4 Things to Consider When Outsourcing Vulnerability Management

Security risks to information systems and sensitive data are expanding at a rate that can outpace an organization’s technical resources and expertise. Small to mid-sized companies without sufficient in-house resources to maintain an effective security program may consider outsourcing cyber-security to a managed security service provider (MSSP). Knowing exactly what security functions to outsource is a key decision.

What are managed security services?

Managed security services allow businesses to offload much of the burden of security to a trusted third-party provider. Functions of a managed security service may include round-the-clock monitoring and management of intrusion detection systems and firewalls, performing security audits, overseeing patch management and upgrades, and responding to emergencies. (See “Six Categories of Managed Security Services”) In return, the business receives guaranteed levels of protection without having to invest in internal security resources.

Some cyber-security tasks do not outsource well

Do not assume that outsourcing will solve all your IT security challenges. In our experience, organizations need to be very selective about what they choose to outsource. While some activities lend themselves to managed services, other tasks are not well suited if they are commercially sensitive, company specific, do not scale effectively, or are prohibitively expensive for a managed service provider to deliver.

4 key areas for consideration

1. Expertise – Successful vulnerability management demands a range of very specific skills, plus the experience to apply those skills in a timely, cost-efficient manner. This may be an obvious point but selecting a MSSP that implements security controls that meet or exceed your internal policy is critical. One of our customers brought outsourced security back in-house when their provider failed a rudimentary password audit.
2. Service Level Agreements – Service quality and security expertise may not always match your expectations. Be sure to formalize and negotiate service level agreements. This is particularly important for intrusion detection and compliance monitoring. In addition to SLAs you need to have concrete metrics and sufficient data to measure your outsourcer’s performance.
3. Legal Risk – Risk is never fully transferable. When security operations are outsourced the financial liability may also shift. You need to ensure that your outsourcer is insured against losses in the event of a catastrophic security breach. Moreover, outsourcers gain access to potentially sensitive corporate and personal data and this is not without risk to your company.
4. Cost –The argument for outsourcing is financial: a company can get the security expertise it needs more cheaply by hiring an outsourcer to provide it. Besides the expertise deficit that companies face when it comes to IT security, lowering the cost of ownership while meeting regulatory compliance requirements is cited as a primary reason for outsourcing. (See “Total cost of ownership for vulnerability management” for comparison purposes)

For more recommendations on how to develop a successful vulnerability management approach, download the Best Practices Guide: Vulnerability Management.