How to secure an outsourcing or an offshoring deal is a challenge for most cybersecurity teams today. I was fortunate enough to be part of one of the largest IT outsourcing deals in Australia and see it evolve over a decade.
There are two roles typically security professional maybe involved in, one as a cybersecurity professional to embed cybersecurity controls (contracts to operating controls) in the outsourced arrangement and second as a security services owner to insource or outsource cybersecurity services.
Given the threats and the risks are not siloed into neat domains, typically a security professional is required to cover a large number of areas in performing the above roles. Hence,I have chosen to use the words cybersecurity here to mean all aspects of information security, protective security (physical and personnel security), regulatory requirements, and controls required to protect against fraud.
The five key elements that needs to be considered in any outsourcing /offshoring engagement :
1. Accountability vs Responsibility
In the late 1990s, a quick solution to build capability was to have an internal contract owner and outsource the entire IT function. As the term suggests, the contract owner was just responsible for governing the contract and not the services. In such a scenario, the partner was both accountable and responsible for delivering the services. Since then, IT has significantly moved away from this model, but this model is still in use for many smaller security functions. Accountability for the service always resides with the parent organisation and the responsibility with the partner. To successfully discharge, these obligations requires an internal team to have the necessary expertise to define, implement, govern, and refine a service, without which there can only be unmet expectations on both sides.
2. Right Sourcing or Right Operating Model
Outsourcing and offshoring maybe perceived to provide access to a large pool of skilled and cheap resources. Scarcity of local cybersecurity resources means that outsourcing is a very attractive proposition. Whilst this may appear to be simple to accomplish however, the reality is far more complex.
In one case, a set of security services were initially outsourced with a reasonable sized internal team required to govern the outcomes. However, as cost pressures increased, the size of the internal team was reduced. Outsourced onshore activity was offshored and converted into a managed security service. On paper, the costs significantly reduced however, quality dropped and internal teams had to compensate to achieve the same business outcomes. Overall, the Total Cost of Ownership (TCO) had increased.
Another consideration is onshore vs offshore, not only is it far easier to derive value from an onshore team, however from a cybersecurity perspective the data stays onshore.
A successful outsourcing
Arrangement either for it services,
Business or cybersecurity services
Requires a good understanding of
Your own business outcomes
In an offshored model, there are multiple options - the offshore development centre (ODC) model wherein offshore teams use local tools and development centres that need to be secured. Or the other model is a remote access model wherein data can only be accessed from offshore but cannot reside offshore. Given a plethora of options, a deep understanding of internal outcomes and a match with partner’s capabilities is necessary to have a successful operating model.
3. Culture and Values
The alignment of the partner values and culture to the outsourcer is critical and this is not limited to the ethnic culture only. An organisation with innovation, design thinking, and agile culture cannot just expect the same culture from its partner with merely some contract statements. Some of these practices rely on face to face interactions, contribution from every member of the team in daily huddles. Certain online cybersecurity (social media policies, regulatory policies) and safety practices maybe part of the fabric of an organisation, however to embed them in a partner organisation requires changing unconscious behaviour in the partner staff which cannot be underestimated. To harness true value, the outsourcer and the partner need to have a synergy which sees them operating as one, both from a culture and value perspective.
4. Service Definition, Integration, and Measurement
Most services are rarely standalone, they need to operate in an ecosystem which could be operated by multiple service providers (either internal or external). To ensure delivery of a consistent and effective business service requires the underlying service level objectives (SLOs), service level agreements (SLAs), and key performance indicators (KPIs) of all the supporting services to be aligned. Anything that cannot be easily defined, chances are it cannot be measured and cannot be delivered to expectations. A key aspect of measuring a service requires focus on leading and lagging quantitative metrics (such as response times, availability of services) as well as qualitative metrics (% of certificates with no service owners).
5. Cybersecurity Considerations
Cybersecurity functions are not any different to IT functions that are being outsourced and as such they are faced with the below options, each with their trade-offs. Below are some considerations –
• Completely outsourced – this model is suited for highly commoditised activities that are static and easily measurable, examples would include help desk /Level 1 support or monitoring of services (eyes on glass). These can include some infrastructure services such as email, internet, elements of network security.
• Hybrid – this model is suited to services that have a commoditised component but also a large business engagement and continuous change component. Identity &access services that have continued onboarding or significant business engagement such as data protection, segregation of duties would fall in this category.
• Insourced – this model is suited for services going through a high degree of change, with substantial number of internal service integration points and significant business involvement. This model is also suited for services that are nebulous, hard to define, measure and once engaged, hard to disengage.
So far, most of the above considerations have been focussed on managed services, however, there are cyberspace governance services that are particularly relevant in providing assurance over managed services. These services particularly, security architecture and design, security reviews, penetration testing, supplier security assessments in conjunction with the service ownership function are essential to derive value from an outsourced arrangement.
In summary, a successful outsourcing arrangement either for IT services, business or cybersecurity services requires a good understanding of your own business outcomes, what is on offer and the value-cost-risk trade-offs that you are comfortable embracing.