FREEDOM AND SAFETY
Security teams need more advanced people than they can find or afford. For many, outsourcing has become key to bridging the skills gap and addressing tasks they lack budget or talent to do.
Dark Reading's report "Surviving the IT Security Skills Shortage" found 45% of businesses don't outsource any of their security functions. Nearly 30% outsource a few hard-to-find skills and services, and 22% outsource some security functions while relying on third-party service providers for others. Six percent outsource most of their security tasks to third parties.
It's possible to outsource just about any security function, says IP Architects president John Pironti, but just because you can outsource doesn't mean you should. The question, he says, is where you want your team to focus its time and attention.
"You have to calibrate expectations of what a third party will provide," he explains. "They will not have the same interest or passion in your world as you will."
Some security functions are best left in-house, Pironti adds, because they require intimate knowledge of business infrastructure and processes. Organizations will continue to master this balance as security threats evolve and multiply.
Outsourcing is more involved than simply passing off responsibilities to other people, adds Ryan LaSalle, global managing director for growth and strategy at Accenture. You have to work with providers to manage the functions you're outsourcing and how they're being performed.
No matter which functions you outsource, it's critical to define expectations and processes for your partner firm, says Pat Patterson, VP of enterprise security solutions at Optiv. Most of the time, companies end up disappointed because they didn't communicate what they needed.
"The better you as a customer can define expectations and requirements, the more prepared you will be to leverage that relationship," he explains.
Which functions to outsource, and which to handle in-house? Read on to see the experts' list of the most common and beneficial security functions to outsource, as well as the tasks that should be kept in-house.
As businesses prioritize their security functions, they'll try to offload the highest-volume operations that are furthest from the core business, says LaSalle. Many security teams strapped for resources extend coverage by outsourcing all or part of their security operations center, paying outside firms to monitor their networks so internal staff don't have to.
"We still see a lot of people outsourcing their eyes-on-glass functionality when it comes to network and security monitoring," explains Patterson. Larger companies have full-time staff for lesser-skilled positions like these, but most businesses can't afford to have eyes on the network 24 hours a day, seven days a week.
"It's a no-brainer to have a third party do that," he adds. "It's hard for a lot of CISOs to justify having a security operations center around the clock, and it makes more sense to have a firm do it."
In a legacy security environment, customers received a daily list of 12 to 15 events, says LaSalle. Now businesses process millions of events, 10 of which will be worth investigating, and eight of which might be false positives. That is a lot of tedious work, and it is hard to justify allocating it to full-time employees.
Security monitoring is gaining popularity with college students, whom Patterson says security teams increasingly recruit to monitor their networks. Many students are learning that if they can work in a SOC with a strong security team while in college, they'll have an easier time getting a job with that company, or another company, after they graduate.
If a critical flaw is found on the network, companies may outsource help in managing and resolving it, says LaSalle.
"It's not just the scans but the process of resolving high-priority vulnerabilities," he explains. "Most companies aren't good at that. Finding a partner who can help with fixes is a big help in getting the basics right."
Pironti adds that when collecting and processing threat intelligence, there are some situations where it's better to redact log data before you send it to a sourcing provider. While you want to have some degree of trust they can do it better, "you want to reduce areas where data can be compromised as much as possible," he explains.
LaSalle speaks to the evolution from application security testing to DevSecOps, which more companies are outsourcing as application security becomes more important.
With legacy testing, each application would go through a series of tests to weed out the bugs. There were milestones in the dev process: the development team would get a bug report, figure out how to fix the problems, and get the app working again. Companies would release about two or three versions of the application each year, he says.
Now businesses are moving to DevSecOps, a more continuous process driving up to 400 releases each year. The scanning and testing of each application, and the integration with developers, is faster and more incremental. Businesses have to be more data-driven so they can communicate their needs to outsourcing providers and understand what's coming through the pipeline.
"The security team can't possibly scale to the size of a digital team, and in order to really provide metrics and testing tools, the security team needs a partner," LaSalle explains. "If the security team has 30 people and the CTO has 1,500 developers, how do you possibly keep up with the pace of what they're trying to do?"
The outsourcing spectrum is bookended by high-volume functions like network monitoring on one end, and low-volume, specialized functions like forensics on the other. It's common to have an outside firm handle the latter because it requires pricey experts.
"Highly skilled positions, where someone needs to get into the guts and forensics, that's where talent is hard to find and expensive," says Patterson. As with high-volume operations, some large corporations have staff for this but most small- to medium-sized businesses can't afford it. For many, it helps to trust advanced pros rather than try to handle everything themselves.
"It's easy to hand off something that's highly skilled because they know what they're supposed to be doing better than you do," he adds. However, even if you don't have a forensics expert on your team, you'll need an engineer with intimate knowledge of your network to provide information to third parties.
If you're going to be doing anything that involves litigation, it's better to have a third party helping with it, says Pironti. It's better to have a vendor contracted through legal counsel, along with some involvement from internal staff, to reduce the insider threat and insider activity. Businesses engaging in litigation must ensure everything is kept under privilege, he adds.
Security teams are looking to outsource identity governance to limit access rights and privileges, so employees only have the access they need to do their jobs. Businesses can't keep up with this, says LaSalle, and their shortcomings are driving security risk.
"They're not good at it, they don't prioritize it, and it's probably the attackers' best insertion point to get access to people who have more privilege than they need," LaSalle explains. "It should be the manager's job to make that happen, but the outsourcer's job to make sure that process is as easy as possible."
Experts agree it's beneficial to consult outside sources for incident response, but businesses should avoid fully outsourcing breach remediation. In-house staff will always need to be involved because external sources don't have the same familiarity with your business, Pironti explains.
When a security breach or virus outbreak hits, a third party can alert you to suspicious activity but can't figure out the network design and jump-start remediation, says Patterson. That's something only your internal engineers can do because they deeply know the network. Remediation is not so much about technical skills as it is about knowledge of the environment.
"You have to have some institutional knowledge of your own environment on staff," he says, explaining how a business can hire one outside firm to build its network and another to monitor for an intrusion. If it doesn't have someone to glue those things together, however, it'll increase the time it takes to remediate in the event of a breach.
Anything that requires the business judgement of the risk you're taking cannot be outsourced, says LaSalle. Core functions like security strategy, architecture, and policy should be kept in-house, as should the responsibility of managing and executing programs through completion.
"At the end of the day, the security team has to handle business risk," he notes. "You can't outsource that."
If you need help with architecture and design, Pironti advises consulting resources rather than outsourcing the entire job. "Decision-making around security should never be outsourced," he adds. "Anything you source, you should be able to bring back in-house if you have to."
Businesses will increasingly outsource a variety of specialty skills like threat hunting and managed detection and response.
"We see customers trying to build their own hunt team, looking analytically from a threat perspective and seeing threats already present," says LaSalle. "But it's a hard thing to do well, and more customers will come to an outsourcing provider to do that for them."
Going forward, artificial intelligence and machine learning may eventually take over some more basic functionalities, Patterson anticipates. Attacks aren't going away, and responsible companies want eyes on their networks 24/7.
"I think some of the automation and orchestration functionalities coming into technology, tools that can automate tier 1, as well as some artificial intelligence and analytics, some of those pieces are going to reduce the need for eyes on glass," he says.