The last several years have seen a growing trend toward the outsourcing of various facets of enterprise IT. Outsourcing data center operations to the public cloud is easily the most common example, but it is far from being the only form of IT outsourcing. Organizations have also been successfully outsourcing help desk operations, systems monitoring and even security. Indeed, organizations are looking to outsourced security as a way to cut costs while adding protection, but, in practice, the model on its own doesn’t always work out that way.
While there are plenty of good reasons for outsourcing an organization’s security, there are just as many valid reasons for continuing to handle security in house. As such, it is easy to fall into the trap of believing that outsourced security has to be an either/or decision. Sometimes the best option is to outsource part, but not all, of your security operations. This approach is sometimes referred to as a hybrid security model, where some security functions are handled in house while others are performed in the cloud.
For those who are considering using a combination of in house and outsourced security, the first thing that you should do is pin down what you hope to gain by outsourcing part of your security operations. While this may seem like an overly simplistic thing to do, there is a very important reason for doing it: Identifying your goals up front will help you to create a plan that will allow you to achieve those goals.
Once you begin outsourcing portions of your organization’s security operations, there will likely be pressure from vendors and/or management to outsource everything else that is security-related. Having a solid plan in place ahead of time can help you avoid caving to pressure and making a bad decision.
The next step in the process is of course to begin figuring out how outsourced security can help you achieve your stated goals.
For example, suppose that an organization is considering security outsourcing as a way to save money. For many years now, cloud vendors have been working overtime to try to convince us that operating in the cloud is the inexpensive way of doing things. As such, there might be a natural tendency to assume that the simple act of outsourcing will save money.
In reality, security outsourcing can be quite expensive. Therefore, if the organization’s goal is to reduce costs, it would be a good idea to identify the security-related costs that are most likely to be reduced through outsourcing and focus on those. Many organizations find, for example, that they can save money by outsourcing compliance-related tasks.
Incidentally, if you are considering outsourcing a portion of your organization’s security as a cost-cutting measure, then make sure that your chosen vendor can provide you with security that is at least as good as what you can achieve in house. After all, you don’t want to weaken your organization’s security in the name of saving a few bucks.
Of course, cost isn’t the only factor that can motivate an organization to outsource a portion of its security. Another reason is to provide an extra layer of insulation against attacks. For example, if an organization is concerned about the potential for a DDoS attack, it might choose to outsource its internet traffic filtering so that DDoS attacks are dealt with before they can reach any of the organization’s assets.
IT staff can also offload some of the more mundane security functions, thereby freeing up staffing resources to focus on more pressing matters. In these types of situations, there may be several services that are good candidates for outsourcing. A few examples might include vulnerability scanning, firewall services, VPNs, Web content filtering and mail filtering.
For organizations that decide to take a hybrid approach to security, there are at least a couple of best practices to follow. First, choose a provider that focuses on the specific security function that you are outsourcing, rather than going with a security generalist. In most cases, you will find that the integration process is easier, and the service may be more comprehensive than what you would be able to get from a more general-purpose security provider.
Another best practice for transitioning to a hybrid security model is to avoid doing too much, too fast. If, for instance, you decide to outsource three different security functions, don’t attempt to transition all three services at the same time. Instead, start with one service, and don’t move on to the next one until you are absolutely sure that the first one is working. Transitioning multiple security services at the same time can make it extraordinarily difficult to troubleshoot any problems that may occur--and may leave an organization more, rather than less, vulnerable.