcing and Information Security.

The only downside to the book is its $85.00 price, which is at the high-end for technology and business books. While the price is high, the book is a huge value for anyone considering outsourcing security. The book asks the questions that are often never asked, and details how the outsourcing of information security is not the slam-dunk that the MSSPs often portray it to be.

For those who know what their security issues are and look to outsource their security functionality to a trusted MSSP, Outsourcing Information Security shows how it can be done. On the other side, for those who are drunk with the panacea that outsourcing security is supposed to provide, Outsourcing Information Security will be a sobering wake-up call.

You can purchase Outsourcing Information Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, carefully read the book review guidelines, then visit the submission page.

For me...

[FiReaNGeL]

To me all the outsourcing problems can be resumed to a simple allegory : cooking.

Home-cooked and cafeteria; sure you'll eat just fine at the end of the day, but chances are the cafeteria food will taste bad, cost less in the short term (efforts + money) but more in the long term, and doesn't have the nice 'home' feeling.

And you're never sure if the cook is on a bad day and spit in your soup (security allusion, for those who don't get it).

Re:For me...

[JanneM]

But of course, if cooking isn't your speciality, then going to a real restaurant, which, while more expensive than cooking at home, will give you a dinner of a variety and quality in flavour and presentation you just wouldn't have been able to achieve by yourself.

Doing something like security badly may be far worse than letting someone else do it well.

Re:For me...

[fatjesus]

Interesting that you should say that. "Food" is tangible. Services are not. This is why so many American's have such a hard time understanding how outsourcing can improve the American economy.

The point I always try to emphasize to people is that the you can benefit from trade in services in precisely the same way that you benefit from the trading of goods. The law of comparitive advantage still applies.

Although, what you say is true. There are some added risks to "ordering out", but that doesn't mean that you should never do it.

Let the free market alone and it will cook for itself when that is most advantageous, and it will order out when cooking at home isn't as good an option.

Lasse Faire!

FUD

This is FUD, plain and simple. Outsourcing has happened and will continue to happen. Proper precautions must be taken in any business decision, but it is naive and sophmoric to eliminate outsourcing as an option based on the fears presented by the autor.

Re:FUD

[DJ+XpL0iT]

One of the first things you learn about properly securing any network is that a demarcation of responsibilities is critical.

I may be a gun security expert, who can design a bulletproof Firewall\IDS\Mandatory ACL schema\Managed virus control architecture for you, but AS A PERMANENT EMPLOYEE I am the last person you want deploying it and administering it.

Why?

Cos if I designed it and hold the keys to it, you know I am gonna eventually open up port 22 so I can futz about with my home machines. And then I might decide I really need to get the latest distro real quick and open up a few BT ports.

I can see how outsourcing security would help enforce that demarcation. Part of the outsourcing process would include determining who can authorise changes to the filters etc, and that means the organisation at least has to think about those issues.

And at the end of the day, around 80% of all data integrity\theft\leakage\etc issues originate from internal employess, not the black-hat external hackers everyone jumps up and down about.

Sure - use someone internal, with knowledge of your environment and needs to design the security posture, but let someone else deploy it and administer it.

Re:FUD

[parryFromIndia]

.... as they can't develop on their own.

Very true, makes a lot of sense. Although what did u actually mean by those underdeveloped economies will never be properly structured ?
Just curious.

This whole outsourcing thing is a big puzzle - it looks all the more confusing when you consider the social, economical and developmental aspects of it from the perspective of both countries. Does anyone have a genuine unbiased future view to share?

To begin with I think the underdeveloped nations reaping the benefits of outsourcing will continue to better their infrastructure and living standards at the least. If there arent many jobs (Manufacturing, Software etc) in the country which does outsourcing, people will be less and less capable of buying what those outsourcing companies sell. What hopes does an educated American have when it comes to jobs? What have been the effects of outsourced Manufacturing (to China, Taiwan) which has existed long before. How did the average American cope with it?

