An increasing number of organisations are outsourcing security to reduce costs and raise security standards.
Research figures from
PA Consulting found that 68 percent of organisations see cost reduction as the top reason for outsourcing, while 57 percent say access to resources.
Businesses have various options for outsourcing security – including opting for managed and hosted services. These are ideal for organisations without the necessary tools, resources and budgets to tackle these issues in-house.
A common way to outsource is to use a managed security service provider (MSSP) that can provide a range of services including enterprise-grade content filtering, VPNs and data backup. We look at the best practices for outsourcing security and the steps on where to begin.
Additional reporting by Hannah Williams.
July 30, 2018
1. Take your costs into account
Some businesses lack the resources, budget and skills to perform all security functions in-house.
But before deciding on a particular security plan, reviewing the budget is a vital step. This gives organisations a better understanding of their overall costs and how much security protection they can afford.
A necessary part of this step is collaborating with both finance executives and member of the IT team, as well as the dedicated security team - if you have one. This process can highlight important areas of improvement in the area of security, while also shaping an effective outsourcing strategy within budgetary limits.
The use of an MSSP can guarantee the organisation 24/7 coverage from highly trained professionals, while also granting maximum protection for company, employee and customer information.
Businesses need to weigh the cost of a security breach against the cost of outsourcing. In some organisations, it may be worth hiring an MSSP that can keep operational costs down while bringing in specific skills your organisation may be lacking.
4. Have regular penetration tests
According to a 2017 Harvey Nash survey,
a third of organisations had been subject to a major security incident in the past 24 months.
The term 'penetration testing' refers to an authorised simulated attack on a computer or network which tests the security of a system.
Before security is outsourced, these tests should be carried out on a regular basis to help gather information on areas of necessary improvement and other potential weaknesses. This will help an MSSP to get a better overview of the system and security requirements.
Telefonica, British Red Cross and Brussels Airlines regularly run penetration tests on their applications, platforms and systems to ensure security levels are high.
British Red Cross CIO
Rosie Slater-Carr told CIO UK: "Before the donation platform went live we went through a stress test exercise. We have penetration testing on every project we do, and are regularly looking at wider ways of a possible cyber attack.
"It is not about doing security once, it is a constant vigilance because donation data is hugely important to the people we help. We have somebody in our team whose role is solely IT security and every project has to go through an IT security gateway. Security keeps changing so what we do this week might be different to what we do next month so we can't ever tick the box of security."
5. Invest in skills
An MSSP combining security skills, experience and understanding of the organisation's security history will offer the best results. However, security teams should be well tasked to keep on top of the work of the MSSP and ever-evolving security threats.
Developing the relevant skills in-house can lead to a better relationship with outsourcing companies, while also developing better employee attitudes to security within the organisation.
According to Spiceworks,
62% of IT professionals plan to develop their security skills in 2018. Trainline, Greenwich Borough Council and Leeds Building Society are currently developing their team members' security skills. Trainline CTO Mark Holt said in his 2017 CIO 100 response: "Security is a critical concern and we want this to be a key element of our culture. To this end, all our developers are trained in secure coding practices, we have 'MacGyvers' in all clusters: individuals with additional security training who are responsible for identifying and raising security concerns, as well as being a super-local centre of excellence for security skills."
6. Decide what to outsource
An MSSP provides a range of different available services depending on the needs of your business.
Businesses can determine if the MSSP can meet its security requirements
by reading reviews and researching their previous experience.
Firewalls and VPNs are two areas commonly outsourced to MSSPs because they can be monitored 24/7.
Newer firewalls are capable of analysing network traffic behaviour and application-layer data. However, organisations moving resources into AWS and third parties can find it more difficult to stay secure. For example, AWS has a request rate limit which is calculated per account so multiple user resources will be restricted.
Security monitoring is one of the most time consuming tasks for security teams. Maintaining and reviewing security logs can be outsourced to MSSPs that offer log aggregation, to more advanced services such as analysing full security incidents and security information and event management (SIEM).