Which security functions outsource poorly and which outsource well

The IT security industry’s skill shortage is a well-worn topic. Survey after survey indicates that a lack of skilled personnel is a critical factor in weak security posture. If the skills are not available in your organization then you could: a) ignore the problem and hope for the best, or b) get help from the outside. Approach “a” is simply a dereliction of duty, and approach “b” has some negative connotations associated with the word “outsource”. It throws up images of loss of control and misaligned priorities.

As a service provider, we agree, and prefer to describe our SIEMphonic services as co-sourcing. Is it a panacea? Not really. Nothing is ever a silver bullet. There are security functions that do well when co-sourced, and then there are those that really must be performed internally. How do you know which is which?

This opinion from a Gartner Analyst breaks down defines defense as requiring deep knowledge of what to defend and how to defend. The former requires detailed knowledge of your IT environment, business processes, assets, systems, application, personnel, company culture, mission, and other knowledge of your IT, business and culture. The latter requires detailed understanding of threat actors, attacks methods, exploits, attacks, vulnerabilities, security architecture, and other security domain knowledge.

Using the above general guideline as a touchstone, here are two areas that can be done outside:

• Network Monitoring: It’s a process that requires specific expertise, but is usually far away from the core processes of the company. Most businesses can’t afford to have eyes on the network 24/7. In legacy security environments, customers received a daily list of 12 to 15 events. Now businesses process millions of events, 10 of which will be worth investigating, and eight of which might be false positives. It’s a lot of tedious work to justify allocating to full-time employees.
• Vulnerability Management: Vendors release updates constantly, and the consequence of not patching internal systems is now painfully clear to Equifax and the victims of WannaCry. Patching is like doing the dishes, a never-ending task, but one that lends itself well to co-sourcing.

Here are two tasks that should remain in-house:

• Incident Response & Breach Remediation: When a security breach or virus outbreak hits, a third party can alert you to suspicious activity, but they can’t figure out the network design and jump-start remediation. That’s something only your internal engineers can do because they deeply know the network. Remediation is not so much about technical skills as it is about the knowledge of the environment.
• Security Strategy, Policy, and Architecture: Anything that requires the business judgement of the risk you’re taking cannot be outsourced. Core functions like security strategy, architecture, and policy should be kept in-house, as should the responsibility of managing and executing programs through completion. These functions are all about business risk, and require a knowledge of risk appetite — things that cannot be done by an outside party.

If your organization is affected by skill shortage, then consider co-sourcing. Just be mindful of what does well vs. poorly with this model, and plan accordingly.

EventTracker’s co-sourced solutions can provide your organization with advanced tools, backed by world-class experts that monitor your network 24/7.