How to Pick the Right Security Outsourcing Partner (or, Don’t Bring a Knife to a Gunfight)
There are many reasons to consider outsourcing IT security. The success of the engagement depends on matching your stakeholders’ requirements against the provider’s capability. A successful provider will both satisfy the technical requirements and meet the expectations of the stakeholders.
The broad groups into which such projects fall are:
- Risk assessments: This requires the provider to be familiar with business drivers, and to determine the overall risk appetite of the customer and the regulatory environment that applies. It may also require expert understanding of security controls in the target domain, attack methods and vulnerabilities in underlying IT infrastructure.
- Integration/Deployment: This requires expert understanding of deployment and configuration of the security technologies in consideration.
- Incident alerting: Examples include breach confirmation and remediation analysis. Incident alerting requires expert knowledge of attack methods, containment and forensic techniques using the technologies in consideration.
The expertise required by these types of projects differs; risk assessment and penetration testing are both analytic projects, but require different skills and experience. Moreover, the audience for the output of each type of work is likely different: senior management for risk assessment; IT operations staff for incident alerting. Similarly, deploying security technologies requires different capabilities when the technologies must be broadly integrated into the IT environment, in contrast to security that is implemented as a stand-alone technology.
Companies that supply security outsourcing solutions tend to be focused in the following areas:
- Assessment-oriented: These are often audit consultancies that are focused on IT security assessment as part of a compliance or risk management engagement. They fit best when senior business management is the primary stakeholder. The analysis will put IT security in the context of the broader compliance or risk environment in which the enterprise exists.
- Solution-oriented: These are usually technology providers that are best suited when the domain their security technology addresses is involved, such as SIEM for security compliance, and the stakeholders are the security or operations groups related to those domains.
Of course, there are large providers that supply every service under the IT security sun, but midsize enterprises often can ill afford them and may also suffer from their lack of focus.
As with any IT project, the steps to success are:
1. Ask yourself, “Who are the stakeholders, and what are they looking for?”
2. Select a partner that best fits these needs.
3. Measure twice and cut once.
A.N. Ananth is the CEO of EventTracker. EventTracker Cloud is a powerful System, Security and Application Monitoring service that enables IT Admins to easily monitor their IT operations from a Web-based platform. Guest blogs such as this one are published monthly and are part of MSPmentor’s annual platinum sponsorship.