Outsourcing information security

The unfamiliar territory and complexity of security often results in a typical human response: make it someone else’s problem

The need to keep information secure is not a recent development. To satisfy this need, most organisations construct a list of security requirements based on common sense. This has proven fairly effective with simple and well understood media such as pen and paper. As information management (and its security) has become more complex in nature, the likelihood of a gap in that common sense list of requirements has increased.

The relative decrease in common understanding of how an organisation's information is recorded, manipulated, stored and erased makes it difficult to identify a complete set of security requirements to protect it. The unfamiliar territory and undesirable complexity often results in a fairly typical human response -- make it someone else's problem.

Effective outsourcing: An introduction

Effective outsourcing of any business function requires that said function is defined, appraised and its inputs/outputs established. Using this information an organisation can approach the market and clearly specify the scope of what it needs and what deliverables are expected. Understanding the value of the function facilitates the cost/benefit analysis. Said analysis should justify the outsourcing and take into account the cost of selecting the better provider.

Defining all attributes in monetary terms is difficult, but if this could be done any business function should net a positive return and the best provider of that function is the one (internal or external) that provides the highest positive return.Well defined by Wikipedia, "Information security means protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction".

Given information systems are increasingly of a technical nature, the solution that protects them often involves technical security products such as antivirus, firewalls and intrusion detection; or technical security services such as security event management, penetration testing and incident response. While products and services can be a significant component in an organisation's security solution, they alone should not be what defines it.

Buying something that "does" security, is like buying something that does food preparation. You may be lucky and stumble across the one tool that meets all your needs, but most people would like more influence over what they have for dinner than, "I bought a fork".

The problem

The domain of information security is the aggregate of subsets of all other domains. It arises from the need to have controls in place that ensure all domains operate correctly. It is empowered through governing documents such as policies, standards and guidelines; and is funded ideally through an organisation's executive committee.

Often (particularly in smaller companies) security is instead funded indirectly by the department under which it resides. Due to the nature of the information security domain, it is extremely difficult to outsource.

Outsourcing components of information security is achievable, but often there is a significant gap between the intent of an outsourcing and what it results in. As information systems have become more technical in nature, the number of ways in which they can operate incorrectly has increased. The methods for detecting incorrect operation require more specialist knowledge and thus are less widely understood.

If George writes down a request for product on a purchase order and signs it, most recognise the order is as good as the signature and so require that it be validated by a witness or prior knowledge. (Not to mention the common law supporting correct practice).

If, however, George emails a purchase order number, most will not appreciate that email can be forged unless signed using a valid asymmetric cipher and a key of appropriate length, validated by a PKI hierarchy of suitable repute. If a malicious party is controlling George's PC, there certainly isn't a courtroom that will be able to review all of George's countermeasures and decide whether he is to blame or not for the fake purchase order. (Risking inconsistencies and flawed reasoning in common law).

In short the appropriateness of information security practices are harder for the masses to understand. (Adequate legislation would simply provide another authority no one understands.) As with all other domains, businesses need to decide what is their suitable level of investment in information security.

Factors that contribute to such decisions include legal obligations, cost/benefit analysis, risk analysis and less tangible benefits such as ethical obligations. Unfortunately, applying each of these factors to technology requires an understanding of the technology and the operational practices that support it. A person with this level of understanding is rarely empowered with significant delegated financial authority.

To allow delegated financial authorities to effectively fund information security without having to understand the underpinning technology, relevant factors are often translated into commonly understood currency such as risk and money. This translation is however often incomplete and always requires further interpretation.

It is very difficult to place a dollar value on publishing an advisories page on your website to decrease the possibility of a phishing attack. If risk analysis is used then the likelihood of a phishing attack is largely irrelevant as the impact could be the total loss of all information assets (Impact = "Catastrophic") and thus the risk rating is "Extreme" for all but the rarest of events.With such a hobbled method for decision making and an apparent risk to the business, it is commonplace to take the view that it is better to do something rather than nothing.

Firewalls are purchased and IDS installed at great expense. A lot of the countermeasures purchased may meet an obvious requirement to the trained engineer, but the level of investment is often not balanced. In the interests of doing something an appliance may be purchased. The level of risk may warrant a significant allocation of funds, but it often isn't achievable to distribute those funds across all desirable initiatives. Initiatives can be complex in themselves or the impact of them difficult to grasp (for example the advisories page).

Delivering an appliance gives the business something tangible for its money and doesn't require further explanation. The appliances demonstrates that something is being done and gives a line item on a budget demonstrating that the business is addressing security. All organisations at one time or another need to reduce costs or at the very least review expenditure. Information security is not exempt from this (and nor should it be) so a delegated financial authority once again looks at the line item for the appliance that was purchased to "do security".

Due diligence requires that cheaper alternatives such as outsourcing be considered. Often outsourcing appears a cheaper alternative to said appliance and so is selected as the path forward.Information about what justified the appliance in the first place is incomplete and the additional controls [potentially] required to outsource its function aren't quantified. And so a cheaper, rounder peg is used to fill an ill defined square hole. It is of little surprise that information and information systems are not well protected in a lot of organisations.

Join the CSO newsletter!

Error: Please check your email address.

Tags outsourcingManaged security servicessecurity

More about etworkToyota Motor Corp AustWikipedia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Simon Burson

Latest Videos

More videos

Blog Posts