No flames please, just balanced views. Thanks!

Re:FUD

You have obviously never been on the end of making the decision regarding outsourcing confidential customer information. Your information is no safer here than in another country but there is one major difference - CULPABILITY and LIABLILTY.

Wells Fargo recently had 4 laptops stolen from a payment processing center in Georgia that contained 300K SS numbers and subsequent addresses. And what do they have to say? "WHOOPS! Our bad. Sorry, we'll try not to do that again." When in all actuality, it's happened twice in 12 months.

Do you think you would be hearing anything about this if it was in India or China? I think not. Maybe they would tell you it happened (thanks to SB1386 and GLBA) but details would be non-existent.

I will never think of outsourcing confidential customer data. The potential risks just outweigh the savings and overall costs.

Re:FUD

[parryFromIndia]

Very well put. "Slavery" was the right word since it is very comparable to a slave being dependent on his master for the money and the work both. But if we take your question and apply it to the US - if all software development and manufacturing operations were pulled out of the US right away will not its impact be similar to what would have happened in India? Aren't the people who have jobs in US also part of this slavery? Do you think developed country and undevloped country matters here? In this case the company is the master - it doesnt matter if it's Indian or American. The company will pull out if it doesn't see any value add or benefit and it will have the same effects as far as I can think. I totally agree with your thought on psychoeconomical effect. Don't get me wrong - I am just trying to sight the differences and make a guess as to where this thing is heading to - plainly out of curiosity.

At 85$ a go

[Timesprout]

Those books should be pretty secure on the bookstore shelves.

That aside though I think its about time people quit whining about how inherently evil outsourcing is. Many companies outsource everything from cleaning and security to payrole and management advise.

Of course if you outsource security there is a risk, just the same as you risk one of your own employees fucking you over if you keep it in house. Proper investigation and dilligence are required. Thats not to say outsourcing is an inherently bad thing. In many cases companies will gain from outsourcing to specialist companies who can offer greater competency than could be achieved inhouse.

Re:At 85$ a go

[Not_Wiggins]

You're oversimplifying the risks.

There are substantial differences between an outsourcing company and a local employee:

1)
The laws governing an outsourced company are the laws of their native country. Forgive me for saying so, but most of the "popular" outsourcing countries have weak fraud/theft protection for American companies.
-vs-
With a local employee, they steal from you, they're going to lose their job, go to jail, and suffer serious consequences.

2)
With an outsourcing company, they generally pay their workers a fraction of what you pay your local employee. So, given the guy who works for $6K a year (American) or the guy who makes $80K a year, which one is going to be more tempted to steal $10K worth of data? Combined with the penalties of point #1, that only adds to the temptation for the foreign worker and dissuades the local worker from stealing.

Outsourcing has its place... but, you have to add "consequences for breaking trust" to the equation.

Methinks security is the MOST important problem with outsourcing!

Secrets for Sale.

Ask yourself this. Were do you want your secrets to reside?

Who do you trust to watch them?

The companies are now multinational not national

No matter where the seed lies now a days companies have gown much bigger than the nation itself. Companies have become multinational trananational and their products and suppliers are all intetwined spanning multiple countries. So like it or not work is also going to be distributed and spread over many nations. Protection of intellectual properties and the like has to be developed within the organisation in consultation with the service provider or third party vendors. Taking an lazy outsiders look into the internal workings of an multinational company will not help to understand the extent of globalisation in every activities.

Re:Danger of China

[Rosco+P.+Coltrane]

If you want to protect yourself, always ask your bank, medical clinic, etc. whether it outsources information processing to China or India. If the answer is "yes", then find another place to do business.

Are you really this naive?

Your bank will answer "Sir, we are doing everything in our power to protect your privacy", or "the contractors with work with are fully accredited by us to handle your personal data" or something sybilline like this. They'd never admit flatly that they outsource to a shitty data center in a third world country. If they did, there'd be no problem since people would walk out the door without a second thought.

