2016-04-28

Following the first article about why organizations should outsource security services, in this post I would like to address some further considerations.

Adding external IT service providers to your company’s IT service portfolio requires many more considerations and arrangements. It is not the intention of this article to be comprehensive in this regard, because many aspects are outside the information security scope. Therefore the following covers just a few more, but important, action items to consider when searching for a new security service provider.

Remote Access for Service Provider: Depending on where the IT infrastructure of the service provider is hosted, and on which other systems the service provider’s operational staff will need access to, you have to arrange for remote access capabilities into your company’s network. Typically all network traffic between the service provider and your company must be encrypted. In addition, you will usually not want the service provider’s operational staff to have access to any systems on your company’s network other than those in scope for their service. Your company’s network management department should be able to provide an appropriate solution for this.

Non-Disclosure Agreement: Although the service provider’s operational staff will presumably not have access to your company’s business systems (e.g. SAP) or other systems storing company confidential information, there will be information visible to the support staff which you do not want them to share with anybody else. Therefore a Non-Disclosure Agreement (NDA) is a standard element of a service contract with external service providers. If they make use of freelancers or subcontract other third parties to deliver the service to you, they are responsible for ensuring that these staff also adhere to the NDA. Your company’s legal department should be able to provide guidance and set up such an NDA.

Outsourcing Consultancy Support: As the many aspects discussed in this article make obvious, engaging an external service provider and agreeing on a contract that shall deliver a security service of good quality has many facets and pitfalls. Unless you have gathered sufficient experience in this business, you should consider hiring professional consultants who accompany you during this process. In particular when it comes to formulating service descriptions and defining SLA targets, penalties, and a cost model, they have usually gathered a lot of experience with other clients of what makes sense and what does not.

Are you still unhappy?

Are you saying that you have basically followed the steps described in this article, but you are still not satisfied with the service that your security service provider delivers to you?

The reasons for such complaints vary from case to case. A few potential reasons are given below, a combination of which may well match your experience.

You receive mainly technical output from the service which is difficult to understand?

You receive so much output from the service that you can’t distinguish between critical and unimportant issues?

Your mailbox gets flooded with reports and other service related messages and notifications?

The agreed metrics for the managed security service have limited security value?

The agreed service deliverables are no longer sufficient and need to be amended?

The service delivers false positives but nobody identifies and eliminates them?

You receive multiple services and have multiple points of contact, possibly in different geographical regions and time zones?

The response time of the support staff for non-standard issues is slow?

The quality of feedback of the support staff to non-standard issues and questions is bad?

A change made by your security service provider that did not follow your company’s change management processes caused an adverse impact on your production environment?

You need technical assistance but your provider’s contact is purely commercial?

You are dissatisfied with your provider’s support for and contribution to security incident handling, security investigations, and audits?

All the above are indications that you do not receive a fully managed security service.

A common approach of security service providers is to deliver services that are “standardized” as much as possible. “Standardized” in this context means that the service deliverables are the same or similar for many of their clients, and that as much as possible of the deliverables can be produced automatically by the capabilities of the security software, either by functionality provided out-of-the-box, or by features added by subject matter experts and made available to the operational team. The better the service is standardized, the smaller the cost for delivering the service, provided that the client accepts the standard deliverables. On the other hand, security software with mature and ready-to-use out-of-the-box capabilities is usually more expensive than software into which you need to put additional engineering effort to tailor its output and behavior to your needs.

Another common approach to offering cost-competitive services is to share support staff and/or the underlying hardware and software across clients, depending on client security requirements and restrictions.

Another important factor in reducing the overall service cost is to use support staff from low-cost countries with less work experience. Their knowledge is often limited to the handling of the one tool with which the security service is provided. Usually they have received basic product training. Their responsibility is limited to operating the tool and producing the output that subject matter experts implemented at the point in time when the service was designed. They have no deeper knowledge about information security in general, and especially not about information security management. In particular, their job description does not foresee a client-facing position, and they lack professional experience of working in global and complex IT operational environments.

This is acceptable, and not to be criticized, for the purpose of producing the desired output of the security software; however, it is by far not sufficient for providing a professional security service with the objective of satisfying demanding clients.

The main reason why clients choose to purchase security services is the need to get a better understanding of the risk posture their company is operating at, and to reduce this risk to a level acceptable to the board of directors. Consequently, a security service must never be limited to technical deliverables if it wants to succeed in providing value to the client. The service deliverables must fit into the risk management and security governance model of the client, and this is the point where standardization efforts reach their limitations.

In a globalized world with rapidly changing technologies, threat landscapes, and legal and regulatory requirements, clients of a security service will need more and more assistance of security professionals who

have a solid understanding of the fundamentals of information security and risk management, which enables them to understand the client security requirements,

are able to translate these requirements into the configuration of the security services,

work with the provider’s operational staff to set up and operate the security services accordingly,

understand, interpret and correlate the output of the security services,

report and explain these results to the client, and

derive and recommend to the client risk mitigation and security improvement strategies and activities.

In summary, a professional security service must include an additional “layer of intelligence” that acts as a facilitator between the client’s security and compliance requirements and its information security and risk management personnel on the one side, and the provider’s more technically oriented security services on the other side. This additional “layer of intelligence” should be part of the security service offering right from the beginning. How many staff are required to sufficiently fill this position depends on many factors, such as the number of purchased security services and the size and complexity of the client environment. Without such a capability, the benefit of the security services for the client will be reduced and many of the client’s expectations will never be met.
