Outsourcing Security Operations: Some basic considerations.
- Outsourcing Security operations is commonly discussed and desired, but security departments lack understanding of their business function aligned with the needs and expectations of the organization.
- Security departments have no clear understanding of the components that could be outsourced and lack in-depth understanding of the actual impact on the overall organization.
Recommendations
- Achieve proper insight into the business security requirements of your organization and define what purpose the security organization will serve
- Encompass your current and planned security operations capabilities as a foundation for the decision on what to outsource or operate in-house
How to identify the optimal operational model for your security Operations functions
Nowadays most organizations heavily rely on information technology systems supporting their day to day operations. These systems must be available and should support the requirements for integrity, confidentiality, availability and auditability for the information they process and hold.
Security Operations should provide insight into the behavior and activities of applications, systems and networking infrastructure. To achieve this outcome, security operations departments rely on supporting technology and properly skilled resources to run, maintain and monitor these assets, supported by adequate processes. These resources can be fully owned and managed in-house (on-premises or in a cloud) or outsourced to external service providers.
Every organization will have specific demands and will face unique (and not so unique) challenges. These challenges are defined by their line of business, geographical and geopolitical requirements and other various external influences. It is crucial to find the right balance between outsourced and in-house operation of the security capability components.
A key element, before making any decision, is to understand your business goals towards security operations. Frequently there is no clear or communicated mission, and security operations are regarded as an “IT-Problem” rather than as a business risk.
Business leaders should realize that, as business is increasingly digitized, it is exposed to a growing number of threats. They need to understand the impact of a business-damaging or interruptive security event.
This clearly shows:
Business should be involved in the decision on how to find the proper mix of outsourced and in-house operated security operations functions.
Achieve proper insight into the business security requirements of your organization and define what purpose the security organization will serve
Before we can start looking at the tactical options for defining an optimal solution, it’s imperative to understand some core elements of your organization and to map available resources to meet your goals. The function should be able to provide proof of due diligence towards security operations, including but not limited to supporting regulatory and audit requirements. It should also be able to detect and respond to attacks in a timely manner, and it has the responsibility to reduce negative impact on the organization, including its reputation.
Typical Core Elements to look at
Often security operations are positioned in the company’s IT department. Security operational functions are often financed from shared available funding. It’s important to understand how this funding is calculated and to confirm that security operations functions are already sufficiently considered. Ensure you identify enough sponsors and stakeholders, and check whether other projects can contribute or support. Acknowledge that developing an in-house capability will require higher capital expenditures during the realization phase. Assets need to be acquired or built and will consume operational expenditures once they are in service. Outsourcing leans on operational expenditures, resulting in a much lower in-house investment. Additionally, other internal and external factors will influence the available budget. A recent breach or high-profile attack targeting your industry is often a great motivator leading towards an increased budget. Nevertheless, the economic health of your organization is often the leading factor.
Organizational facts that have influence on your decision
The organizational culture, size, location and sector are important factors.
Culture matters, and in combination with other facts, like the organization’s sector and size, it will define what approaches are achievable. An organization with a strict hierarchical setup like Defense, Intelligence or Law-Enforcement will display a different culture based on its sector versus an organization operating in a creative industry. Therefore, fitting security controls will have to be designed in a different way. These controls will have a strong influence on the operating models that are feasible. -Figure 1-
The size of your organization and its geographic distribution are relevant factors. Larger organizations are more likely to have a larger variety of security requirements, like 24x7 operations, and a larger budget can be expected. Smaller companies will probably require a reduced scope while utilizing a limited budget. Also, depending on the organization’s sector, various regulatory and compliance needs call for special security controls. When you consider outsourcing, select a provider that can demonstrate its experience and confirm a proven track record of providing services to your sector’s peers.
Identify your in-house expertise and interfaces
It is of minor significance whether you build an in-house capability or opt for a partial (hybrid) or fully outsourced model; you will have to determine what level of expertise is available.
Resources that can demonstrate a clear understanding of your organization are mandatory. These resources know how to create interfaces between the business and your security operations capability. Many managed security providers can bring excellent security expertise and experience to the table. Nevertheless, they are limited to their catalogue of standardized services. It’s your responsibility to identify the tasks and processes that are optimal for outsourcing. Make sure your provider can deliver the best value while existing internal resources connect the dots. An example of a high-level hybrid solution model is shown below in -Figure 2-
Existing technology, suppliers and relationships
If your standard IT operations are already (partly) outsourced, you should verify whether security operations services are also part of the provider’s overall offering. The benefit here is that many aspects required for proper collaboration have already been evaluated. It’s to be expected that your IT MSSP will have excellent insight into the technology they provide. They can serve as a SPOC regarding the data you need for security operations in relation to their services, hence minimizing alignment and communication overhead. When your provider does not offer security operations services, they can support you with the selection of a proper vendor, as they will have a track record with peer organizations. It’s also worth checking with your upstream management. There could be a preference for a certain supplier, based on relationships they developed over time. Additionally, this will support you in finding sponsors and stakeholders.
Future demands for security operations
After analyzing your environment and your current needs, you must realize that these must be constantly aligned to the changing demands of your organization. Also, your security operations department will undergo permanent changes due to the ever-evolving threat landscape. An in-house or outsourced capability should be ready to scale with your changing needs.
Encompass your current and planned security operations capabilities as a foundation for the decision on what to outsource or operate in-house
Insight and planning are the keys to success. Before you decide on an operational model, select the services you are going to provide to your organization as these are the stepping stones that determine all your needs.
Security operations cannot be built in one day, and not all capabilities are necessary in the beginning. Achieve a solid basic operation before moving towards the more complex and advanced parts. A step-by-step maturity roadmap will support you here. Start with elemental foundational components and processes. They are the foundations on which the more advanced functions will be deployed.
Your overall strategy might be to outsource your entire IT operation, but you will remain accountable for, and the owner of, all related risks.
Most security operations service providers will offer standardized services like security monitoring and parts of security engineering, and some can actively support incident response activities. Additional services like staff augmentation, emergency response support, forensics and malware-analytics are offerings that can add extra value when needed. All further customization or deviation from the offered standard services will create extra overhead and complexity. Security operations service providers will charge these to the customers.
The selection of a suitable model for your security operations introduces complexity. It goes beyond looking at the financial aspects and available resources. You need to define the various aspects to be considered and determine what works best for your organization’s individual situation.
Recommendations and action points:
It’s important to understand that every organization will bring unique demands to the table and cannot be directly compared to an industry peer or an organization of a similar size.
- Achieve proper insight into your current and future operation; this is the starting point in making the right choice.
- In-house capabilities are complex and expensive, but they are much more closely aligned to the business, as the resources know the characteristics of the environment. Nevertheless, many organizations will benefit from a proper mix of outsourced and in-house capabilities.
- Start by developing basic standardized and repeatable tasks and processes before you continue with the more advanced topics.
- It’s crucial to bring business stakeholders and their needs into the equation.
- Evangelize that providing quality security is not solely a technical IT task.
- Evaluate your services on a regular basis and make sure you can switch to a more fitting operational model that suits your needs best. Avoid long-term vendor lock-in.