Outsourcing security: Would you turn over the keys to a third party?

Years ago it would have been unthinkable to give up control of securing your most valuable assets. But for some companies the risk of handing the security keys to a third party is smaller than the prospect of facing the daily barrage of attacks on their own.

When asked why a company would cede control, many vendors said it depends on the level of staffing that company has. If the expertise is lacking, why take the chance? And if it is a small to midsize enterprise, there may simply be no budget for building a security staff to the level needed. As a result, partnering with a managed security services provider (MSSP) has become almost a must for organizations worried about data theft and the number of mobile devices entering the workplace.

MSSPs are specialists in IT security, said Alertsec’s CEO Ebba Blitz, and as they serve several clients they have the capability to be up-to-speed with advanced requests. “If a company is big enough to staff its own IT department, with the same capabilities, then they’ll most likely do that. However, if you are an SMB and don’t have the resources, then an MSSP may prove to be the better choice.”

However, Pat Patterson, vice president of strategic architecture at Optiv, wrote recently that choosing an MSSP should not be done simply to “throw the security responsibility over the fence.” “Hopefully the days are gone when security leaders believe they simply can hand their entire security monitoring and incident response programs off to third parties and expect to be successful. Engaging an MSSP will not fix a broken information security process. In fact, it can easily highlight poorly defined processes or areas where no process exists.”

Alvaro Hoyos, chief information security officer at OneLogin, said the debate over outsourcing security parallels the SaaS versus on-premise application argument, or the more recent IaaS versus build-your-own-data-center argument. Those two debates continue, but for a lot of companies the pendulum has swung toward cloud service providers.

According to a recent report from Trustwave, the share of respondents reporting that their security is installed and maintained entirely by in-house IT staff and security teams dropped for a second consecutive year, this year to 67 percent. Twenty-six percent of respondent organizations use a partnership between in-house teams and an MSSP. Another 5 percent delegate their entire security solution set to an MSSP, and 2 percent answered "other."

On plans to partner with an MSSP, Trustwave's report found that 43 percent already do, up from 39 percent in last year's report. That figure is considerably higher in the United States, where 53 percent of respondents already use managed security services, a 14 percent leap from last year. Another 40 percent overall plan to partner with an MSSP in the future, while 17 percent indicated such an arrangement appears unlikely.

Yitzhak (Itzik) Vager, vice president of cyber product management and business development at Verint Systems, said selecting managed security services versus in-house security is a matter of strategy before tactics. Management needs to decide whether it is better to invest in the in-house personnel and tools required to reinforce organizational security and ensure complete control over protection processes, or to invest the same dollars in a company whose sole focus is security, but who will not have the same focus on the business itself. “When investing the money in an MSSP, it is important that the MSSP will understand the business risk associated with specific assets within the organization to better prioritize their work.”

Amir Jerbi, CTO of container security company Aqua Security, said MSSPs are at a level of maturity that is often as good as or better than in-house security. The decision of whether to outsource some or all security to an MSSP should be based on several factors, including the level and skills of your own security staff (and whether you can maintain a high enough skill set), the sensitivity and compliance requirements of your systems and data, how strategic security is to your business (e.g., whether you consider it a core competency), and of course cost.

“As a rule of thumb, large enterprises in regulated industries have a large enough and skilled enough in-house team and prefer to manage all aspects of security in-house. As you go down the midmarket and into SMB territory, it becomes a lot more sensible to use an MSSP for all or most of your security needs,” Jerbi said. “One thing to keep in mind when considering MSSPs is that their expertise is likely to focus on common, well-established areas, leaving emerging technologies such as containers in the hands of the user organizations themselves.”

Derek Brost, director of engineering at Bluelock, gave the pros and cons of both approaches. He said that for many companies, the investment in procuring, developing, integrating, deploying, operating and supporting security controls may not be justified by the total risk profile of their assets. For this type of organization, using managed security services is far more cost-effective; however, investing in enterprise risk management remains a required, ongoing expenditure. Organizations for which in-house security makes sense likely have a robust risk management discipline and can forecast loss potential well enough to demonstrate the value of bringing security activities in-house. This type of organization will have the maturity and discipline required to meet or exceed a managed security service value proposition with internal resources.

In Cisco’s annual security report, 21 percent of the survey respondents said they did not outsource any security services in 2014. In 2015, that number dropped to 12 percent. Fifty-three percent said they outsource services because doing so was more cost-efficient, while 49 percent said they outsource services to obtain unbiased insights.

