IS outsourcing. Pros, cons, pitfalls

We consider the main advantages of handing the information security function to professionals "from outside", and explain what to provide for when concluding an outsourcing agreement so that it works at maximum efficiency.

The illusion that personal and corporate data are secure "by default", which until recently reigned in most people's minds, is gradually beginning to dissipate. News about yet another hack, "leak" or successful computer attack appears in the media more and more often.

Leaders of large and small companies are increasingly beginning to ask the question: "Are we fully protected?". And it happens that in response, IT service specialists shrug their shoulders and shyly look away. Or they deliberately and loudly declare: "It cannot be any other way!", while the thought hovers in their minds: "No idea…".

The task of ensuring the information security of a company is not trivial. There are several approaches to solve it:

  1. The Elusive Joe Method.

"Compared to Microsoft and Google, we are small, which means that no one will attack us. Therefore, there is no need to invest in information security. Besides, it doesn't make any money." Approximately this logical chain is built in the heads of many business owners. This approach to information security is taken by the lion's share of organizations; it is understandable and hard to challenge. But it can be challenged. The problem is that it does not match modern security threats.

In today’s world, a company will be hacked not because someone is interested, but simply because there is a critical vulnerability on the external perimeter or a remote user’s simple password. The issue of monetization of such a hack has also been resolved: information on computers, in 1C databases and network directories is dear primarily to the owner, so the hacker will simply encrypt it, leaving a message demanding a ransom.

  2. Adding tasks to the IT service.

"It seems that there are computers here and computers there, which means they can handle it." Yes, both IT and information security are all about computers, but each service has a different approach to them.

The task of the administrator is to make the system work. And, for example, processing e-mail with administrative rights and the password "qwerty" do not contradict this task in any way. The security specialist knows how a hacker works, and for him such actions are a sure path to disaster, because he faces a completely different task: to prevent intruders from penetrating the system that the administrator's efforts keep working.

That’s why IT people and security people will never replace each other. And only the synergy of these two approaches allows businesses to be confident in the reliability of IT systems.

  3. Creating your own information security service and entrusting it with the task of providing information security.

A classic of the genre in its various forms, and a genuinely working option. The only problem is that not every organization has enough resources and, most importantly, enough competent specialists to fully close all problems related to information security.

But in this article we want to discuss a fourth approach, which can work perfectly both on its own and in conjunction with the previous two. It is called outsourcing; it is often undeservedly deprived of attention and overgrown with many unfounded myths, which we will try to debunk.

Outsourcing is the transfer by an organization of certain functions (in this case, information security functions) to be performed by another company. Everything can be transferred ("Make us beautiful!"), or only specific processes or tasks: setting up information security tools, monitoring information security events, keeping documentation up to date, and others.

If you abstract a little from the name and look more broadly, you can see that any service that a company buys, whether it is car maintenance, refilling cartridges or cleaning by a cleaning company, is actually outsourcing. That is, the performance of work for the organization by qualified personnel from the specialized contractor company.

There are many advantages to outsourcing information security:

  1. Easier. The problem of recruiting specialists and evaluating their qualifications is left in the past. Now it is the contractor's problem. Given the acute shortage of qualified workers in the field of information security, this plus has been and remains one of the most significant.

  2. Cheaper. The price gain comes from distributing the outsourcer's resources among several customers, the absence of capital expenditures (purchase of equipment, software, etc.) and the flexible composition of the service package.

  3. Faster. All processes have already been worked out by the contractor; it only remains to implement them.

  4. More professional. Outsourcing provides access to a wide range of competencies. An information security outsourcer clearly has more of them than one full-time employee. Also, do not forget about the depth of expertise and breadth of experience that have been accumulated over the years in specialized companies.

  5. More efficient. The outsourcer's experts are engaged "as needed". For example, there is no need to keep an engineer on staff permanently to investigate computer incidents; you can request the service only when an incident actually occurs.

Of course, it is not without its downsides. Perhaps it would be more correct to call them "pitfalls" that can be successfully avoided with proper preparation:

  1. Service provider dependency. In the event of termination of the contract, the company may be left without protection. This is mitigated by working out in advance the procedure for changing the outsourcing company.

