An increasing number of organisations are outsourcing security to reduce costs and meet security standards.
Businesses have various options for outsourcing security – including managed and hosted services, ideal for organisations without the necessary tools, resources and budgets to tackle this problem.
A common way to outsource is to use a managed security service provider (MSSP) that can provide a range of services including enterprise-grade content filtering, VPNs and data backup. We look at the best practices for outsourcing security and the steps on where to begin.
February 28, 2018
1. Take your costs into account
Some businesses lack resources, budget and the skills to perform numerous security functions.
Reviewing the budget is vital for developing a security plan, as it gives organisations better control of their overall costs and a clear view of how much security protection they can afford.
Collaboration between finance executives and the security team, if you have one, can highlight areas for improvement while also shaping an effective outsourcing strategy that won't break the bank.
The use of an MSSP can mean the organisation has 24/7 coverage from a highly trained professional, while also protecting the company, employee and customer information.
Businesses need to weigh the cost of a security breach against the cost of outsourcing. In some organisations it may be worth hiring an MSSP that can keep operational costs down while bringing in specific skills your organisation might be lacking.
4. Have regular penetration tests
According to a 2017 Harvey Nash survey, a third of organisations have been subject to a major security incident in the past 24 months.
The term 'penetration testing' refers to an authorised simulated attack on a computer or network which evaluates the security of the system.
Before security is outsourced, these tests should be carried out on a regular basis to gather information on areas for improvement and on the problems they raise. This will help an MSSP to get a better overview of the system, as well as to break down the security work by separating serious threats from simple fixes.
Telefonica, British Red Cross and Brussels Airlines regularly run penetration tests on their applications, platforms and systems to ensure security levels are high.
Last year, British Red Cross developed a digital platform to help make donating easier with security being high on the agenda at the charity organisation.
Rosie Slater-Carr told CIO UK: "Before the donation platform went live we went through a stress test exercise. We have penetration testing on every project we do, and are regularly looking at wider ways of a possible cyber attack.
"It is not about doing security once, it is a constant vigilance because donation data is hugely important to the people we help. We have somebody in our team whose role is solely IT security and every project has to go through an IT security gateway. Security keeps changing so what we do this week might be different to what we do next month so we can't ever tick the box of security."
5. Invest in skills
An MSSP combining security skills, experience and understanding of the organisation’s security history will offer the best results. However, security teams should have up-to-date skills to ensure they can keep up with the MSSP as well as ever-evolving security threats.
Developing the relevant skills in-house can lead to a better relationship with outsourcing companies while also developing better employee attitudes to security within the organisation.
According to Spiceworks, 62% of IT professionals plan to develop their security skills in 2018. Trainline, Greenwich Borough Council and Leeds Building Society are currently developing their team members' security skills. Trainline CTO Mark Holt said in his 2017 CIO 100 response: "Security is a critical concern and we want this to be a key element of our culture. To this end, all our developers are trained in secure coding practices, we have 'MacGyvers' in all clusters: individuals with additional security training who are responsible for identifying and raising security concerns, as well as being a super-local centre of excellence for security skills."
6. Decide what to outsource
An MSSP provides a range of different services depending on the needs of your business.
Businesses can shortlist MSSPs by reading reviews and researching each provider's previous experience to help determine whether it can meet their security requirements.
Firewalls and VPNs are commonly outsourced to MSSPs as they can be monitored 24/7.
Newer firewalls are capable of analysing network traffic behaviour and application-layer data. However, organisations moving resources into AWS and other third parties can find it more difficult to stay secure. AWS applies a request rate limit that is calculated per account, so resources belonging to multiple users within the same account will be restricted by it. Outsourcing firewall and VPN management can be an effective way to reduce the workload of a security team, freeing it to focus on other aspects of security.
Security monitoring is one of the most time-consuming tasks for security teams. Maintaining and reviewing security logs can be outsourced to MSSPs, whose offerings range from log aggregation to more advanced services such as analysing full security incidents and security information and event management (SIEM).