Kris Budnik believes outsourcing information security is becoming more common because of a lack of access to in-house expertise.
Outsourcing the information security function is almost inevitable in the current business landscape.
This is according to Kris Budnik, MD of Slva Information Security, speaking at ITWeb Security Summit 2016, at Vodacom World in Midrand yesterday.
“We are starting to get used to outsourcing the information security function. There are many reasons for this but I think the biggest one is access to expertise. It is so hard to find security resources and it’s even harder to retain them.”
He said it is difficult to find capable security people, and that hiring and retaining them is also becoming increasingly expensive.
“Daily I struggle to find security resources and I’m in the security business. It’s so difficult to put a good security team together, never mind finding the all-singing, all-dancing, Swiss army knife type of individual to fulfil the security function in the organisation.”
He said organisations need to understand how to deploy and when to deploy the relevant security team resource and also to acknowledge this is actually going to require a team – “you can no longer run security as a one man show”.
This is where outsourcing comes into play. However, he said there are many important things to consider when deciding whether to outsource the information security function. Issues to contemplate include how quickly the outsourced service will provide answers and how quickly security incidents can be identified and addressed.
“If the time-frame is longer than three months, then you are in the wrong direction. You need to expect fairly quick results or it’s not going to pay for itself.”
Keys to the kingdom
He said when debates over security outsourcing begin, invariably people argue companies can’t outsource because they are giving away the keys to the kingdom.
“But you do that every day. Every time you go to a mall to do some shopping, who is looking after your security there? It’s not the mall, it’s outsourced. Your armed response at your house is an outsourced function. Many important things are outsourced to specialist organisations that have scale. So why can’t we do that in the corporate environment?” he argued.
He also pointed out that even independent directors sitting on company boards are technically outsourced service providers.
“It’s strange that somehow that is ok, but we are uncomfortable outsourcing the IT security functions of an organisation. We must remember there is also value in having that independent perspective.”
Budnik said if done right, outsourcing can lower costs, but if done badly it will become very expensive.
He said once companies understand their in-house capabilities and capacity, they can consider the services they may wish to outsource – and there are many to choose from. These include application security testing and vulnerability management, secure Web gateway services, secure e-mail services and end-point protection.
“Security managed services are the quickest and most valuable service you can outsource.”
He pointed out many of these services can be more cost-effective and efficient if they are done through an outsourced group rather than in-house.
Budnik said there are many positives to outsourcing IT security, or at least portions of it, but in the end it is up to each organisation to make the decision based on its available resources.
“A bad chief information security officer is worse than none at all.”
He did, however, advise against using the same service provider for outsourced security management (the advisory and oversight role) and for outsourced managed security services (the operational role), to avoid any conflict of interest between the party doing the work and the party judging it.
Budnik also warned against believing “brochure-ware” that is full of buzzwords but offers little value, and stressed how critical choosing an outsource partner is.
He said companies should not commit to long-term contracts with service providers, and vet them well by getting references and talking to existing users.
“At the end of the day, you outsource the activity but you still need to monitor effectiveness, so you need to be able to analyse what the service provider is doing for you.”