Last week, we started off this two-part roundtable discussion with a talk about the current cybersecurity threat landscape and an overview of the growing demand for high-quality outsourced services. Today, our three industry experts continue their conversation.
Matt Wilson is an Information Security Advisor with over 15 years of experience in network security, policy assessment and development, penetration testing, and network assessment for clients ranging from Fortune 500 companies to small local businesses. David Menichello is Director of Advisory Services. He helps clients design, implement, and maintain information security programs that are practical, effective, commensurate with the risk, and aligned with business strategy. Kevin Walter also weighed in. As the Director of Security CX, he leverages his extensive experience in security operations to help clients expand their cloud presence.
Q: What advice do you have for business and security leaders who are thinking about which security operations functions to outsource? When does it make sense to keep something in-house?
Matt: Start by asking yourself what your team has the time to focus on, but recognize that ensuring that you have the expertise in-house to accomplish the task at hand is also critical. Tapping into external expertise can make a big difference. Sometimes you don’t know what you don’t know. Here’s an example: our team often completes questionnaires on behalf of our clients to meet due diligence requirements. Before we got there, someone within the client organization was completing those questionnaires, and they were doing it to the best of their knowledge and ability, but they’d read and respond to those questions in a very different way than we would. Because we eat, sleep, live and breathe security.
Dave: I think it would be difficult to outsource something that requires a high level of institutional knowledge, or perhaps an in-house understanding of the value that a company’s data has their processes and how they use data, and the reputational risk that’d be incurred in case of a breach. That’s something that an internal team might have the ability to do better than a third party, but in that case, a third party could do the security monitoring, which to a certain level is business-agnostic. You don’t need a high level of institutional knowledge to research, investigate and respond to alerts.
Kevin: I agree. There’s only so much institutional knowledge you need to be a really effective defender. A SecOps team should know which assets are most critical and understand the threat landscape, but we really want to be able to protect everything a customer has. Any asset might be an entry point that attackers could use as a beachhead or jumping-off point to get to a critical asset. When a SecOps team is mature, they widen their focus. The goal is to ensure we can catch things as early as possible.
Dave: Time is a consideration as well. Incidents are going to happen, and they require colossal amounts of time from everyone involved. No team has infinite resources, so you’ve always got to look at what’s available to you and make good decisions about how you’re going to get things done efficiently. If an incident occurs, working on it can’t be avoided. It’s a good idea to say beforehand, “If an incident were to happen, and we needed to divert internal resources to work on it, what are the things that we could outsource so that we could still maintain operations and keep working on our most important initiatives?” Because an incident will happen.
Matt: Another thing I’d say is that if you have no appetite for failure, you’re going to be less inclined to outsource. Because you’d say, “I want my own people to be responsible if things go wrong. I want it to be under my direct purview. That way I can control it.”
Matt: Track record matters, too. If you have a high-performing internal team that has a strong track record of success, you’d be more inclined to leave them in place.
Q: How do you know if your team is high-performing? What does “quality” look like when it comes to security operations?
Dave: Predictability and consistency are important. You need to be on the same page as your vendor about what your objectives are, and then ensure that the vendor is consistently helping you meet those objectives. You’re relying on your vendor to stay current with the threat landscape, with tools and technologies and how they’re changing. Attackers are constantly upping their game. The vendor should be anticipating the clients’ needs in the face of current threats, so that the client can focus on their business.
Matt: Objective measures of quality are really difficult. Someone could be meeting all of their service level agreements (SLAs) without really bringing expertise or concern for quality to the table. A few years ago, I had knee surgery. My surgeon did somewhere between ten and 20 knees every Friday. Would you rather go to a surgeon who does 20 knees every Friday or 20 knees a year? So, experience carries weight. But so does doing the work with care and concern.
Kevin: Taking a risk-based approach is critical. That means having everyone – from your outsourced security vendor to your in-house security architects, to executive leadership – all be on the same page in terms of what results you expect from the security operations program. And asking what security improvements a CISO advisor could make to improve your security posture overall. Of course, that’s a circular thing. It’ll always be evolving as security trends change and better tools and more effective attack techniques come into being.
Dave: When you think about security operations being outsourced, it’s not usually cost that’s the primary driver. It’s usually access to expertise. Expertise and technology need to be applied to actually solve a problem rather than just making something cheaper. In my opinion, quality will always be one of the higher priorities when it comes to outsourcing security.
These days, we’re starting to see senior leadership take their responsibilities more seriously. They’ve long been responsible for ensuring that controllership is sound and that fiscal responsibility is being exercised. Now, they’re realizing that they have an obligation to inquire and challenge to make sure that security is being managed properly in their organization. Because, regardless of SLAs, contractual letdowns can happen if the approach is derelict. It’s crucial for the leadership team to know that the business is managing risk appropriately.
Growing amounts of research confirm that companies that operate with strong controls tend to perform better financially than those that are not investing in security. There are very few situations where some degree of outsourcing doesn’t just make good business sense.