  2. The need to customize the service package. As a rule, standard services are offered and then tailored to a specific customer. Yes, agreeing on all the nuances will take time. But every day there are more offers on the information security services market, and they are able to cover the needs of any client.

  3. Inability to control all processes. Under the contract, the customer has only top-level control. But if you pay for the result, then it doesn't really matter what happens inside the contractor. On the contrary: with interaction with the outsourcer set up correctly, the ability to delegate some routine control functions can be considered more of a plus than a minus.

What stops companies from outsourcing information security? Objections and fears that are caused, as a rule, by a lack of experience with an adequate and professional contractor, and that do not hold up in practice:

  • "It is expensive!". It has already been mentioned above why outsourcing outperforms a full-time team in terms of cost. Let's add some specifics: you don't set up workplaces for staff, you don't pay them bonuses, you don't send them to training, you don't pay payroll taxes on them. Yes, all these costs are included in the price of outsourcing services, but they are distributed among many customers. It ends up being cheaper. According to Jet Infosystems, outsourcing is cheaper than in-house staff by an average of 20-30%, and in some cases by 50%.

  • "It is impossible to fully evaluate all the processes, whether the outsourcers will do it right". The issue of trust is a cornerstone in the field of information security. But it is equally impossible to evaluate the doctor who treats you, or the teacher who teaches you. To be confident in the contractor, you should approach the choice of contractor thoroughly. Finding a reliable company that you trust as you trust yourself is not easy, but the game is worth the candle.

  • "The outsourcer has access to our confidential information". This "danger" is mitigated by signing an NDA (non-disclosure agreement), by the terms of the contract (what they should have access to and what they should not) and by fine-tuning the access rules for the contractor's specialists. With a competent approach, there will be no significant difference between the outsourcer's staff and your own hired employees. Moreover, everyone is familiar with stories of a departing employee who, in anger, deletes (or takes to a competitor) the results of his work, causing real damage.

  • "The contractor does not report directly to us, so efficiency is lost". For tasks performed under the control of full-time employees there is a kind of outsourcing called outstaffing. You buy the time of a specialist, and he reports directly to you, with no loss of precious time.

  • "At first they serve us normally, and then there is not a single site visit, and we still have to pay". To control the outsourcer there is an SLA (service level agreement), which clearly spells out all his duties and the deadlines for performing them. Violation by the contractor of the agreements fixed in the SLA means a violation of the outsourcing contract, which in turn removes the payment obligations from the customer.

  • "Outsourcers make remote work insecure". Here the wording itself gives the hint: if an information security contractor sets up insecure remote connections, he thereby certifies his own unsuitability. You should refuse his services and look for a trustworthy company.

  • "They constantly distract our full-time IT staff". This belief is the most difficult to refute, because the process of providing information security really is closely tied to IT. And however contradictory it may sound, information security is provided primarily by IT employees. Information security specialists monitor and develop the measures, and IT implements them. We can say that the security officers are the head and the administrators are the hands of a single organism that ensures the information security of company systems. So, alas, nothing will work without "distracting the IT people". But your own in-house information security specialist would work exactly the same way. It turns out that this objection concerns not so much outsourcing as the work of an information security service in principle.

  • "If the contractor leaves, it is difficult to work out on our own what the outsourcers were responsible for". If the contractor implements and operates an information security system for you, the outsourcing contract can and should include an obligation for him to document the system being implemented and to create a set of work regulations for employees. It is worth noting that a responsible contractor, even after the end of the contract, will advise his client and will not leave him high and dry.

Summing up, we can say that information security outsourcing is a serious undertaking that requires the customer's attention at the initial stage. However, with the right approach, it has many advantages and in many respects is more effective than maintaining one's own information security service, especially for small companies. We hope that we were able to convey the full benefits of outsourcing the implementation of an information security system and to debunk the most common fears associated with it. The main thing in this business is to find "your" outsourcer: a responsible expert with whom you and your company will feel comfortable and calm.
