When Should You Outsource Security?
As evidenced by the many headlines about recent data breaches, its clear that some healthcare organizations are not practicing security fundamentals. Rather than improve their security efforts, these laggards typically have the following:
* Fragmented security efforts and no formally integrated oversight, governance or alignment with other risk functions within the organization.
* An ineffective, ongoing risk assessment process thats not consistently identifying internal and external threats and vulnerabilities, or systematically implementing basic controls.
* Unassigned ownership and accountability over security and compliance requirements.
When taking these into account, it is certainly no surprise that some healthcare organizations continue to struggle in transforming their information security activities, whether its ad hoc technologies and control-centric initiatives or more proactive programs that focus on continuous improvement.
For these organizations in urgent need of an information security program makeover, their best bet may be outsourcing. Outsourcing security can feel like you are relinquishing internal control to take advantage of the efficiencies and expertise of an external service provider. But it doesnt have to be this way if you are clear about your expectations for a security outsourcing engagement. By structuring a service-level agreement that reflects those expectations and defining the capability and cost aspects, you can make better informed decisions about whether outsourcing security is right for your organization.
There are a variety of reasons why healthcare organizations may choose to outsource all or portions or their security, but mostly is the desire to do the followingavoid additional hiring, reduce the risk of data breaches occurring and improve an organizations overall security posture.
Outsourcing decisions should be based on an analysis of required security and operational capabilities and, of course, cost. The IT decision maker also needs to understand the scope and boundaries of a potential outsourcing arrangement, and determine the internal resources required to achieve the desired level of security capability.
Here are the primary factors to consider when deciding whether or not to outsource security:
* Lack of security staffing resources - If your organization has a shortage of skilled security practitioners or you wish to focus your established security resources on specific tasks and activities, then you can use an external service provider to offload any or all operational functions. Outsourcing the management and monitoring of the network perimeter, for example, reduces your need to hire, train and retain security skills for that function. It also frees up existing security expertise for other security projects and activities.
* Lack of internal technical expertise - If your organization does not have established internal expertise in the foundational areas of managing an information security program, then your organization can benefit from an outsourcing arrangement. For example, external service providers can offer firewall and intrusion detection/prevention system management. Just be sure to have internal processes and internal staff in place to leverage the security information provided by the external service provider.
* Need for 24x7 security coverage - Bad things dont always happen during normal business hours. When your organization recognizes the need for 24x7 security monitoring, it must evaluate internal and external staffing alternatives needed to support this effort. Using an external service provider eliminates the need to add more staff. The case for this is most obvious where there are no established 24x7 operations for network management, systems management or security. Even if you have established 24x7 network and systems management operations, you still will need security monitoring capabilities to identify threats and determine their potential impact on the organization, regardless of whether it is insourced or outsourced.
* New security technologies - If your organization needs to acquire or upgrade a new technology, the insource vs. outsource decision can be cost-neutral because the external service provider will typically manage equipment and software that is owned or leased. One area that is not cost-neutral involves event correlation and management technology that is layered on top of firewall and IDS management. External service providers will typically use security management technology in their security operations center to gain economies of scale and improve the quality of service. To gain an equivalent level of service, your organization would have to make an additional investment.
It is important to be clear about your organization's expectation of a security outsourcing engagement and then structure a service-level agreement that reflects those expectations. If your organization has already outsourced other operational functions, such as network management, then it is likely to have the internal skills needed for vendor management, knowledge transfer to internal staff and performance measurement. Consider whether your organization is a candidate for outsourcing some or all of its security functions, and you just may find the perfect fit for your business.
Brian Evans, CISSP, CISM, CISA, CGEIT, is senior managing consultant for
IBM Security Services, North America