Re:Slashdot

Slashdot is overwhelmingly workers versus executives and business owners so it is not surprising that they have a protectionistic and socialist outlook on employment. To the Slashdot crowd, full employment is a "right" and an "entitlment." This fits in well with the Slashdotters love of any other country than the U.S. Of course, their love for another country is a love of convenience as it gets retracted quickly if that country does something to help itself such as seek jobs.

Due Diligence

[Agilis]

Do it yourself, or pay someone else to do it, since when did either case not involve doing your homework properly? The only bad thing about outsourcing security is that managers think they can get away with doing less homework than doing it in house. Otherwise, it's a perfectly valid option.

Re:Bring the boys...er...Jobs...back home!

[Marxist+Hacker+42]

Nah- Bush got re-elected. The Cheap Labor Movement is here to stay for at least another 4 years. (note, I would have said nearly the same about Kerry, but it would have been longer and more complex to get around the extra taxes).

Re:But outsourcing is good and creates jobs.

[LaCosaNostradamus]

True, the outsourcing method did start achieving refinement in the 1990s. It was in no small way due to the pervasiveness of the Internet, which convinces people that they have more managerial control across the world ... but it is undeniable that the Clintonesque business environment also offered significant advantages for those willing to become global instead of national.

But, outsourcing really swelled as a fad after the 911 attacks. I think of outsourcing and offshoring now as a businessman selling short on America ... by drawing down his investments in America and moving them to safer areas ("safer" = safer for growth and safer for profit retention). Any Socialist movement whatsoever in America will continue to repulse businessmen in this new mentality, and hence cause even further capital flight.

Re:Nobody wants your data.

Sorry to say, but this is incorrect at all, ive seen so many cases in where that "worthless" information has been used by enemies and competition from a company to do real public media and sector media damage.

As i alway remind everyone around, any kind of edge/extreme is incorrect.

Cheers.

Re:But outsourcing is good and creates jobs.

[I_Love_Pocky!]

did you ever pause to think that our President knows more about the economy than you do?

So, is that what he knows about? I was wondering if there was any knowledge lurking in that cavernous brain of his.

He won the electoral vote and the popular vote for a reason: people believe in his vision for the economy.

He won the election because some people believe in his vision for the economy, and a whole lot more people are terrified of homosexuals.

Misusing offshoring

[Tablizer]

Although I think offshoring will eventually gut our economy[*], if a company is going to offshore, then they should do it more effectively. Communicating business requirements to offshore teams can be tricky and time-consuming in itself.

I realize during recent programming projects that there are often little things that can be outsourced in order to help a developer deal with business logic more and technical issues less.

For example, a program crashes and you cannot figure out where it crashes. These kinds of tasks would be served well by somebody offshore. You only have to give them the program and ask them to find out why it crashes. They don't have to understand the business logic, only how to debug that language.

Another time we needed some test data. The developer could create a sample pattern and then offshore the data entry of similar entries.

Thus, a horizontal division of labor may be more effective than a verticle division.

[*] So will the alternative. I think the US does not offer anything economically special anymore, and we will become an also-ran economy. "Innovation" does not help much because much of the actual development of ideas can also be offshored these days. Thus, the source of innovation no longer generates as many local jobs as it used to. For every good idea there may be say 200 people bringing it to fruit. Now maybe only 50 of these remain local, for example.

Re:Slashdot

[Doomdark]

Your first statement is true, for the simple reason that there are many, many more workers than executives in the world, if not for anything else. But otherwise it's just incoherent rambling.

Could it be that many Slashdotters have also seen big problems with quality, related to off-shoring? And although much of it can be attributed to lack of normal decent oversight, resulting from greedy optimism, there are also some inherent problems... at least with the common system of half-ass transitioning of "boring" tasks to remote countries like India (remote as in having significant timezone different to US).

