Following the earlier article on why organizations should outsource security services, this post offers some further considerations.
Adding an external IT service provider to your company's IT service portfolio requires a number of considerations and arrangements. This post is not comprehensive, but it lists important action items to consider when searching for a new security service provider.
Remote Access for the Service Provider: Depending on where the service provider's IT infrastructure is hosted and which other systems its operational staff will need to reach, you may have to arrange remote access into your company's network. All network traffic between the service provider and your company should be encrypted, and the provider's operational staff should be restricted to the systems the service actually requires; they should not be able to reach other systems on your company's network. Your company's network management department should be able to provide an appropriate solution for this.
Non-Disclosure Agreement: Although the service provider's operational staff will presumably not have access to your company's business systems (e.g. SAP) or other systems storing confidential company information, the support staff will have visibility into information that should not be shared. A Non-Disclosure Agreement (NDA) should therefore be a standard element of every service contract with an external provider. If the provider uses freelancers or subcontracts third parties to deliver services to you, the provider is responsible for ensuring that they adhere to the NDA as well. Your company's legal department should be able to provide guidance and set up the NDA.
Outsourcing Consultancy Support: Engaging an external service provider and agreeing on a contract has many facets and pitfalls. Unless you have sufficient experience in this area, consider hiring professional consultancy support to accompany you through the process. In particular, when formulating service descriptions and defining SLA targets, penalties and a cost model, consultants can draw on their experience with other clients to decide what makes sense for you.
Are you still unhappy?
Have you basically followed the steps described above but are still not satisfied with the service?
The reasons vary from case to case, but a few common pitfalls are:
- You receive mainly technical output from the service, which is difficult to understand.
- You receive so much output from the service that you can’t distinguish between critical and unimportant issues.
- Your mailbox gets flooded with reports and other service-related messages and notifications.
- The agreed metrics for the managed security service have limited security value.
- The agreed service deliverables are no longer sufficient and need to be amended.
- The service delivers false positives but nobody identifies and eliminates them.
- You receive multiple services and have multiple points of contact, possibly in different geographical regions and time zones.
- The response time of the support staff for non-standard issues is slow.
- The quality of the support staff's feedback on non-standard issues and questions is poor.
- A change made by your security service provider outside your company's change management process caused adverse impact to your production environment.
- You need technical assistance but your provider’s contact is purely commercial.
- You are dissatisfied with your provider’s support for and contribution to security incident handling, security investigations and audits.
The above are indications that you are not receiving a fully managed security service.
A common approach among security service providers is to deliver "standardized" services: deliverables that are the same or similar for many clients and that can be produced automatically by the security software, either through functionality provided out of the box or through features added by subject matter experts and made available to the operational team.
The more standardized the service, the lower the cost of delivering it, provided the client accepts the standard deliverables. On the other hand, security software with mature, ready-to-use out-of-the-box capabilities is usually more expensive than software that needs additional engineering effort to tailor its output and behavior to your needs.
Another common approach is to share support staff and/or the underlying hardware and software across several clients, to the extent that each client's security requirements and restrictions permit.
Another important way to reduce the overall service cost is to use support staff in low-cost locations with less work experience. Their knowledge is often limited to handling the one tool that provides the security service. Usually they have received basic product training, and their responsibility is limited to operating the tool and producing its output. They have no deeper knowledge of information security in general, and especially not of information security management.
This is acceptable and can produce the desired output of the security software, but it is not sufficient for a professional security service whose objective is to satisfy demanding clients.
Clients purchase security services in order to gain a better understanding of their company's risk posture and to reduce that risk to a level acceptable to the board of directors. Consequently, a security service that wants to provide value to the client must never be limited to technical deliverables. The service deliverables must fit into the client's risk management and security governance model, and this is the point where standardization efforts reach their limits.
In a globalized world, with rapidly changing technologies, threat landscapes and legal and regulatory requirements, clients of a security service will need more and more assistance of security professionals who:
- Have a solid understanding of the fundamentals of information security and risk management, which enables them to understand the client security requirements;
- Are able to translate these requirements into the configuration of the security services;
- Work with the provider's operational staff to set up and operate the security services accordingly;
- Understand, interpret and correlate the output of the security services;
- Report and explain output to the client, and
- Derive and recommend to the client risk-mitigation and security-improvement strategies and activities.
In summary, a professional security service must include an additional "layer of intelligence" that acts as a facilitator between the client's security and compliance requirements and its information security and risk management personnel on one side, and the provider's more technically oriented security services on the other.
This "layer of intelligence" should be part of the security service offering right from the beginning. How many people are required to staff it adequately depends on many factors, including the number of purchased security services and the size and complexity of the client environment. Without such a capability, the benefit of the security services to the client is reduced and many expectations are never met.