Data breaches are getting more sophisticated, more common, and more expensive; the average cost of a breach has reached $4 million, up 29% in the past three years. No organization, regardless of size or industry, can afford to ignore information security. The shortage of qualified cybersecurity personnel, combined with modern organizations preferring to outsource ancillary functions so they can focus on their core competencies, has resulted in many organizations choosing to outsource part or all of their cybersecurity operations, often to a managed security services provider (MSSP).
There are many benefits to outsourcing information security, including cost savings and access to a deeper knowledge base and a higher level of expertise than is available in-house. However, outsourcing is not without its pitfalls, and there are issues that organizations should be aware of when choosing a cybersecurity vendor. This article will discuss five best practices for outsourcing information security.
1. Never use an offshore cybersecurity provider
The bargain-basement prices offered by offshore cybersecurity providers are tempting to budget-conscious organizations, especially since many other IT functions, such as mobile app and software development, are routinely offshored.
However, mobile app and software development do not necessitate allowing contractors to have access to your organization’s network or sensitive data, and the work can be reviewed by an internal team before deployment. Due to the nature of the work, cybersecurity contractors have full access to your organization’s internal systems and data, in real-time. Meanwhile, there is no way to verify the education, skills, or experience levels of the offshore company’s employees, nor is there any way to ensure they have undergone comprehensive criminal background checks. Finally, if a breach occurs, you may have little or no legal recourse against the offshore provider even if you have proof that the breach was due to negligence or a malicious insider at their company.
Information security is simply too important to entrust to an offshore contractor. There is also a practical matter to consider: Offshore providers are unable to provide on-site security staff at your location, which leads into our second best practice.
2. Steer clear of providers that suggest solutions that are completely remote-based
Some cybersecurity companies provide services that are strictly remote, conducted entirely via telephone and the internet. However, a remote-only solution cannot fully protect your organization, especially since over half of all data breaches can be traced back to negligence, mistakes, or malicious acts on the part of company insiders. An MSSP can protect your organization from the outside and the inside through a hybrid solution that combines remote security operations center (SOC) monitoring with on-site security personnel who can work in tandem with your existing staff or function as a standalone, embedded SOC. These on-site personnel can help your organization establish cybersecurity policies and employee training, as well as immediately respond to security breaches.
3. Beware of providers that claim their solutions provide 100% protection against breaches
When evaluating cybersecurity vendors, you will inevitably come across providers who claim that their solutions are foolproof and will prevent all breaches. This is impossible. Cybersecurity experts are engaged in a never-ending war against hackers. As soon as one vulnerability is fixed, hackers devote themselves to finding the next one, and every new technology that is introduced presents brand-new vulnerabilities.
While a comprehensive cybersecurity solution will protect your organization against most breaches, the cold, hard reality is that there is no such thing as an impenetrable security system. Steer clear of providers who try to tell you otherwise. Not only are they being dishonest, they may also be unable to effectively respond when a breach does occur.
4. Ensure that the provider’s team has real-world experience in cybersecurity
Some cybersecurity providers hire recent college graduates or certificate-holders with plenty of classroom training in information security theory but little or no actual work experience protecting critical infrastructures. Cybersecurity expertise cannot be honed within the confines of a classroom. Entry-level trainees lack the experience to fully grasp the nuances of real-world information security procedures and challenges, which means they are far more likely to make mistakes than enterprise security professionals with years of experience. Make sure that your provider hires only seasoned security experts.
5. Beware of providers who talk about “magic hardware” and little else
Enterprise security hardware platforms are a hot topic in the information security industry right now, and many exciting new developments are being made in this area. However, security hardware is not a standalone solution, and you should be wary of any provider that tries to sell you on a “magic hardware” platform that will purportedly address all of your security needs. Security hardware is a tool for human security professionals; it does not replace them.
Outsourcing your organization’s information security is serious business. You are handing the keys to your kingdom – your company’s internal systems and sensitive data – to a third-party vendor. Asking critical questions and following best practices during the evaluation and selection process will ensure a successful, long-term relationship between your organization and your cybersecurity provider.
Mike Baker is founder and Principal at Mosaic451, a bespoke cybersecurity service provider and consultancy with specific expertise in building, operating and defending some of the most highly-secure networks in North America.