Although a company will want to control its own security program, most cannot afford to run those elements themselves, as it would require a 24x7 security operations center (SOC) with tooling such as a SIEM or IDS/IPS, said Asher DeMetz, manager, security consultant at Sungard Availability Services. "It is vital that companies – of a size and risk profile to need these services – have 24×7 monitoring as attacks can come any time of day or night. An attack at 9 p.m. that is not detected till 9 a.m. when employees come into the office can be disastrous."

Additionally, MSSPs give companies the deep skills and experience needed to tell a "real attack" from a false positive, DeMetz said.

Carl Herberger, vice president of security solutions at Radware, agrees, saying that the speed at which the threat landscape is changing, and the fact that SMBs have become an increasingly frequent target, with 43 percent of all cyber-attacks now focused on small businesses, all make in-house security challenging. "For example, a retail ecommerce business might not have the ability to invest in a robust, well-trained security staff to thwart attackers. Managed security services help to bridge the gap and let businesses focus on what's at their core," he said.

The sophistication of the information technology environment, types of devices or controls in place, location and type of data centers, breadth of geographic scope/global footprint, cost, skilled resources, and coverage needed during the week/year should be taken into account when deciding to go with a third party, said Viewpost’s CSO Chris Pierson.

“It is critical to note that the people who best know the layout and operations of your company’s data flows are those people who created the architecture (either network or security) and understand the business processes and product. This ownership is really best achieved by having at least a central core team within the company,” he said.

Letting managed security take over specialized devices that focus on indicators of compromise or behavioral forensics is a smart fiscal and operational move, Pierson added.

Kennet Westby, president and co-founder of Coalfire, said outsourcing is happening in other facets of technology such as hosting, cloud services and application service providers. “It really is more about understanding the scope of network security you look to third parties for. Your organization’s most valuable assets may no longer reside behind your corporate firewall with a network managed by your employees.”

He added that making a decision to handle corporate network security in-house or to leverage third parties should be based on a number of important criteria:

  •  Competency/cost – As with most functions in an organization, a review of whether the service can be delivered at a higher competency level and at a lower cost than can be done internally.
  •  Organizational compatibility – Ensures that you have a partner that will work alongside your IT, security and management teams, and not just deliver vendor services behind an opaque wall of "security services."
  •  Trust – This is a critical element for any third party handling sensitive functions, but especially critical for an MSSP. You need to ensure their program of security controls is operating at even higher standards than your internal controls require. You may need to trust their employees more than your own.

Trust is a big issue, said Richard Henderson, global security strategist at Absolute. "It can take a lot of trust and convincing to move to that model, but the simple fact that we've seen an incredible explosion in the MSSP space is proof that those that use it like it. Any security organization inside a small or midsized company should at the very least evaluate the possibilities of integrating some MSSP offerings into their world."

He also added that there is a reality that security human resources are often hard to find, hard to keep, and hard to keep happy. “Many security positions are thankless jobs, and when things go wrong, the amount of stress placed on these employees can be staggering. And if you’re a company located in a smaller ‘uncool’ city, it can be difficult or impossible to recruit top-quality talent.”

Cisco’s 2017 Security Capabilities Benchmark Study found that most organizations rely on third-party vendors for at least 20 percent of their security, and those who rely most heavily on these resources are most likely to expand their use in the future.

Rod Murchison, vice president of product management at CrowdStrike, said with the increased volume and sophistication of cyber threats that organizations must deal with, there is a value proposition to working with an MSSP, whether for all or part of your security operations. “Some MSSPs are able to work with security solution providers through APIs, creating truly unique offerings that unlock real value while minimizing complexity for the end user. This level of sophistication and integration can provide MSSP customers with the perfect combination of capabilities to protect their particular network.”

For companies that are struggling, or for startups, Trish Tobin, FireEye's director of product marketing, said MSSPs can help security leaders design the overall program, build the SOC, train staff and provide incident response. "As their security programs evolve, organizations strive to improve threat detection and incident response capabilities. More often than not, they are constrained by a lack of skilled security expertise as well as lack of visibility into new techniques being used by targeted threat actors."

Scottie Cole, network and security administrator at AppRiver, favors a well-trained in-house security team over a managed security service. In-house security teams understand the requirements for both the company’s security needs as well as the company’s goals. “The downside to an in-house security team for many companies is the cost to maintain the team. Well trained, quality talent can be expensive to employ. Another added cost is continuing education for the team, whether it be for trainings, seminars, or re-certification.”

