Risk
9/29/2017
02:45 PM
Kelly Sheridan
Kelly Sheridan
Slideshows
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Best and Worst Security Functions to Outsource

Which security functions are best handled by third parties, and which should be kept in-house? Experts weigh in.
Previous
1 of 10
Next

(Image: 3D_creation via Shutterstock)

(Image: 3D_creation via Shutterstock)

Security teams need more advanced people than they can find or afford. For many, outsourcing has become key to bridging the skills gap and addressing tasks they lack budget or talent to do.

Dark Reading's report "Surviving the IT Security Skills Shortage" found 45% of businesses don't outsource any of their security functions. Nearly 30% outsource a few hard-to-find skills and services, and 22% outsource some security functions while relying on third-party service providers for others. Six percent outsource most of their security tasks to third parties.

It's possible to outsource just about any security function, says IP Architects president John Pironti, but just because you can outsource doesn't mean you should. The question, he says, is where do you want your team to focus its time and attention?

"You have to calibrate expectations of what a third party will provide," he explains. "They will not have the same interest or passion in your world as you will."

Some security functions are best left in-house, Pironti adds, because they require intimate knowledge of business infrastructure and processes. Organizations will continue to master this balance as security threats evolve and multiply.

Outsourcing is more involved than simply passing off responsibilities to other people, adds Ryan LaSalle, global managing director for growth and strategy at Accenture. You have to work with providers to manage the functions you're outsourcing and how they're being performed.

No matter which functions you outsource, it's critical to define expectations and processes for your partner firm, says Pat Patterson, VP of enterprise security solutions at Optiv. Most of the time, companies end up disappointed because they didn't communicate what they needed.

"The better you as a customer can define expectations and requirements, the more prepared you will be to leverage that relationship," he explains.

Which functions to outsource, and which to handle in-house? Read on to see the experts' list of the most common and beneficial security functions to outsource, as well as the tasks that should be kept in-house.

(Which functions do you outsource, or which are you considering outsourcing? Let's keep the conversation going in the comments.)  

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Previous
1 of 10
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/14/2017 | 3:04:33 AM
Re: Outsource?
> When the CEO criticizes the leadership openly in end of the year meetings, the end is near.

Bad leadership begets bad leadership, sounds like to me.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/13/2017 | 3:23:57 PM
Re: Outsource?
Glassdoor review of IT at Abbott Laboratories --- 10 year veteran of the trench wrote this and it is ruthless to the extreme but I agree with it fully.

 

Core IT is a disaster. The old, tired women leading the BTS are overwhelmed and under qualified. They outsourced large portions of the business and have never had experience in this type of environment. They yell a lot but give little direction. Layoffs all the time (more today). No job is safe and hours are long. It's a total mess. Ask any one of the hundreds they've erased in the last 12 months. Advice to Management Dump the current IT leadership and get someone with experience. Preferably someone who can control their weight and their behavior. When the CEO criticizes the leadership openly in end of the year meetings, the end is near.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/13/2017 | 3:20:19 PM
Re: Outsource?
@REISEN: Wipro is a particularly apt example for you to bring up, given how workers there allegedly scammed TalkTalk customers, as reported here and elsewhere: bbc.com/news/technology-39177981
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/13/2017 | 3:16:45 PM
Re: Outsource IT Projects
Moreover, @REISEN, I'm not even speaking of American outsourcing to dirt-cheap Asian vendors. Even intranational outsourcing can be deleterious if you're talking about a large country with a vendor in a totally different and far away part of the country compared to the customer.

I saw this relatively recently with an east-coast customer and a west-coast vendor (albeit outside of the security context, but I believe the point may hold true all the same). West-coast vendor had no clue and was making all kinds of screwups that wouldn't even occur to a local or even semi-local vendor. Simply because they didn't know the area. (And, conversely, I imagine the same could be true vice versa.)
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/13/2017 | 8:29:57 AM
Re: Outsource IT Projects
Vendor location is important but how many American firms have huge footprints for their offices in India?  Wipro, Tata, Infosys and now IBM of all things.  That implies time issues and also knowledge content.  There ARE a few smart folk in every outsource firm - they are rare.  Outsource to American management means lower salary expense, lower benefit expense and cheap labor PERIOD. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/11/2017 | 4:53:57 PM
Re: Outsource?
To be fair, Equifax's data-protection issues are clearly so great that it doesn't matter WHO the vendor is or even the fact of the existence of a vendor.

Echoing earlier comment, vendors can be fine if you choose wisely, work with them, and don't just hire them to forget about things so they can clean everything up with no input from you as the client. I suspect that Equifax took a set-it-and-forget-it attitude with security.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/11/2017 | 4:50:29 PM
Re: Outsource IT Projects
@REISEN: Obviously, it depends on the context, but yes, that's why it pays to be careful about outsourcing.

One friend of mine recent took a new job. Since taking it last year, she's spent that time insourcing almost everything within her purview because of the inadequacies and problems of the vendors and how the company dealt with its vendors. Now, things are much more streamlined, and the vendors that she has kept (albeit for much less) have been able to deliver better because of how she has improved communications and workflow with the vendors.

The worst vendor relationships/productivity tend to come from the idea of just hiring a vendor so as to forget about something entirely or near entirely. Hiring a vendor means that vendor is now a part of your team to manage. And the vendors who market themselves as "just hire us and forget it" tend to be the worst to work with.

Moreover, localization is important. In my experience, it's often beneficial to stick with a vendor that has a meaningful geographical presence in or near the area.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/11/2017 | 3:06:51 PM
Re: Outsource IT Projects
DISAGREE - Came out of an outsourced office locally.  It took 9 days for Wipro to route one ticket from ONE end of the office to me.  if 3 calls were made to users to resolve and not picked up, then the issue was closed.  Helpdesk knew nothing.    All the outsource firm cares for is GETTING PAID on time.  
Synergy360
50%
50%
Synergy360,
User Rank: Apprentice
10/11/2017 | 3:42:19 AM
Outsource IT Projects
It is good to have your projects outsource to a third party. The benefit will be unbiased decisions, skilled and knowledgeable people handling your project. For any sort of IT and 

Business Consulting Solutions, Contact Synergy 360 Consulting. Visit https://synergy360.com.au/services/ to know our services.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/3/2017 | 2:02:52 PM
Re: Outsource?
Agree - i was part of an outsource effort at Aon (140 staffers fired for Computer Science Corp) and THAT was a train wreck (ongoing this day) ---and just left a Wipro outsourced shop in Georgia.  There, a small office of 45 people ---- nice people too --- and it took the Help Deslk NINE DAYS to route a ticket from one user to me.  If the helpdesk called a user 3 times and did not connect, they consided the issue CLOSED out.  It gets worse of course.

OUTSOURCE FIRMS are interested ONLY in being paid and having CHEAP LABOR
Page 1 / 2   >   >>
Hacked IV Pumps and Digital Smart Pens Can Lead to Data Breaches
Dawn Kawamoto, Associate Editor, Dark Reading,  12/4/2017
Tips for Writing Better Infosec Job Descriptions
Kelly Sheridan, Associate Editor, Dark Reading,  12/4/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.