A number of colleagues have recently had to deal with outsourcing -- the outsourcing of information security itself.
CSOs often talk about defining an "appropriate" level of security. Appropriate security controls are not only effective in assuring the protection of assets/information -- they need to be cost-effective. I have a friend in Canada who once told me, "You don't put a $20,000 fence around a $200 cow." It is still one of the best pieces of advice I've ever been given. That is what information risk management is all about -- determining what controls will be appropriate.
Someone recently told me that I should encrypt all the Social Security Numbers on my internal network. I asked why and was told that it is customer non-public information (CNPI) and needed to be protected. We had just completed an audit of our internal network and the controls were found to be very effective in protecting customer information there. I asked how many of our employees had access to a customer's SSN as part of their normal duties. The answer was about 75 percent. Of the remaining 25 percent, probably 10 percent of those (or 2.5 percent total) had the ability to install a sniffer on the network and the skill to parse out SSNs as they went flying by. The cost of encrypting SSNs on our network would be about $2 million. So I asked why they wanted me to spend $2 million to prevent 2.5 percent of our employees from accessing information that was readily available elsewhere? The request was withdrawn.
I had a similar discussion recently around backup tapes. Controls around backup tapes were found to be extremely effective. So why spend several million dollars encrypting them when I could spend that money elsewhere and provide a much more significant return on investment?
So we constantly need to look at the cost of security and the value returned. We need to do the same when it comes to outsourcing security. A few short years ago, the technology skills required to install, configure and maintain network security devices like firewalls were in short supply. It made sense to have our own in-house expertise to do that. Today if we cannot do it for the same cost or lower we should seriously consider outsourcing it. That is true for a growing number of functions from assessing security at vendors, to provisioning access, to providing support for incident response.
I will need good vendor partners to help me -- ones that I can trust and depend on. I will need vendor partners that can help me whereever I need help. If I have operations in another country I will need them to be available there as well. I will need to look at what I am willing to offshore outsource, carefully assessing the risk and ensuring my ability to effectively monitor and assure the effectiveness of the controls I am allowing someone else to manage. But can it be done? Of course it can.
Do I like the idea? No. But I would rather decide what should be outsourced and define the requirements so I can be sure the outsourced functions are effective, than have it imposed on me as has happened to some of my colleagues.