Is Outsourcing Security Management safe?

Outsourcing security management functions to another entity may increase the overall security posture of an organization. An entity that specializes in security may have more experience and better access to tools to provide a more secure environment (Boyle, Boglewicz, & Lovass, 2014). Besides providing expertise that a smaller organization may not have or be able to acquire easily, outsourcing provides economies of scale and other breach detection and prevention services (Hui, K., Hui, W., & Yue, 2012).

One major con to outsourcing security functions is that if the vendor uses a certain set of tools and those tools are compromised, all organizations it services may have the same vulnerability (Hui, K., Hui, W., & Yue, 2012). A recent example is the SolarWinds hack that affected most of the Federal Government and many huge defense contractors. Another con is that aligning the goals of the organization with the goals of the vendor is not easy and may not happen (Boyle, Boglewicz, & Lovass, 2014).

I recommend outsourcing to a cybersecurity company familiar with the controls and standards the organization decides to use. Furthermore, the organization must have the personnel and expertise in place to maintain oversight and be able to independently verify and validate the implementation of the security measures.

I do not recommend that a company outsource part of the security function and compromise confidentiality and possession of data. Without the ability to hold a single vendor responsible for security, the organization is left vulnerable (Boyle, Boglewicz, & Lovass, 2014).

Avaya outsources security functions but not oversight and management, which is successful for them. Prudential Financial also outsources and runs frequent oversight audits to verify the effectiveness (Network World, 2008). BP outsourced IT security, and the vendors found the fast pace of technology changes difficult to maintain. This resulted in BP reducing the number of vendor contracts (Wright, 2004). Pilot Network Services had over 8 years in business and over 400 employees. Its customers included PeopleSoft, VisionTek, The Washington Post Co. and several large health-care institutions and banks. It went out of business almost overnight and left its customers with no network security (CIO, 2001).

Cybersecurity4biz will change your business culture so that you can be responsible for your own cybersecurity at the day-to-day level with no effort or cost. This is the safest way to protect your data now and in the future.

References

Boyle, K., Boglewicz, M., & Lovass, S. (2014). Outsourcing and security. In S. Bosworth, M. E. Kabay, & E. Whyne (Eds.), Computer security handbook (6th ed.). New York, NY: John Wiley & Sons.

CIO. (2001, Aug 1). Outsourcing: What You Can Do If Your Security Vendor Fails. Retrieved from CIO: http://www.cio.com/article/2441402/outsourcing/outsourcing--what-you-can-do-if-your-security-vendor-fails.html

Hui, K., Hui, W., & Yue, W. T. (2012). Information security outsourcing with system interdependency and mandatory security requirement. Journal of Management Information Systems, 29(3), 117-156. Retrieved from http://ezproxy.umuc.edu/login?url=http://search.ebscohost.com.ezproxy.umuc.edu/login.aspx?direct=true&db=bth&AN=85985315&site=eds-live&scope=site

Network World. (2008, Mar 20). Outsourcing security tasks brings controversy. Retrieved from Network World: http://www.networkworld.com/article/2284703/lan-wan/outsourcing-security-tasks-brings-controversy.html

Wright, C. (2004). Top three potential risks with outsourcing information systems. Information Systems Control Journal, 5. Retrieved from http://www.isaca.org/Journal/archives/2004/Volume-5/Documents/jpdf045-TopThreePotentialRisks.pdf