Personally I'm not all that afraid of losing my job (either the current one, or in general) -- I'm good enough to earn my living, with my talent, skills and experience, even with lower-paid competition. But I despise most of current off-shoring efforts, since as an engineer, it's obvious to me why they have problems. And although I could work on improving it (there are many things that could be done to improve things), there's little benefit. I can get things done using local workers, to be profitable, it's less hassle (out of sight, out of mind...); and on top of that, I can see competitors wasting good money on bad ideas. What's not to like?

Re:A book about information technology

[vsprintf]

cannot be complete without chapter 11.

Which is what you're likely to get if you turn the keys to the company over to people without any personal interest in the company or its future. Of course the CEO will then use his/her golden parachute and retire to spend more time with their family after all that exhausting CEO-ing.

Trusting Strangers...

[DataDragon]

Keep in mind, outsourced security firms aren't domestically regulated like banks or other groups. If you can't "sue", "arrest" or otherwise influence the people watching you, then why give them the keys?

Outsourcing security seems like a good paradigm at first, but trust is earned. Here, we have serious certifications (clearances, CISSP, credit ratings, background checks, bonding, etc.) and there's a definite degree of employer influence over their employees.

Maybe its just me, but whenever someone I don't know says, "Trust me! C'mon, take a chance, live a little, all the cool CEOs are doing it" I'd conclude right away that these guys are going to ruin me. Mostly because, up until now, "TRUST ME" hasn't been too much of a necessity in outsourcing.

Anyway, outsourcing security could be one of the next "Great" phishing scams, after all -- why go for the salad when someone can go for the five course meal.

Re:But outsourcing is good and creates jobs.

[vsprintf]

When it gets to the point that companies have laid off enough workers, they will realize that the workers are customers of the economy and without jobs people don't buy much.

Companies don't outsource jobs, company executives outsource jobs. Companies don't "realize" anything, and the CxOs don't care. Why don't people understand that the so-called *leaders* of corporate America (and government) don't care about anything except personal fortunes? Once they've got theirs, they couldn't care less what happens to the company or the "workers". How many executives have to be indicted or jailed before it's obvious? (And those are only the ones stupid enough to get caught.)

The Problem With Outsourcing: Results

[BartulaPrime]

What we really need to have are results of outsourcing. Sure, we've heard of Dell and a few other companies pulling work back to the US, but I doubt we'll ever hear of the failures or, for that matter, how bad it failed in terms of money and effort. I find it amazing that no investigative work has been done on reporting about the real effectiveness of outsourcing. My friend works for an IT recruiting company and they were told that Chase and another bank were quietly restaffing their US workers after moving most of their work overseas. The recruitment is for 4,000 workers for Chase alone. After the effort, move, and training, it turns out that they were getting the work at the same price, but now the quality sucked and were getting complaints from customers.

Employees are Perceived as a Greater Risk

[yintercept]

I think many firms think outsourcing security is safer as they see their employees as their worst risk. I've watched managers knowingly do horrible things to employees...then they become paranoid that they employees with act in retribution.

To a large extent, employees are a worse threat since they will learn the company's weaknesses. The growing distrust between management and workers is scary.

Anyway, my experience is that managers who perceive themselves in a different class than workers don't like delegating secutity to members of the class they disparage.

Practiced in the Art of Deception....

[rewinn]

Just finished Mitnick's "The Art of Deception". It gives me mixed feelings about outsourcing security. 1. Security should never be outsourced offshore, 'cuz offshore entitites are really beyond reach of our law. 2. Outsourced (onshore) security may be a good thing since the staff may be more immune to social pressure.

not so bad - medical outsourcing

[Statman]

Dont you think the people in India, China and Pakistan are concerned about sercurity as well? I mean think about it. If there is a continuous lapse in secrurity and you they caught, they go out of buisness. The fact is that to stay in business these offshore companies need to ( and some do) realize that we might loose buisness if we let all this personal information be readily available for our employees to view and share.