If cost is an issue, then a managed security service is the next best thing, Cole adds. "There are many companies that offer high quality, well-trained individuals who can come into a client's location and immediately assist with the client's security needs. The plus side to using a managed security service is that the service usually has a larger pool of talent to draw from. Depending on the client's wants or regulatory requirements, the managed service can find an expert or team of experts to support the client's needs."

Boaz Shunami, CEO of Komodo Security Consulting, said one area where MSSPs can be an advantage is in red team exercises (real attack scenarios), red vs. blue team exercises, penetration testing, threat intelligence centers, and incident response and forensics capabilities. "Replacing these with internal employees will usually prove to be less effective, with larger learning curves and, in general, less value over longer periods of time."

Tom Bain, vice president of marketing at CounterTack, believes organizations want to "collapse the stack" and move to fewer providers and platform offerings. They want fewer agents and ultimately not as many providers under the hood. "Taking technologies into a managed deployment gives an enormous advantage to MSSPs who can remove the burden from operators, monitoring and responding to threats on their behalf," he said.

Not so fast

While those interviewed do see the pros of MSSPs, they also have reservations about blindly handing over security.

Westby said that, as with most services, "there are many that over market and under deliver on true security service. Taking the time to get under the covers of how the service is provided and validate how they will protect your company is important in vendor selection. Maintaining security leadership and program/vendor oversight in-house is also very important."

It’s important to factor in the overall requirements and needs of the organization, said Javvad Malik, security advocate at AlienVault. For example, if a company has many custom apps that need customized monitoring, then in-house may be more appropriate than an MSSP. Other considerations can include whether there’s a preference for dedicated personnel or regulations that require data to be stored locally.

"If a company does choose to opt for an MSSP it's important to evaluate them for effectiveness and their ability to execute on their methodology. Finding the right type of MSSP that is a good cultural fit with your organization is just as important as finding one with the right technical skills."

Malik said there’s no easy or right answer to this – both approaches have their own challenges and benefits. But it’s best to make an informed decision based on budget, expertise, and desired outcomes.

Salim Hafid, product manager at Bitglass, believes that for many of the most security-conscious industries and organizations, in-house security is a must. An in-house security team that has specialized knowledge of the security capabilities necessary to achieve compliance, and that can evaluate multiple security solutions against its needs, can be very effective.

Having in-house security allows you to build on tribal knowledge that is not easy to export to a third party, Hoyos said. “Your internal team will better understand the risks you face, including internal risks from your own personnel, which is something that an MSSP simply cannot do without boots on the ground.”

He suggested having a mix of in-house personnel and an MSSP; the MSSP can cover the basics, while the in-house security team can focus on the more complex or nuanced issues that an MSSP doesn’t have the sufficient background to understand. “Having the MSSP cover those basics also provides meaningful challenges for your team, thus reducing turnover and augmenting your security program organically with more skilled personnel.”

Companies might not want to use an MSSP if they already have vendor contracts in place and an in-house team that knows the ins and outs of their particular environment. "MSSPs are more one-size-fits-all, so you have to account for that when planning a migration to an MSSP. You also need to be cognizant that all your data will be going through an MSSP, so confidential agreements and concerns with proprietary or customer data need to be considered as well," Hoyos said.

Neal Bradbury, senior director of business development at Intronis MSP Solutions by Barracuda, also pointed to "as-a-service" offerings that let companies pick and choose which functions they want handled for them.

Stu Sjouwerman, CEO of KnowBe4, said one factor to consider when deciding whether to keep security in-house is the complexity of your environment. Very complicated environments can be a challenge for MSSPs, especially if they have a high employee turnover rate; however, they may also have a more diverse skillset to tap into.

“It takes time to learn about complex environments, so you want to minimize repeated learning curves,” he said.

Another factor is a company's geographic location. Is there a local talent pool of security professionals, or are they in short supply? If your organization's salaries, benefits and perks are geared toward lower-level positions, it could prove a challenge to retain a security professional who is being courted by other organizations, Sjouwerman said.

Advantages to in-house security are that you have a dedicated resource that will know the ins and outs of the environment better than most MSSPs because they are immersed in it daily. “You are free to leverage the in-house security resource for any number of projects or advice that you may not want to bring an outside organization into,” Sjouwerman said.

“Ultimately, you also need to research any MSSP or direct hire before you make a step either way. These people will be the guardians of your information and will likely have a lot of access to your customer data. A company or individual with a strong track record and proven trustworthiness are critical,” he added.