As I talk to CISOs and CIOs I find that there are many misconceptions about outsourcing security. Here are the most common ones that I come across:
- Outsourcing security is cheaper than doing it internally. Cost is usually the one of the reasons business gets interested to outsource but Forrester has consistently found that for security managers cost is not the primary reason they want to outsource. and outsourcing may not always lead to lower costs. In fact many companies end up spending more in the outsourcing scenario. They are willing to pay a higher cost because they gain competencies and get additional capabilities such as 24×7 monitoring or compliance reporting.
- Outsourcing security means transferring risk. You can transfer the responsibility but not the accountability when you outsource. A careful consideration must be paid to the risk management aspect of the outsourcing deal. You will never be able to transfer all the risk of data protection to your outsourcer but you can limit the amount of risk you take by developing right to audit clauses, Service level agreements and limited liability provisions in the contracts.
- Since security services are getting commoditized, hire an outsourcer with the lowest cost. The complexity, scope, duration, and business risk of an outsourcing deal dwarf most hardware or software procurement contracts. Handing over a critical business process or technology to a third party changes the risk profile of the firm. You have to look beyond the technical capabilities while evaluating vendors. Think of it more like a partnership where alignment in corporate cultures and philosophies plays a significant role in the success of the relationship.
- If my security operations are in a mess outsourcing security help. The famous adage garbage in – garbage out applies here. If your security processes and operations are a mess, outsourcing them will not solve the problem. It is important to establish security processes and strengthen your operations before you outsource security. Outsourcing may help improve operational control, but the chances of success are increased if the firm has a clear understanding of the processes, expectations and deliverables.
- Outsourcing security is the quickest way to get security controls implemented. Prepare for a marathon, not a sprint. Doing a security outsourcing deal takes stamina and persistence over a fairly long period of time that can sometimes be compressed, but usually with increased risk. Prepare yourself and your teams for the long haul by connecting first to the business strategies of the firm and building from there. It is appropriate to plan for some quick wins but it takes time for the outsourcing relationship to mature. Companies that have successfully outsourced security operations typically report that it takes them six to eighteen months to really normalize the outsourcing relationship.
Outsourcing security is not for everyone and for every scenario, so before jumping on the outsourcing bandwagon, pay careful consideration to the impact of outsourcing in a particular situation. More importantly have very realistic expectations of the relationship. It is important to do the due diligence and ensure appropriate provisions are part of the contract, but it is much more important to trust your provider and work on the relationship. Think of it as a marriage – you have work on it and have to be patient.