Many organisations faced with increasing in-house IT infrastructure and staffing costs look at other organisations with outsourced operations with envy.
I'm sorry to shatter the illusion but the reality is that the grass is rarely greener on the other side.
Outsourcing systems can be the right call, but it is not a decision that should be taken lightly, and it isn't something that should be done without security involvement. When a business takes the giant leap into the unknown, security should be there all the way.
This will ensure the business plans for the future rather than just reacting to mistakes or mistaken assumptions. It's fair to say that once outsourced, your organisation will not look the same, nor will you be likely to find the appropriate resource in-house to build a secure outsourced environment.
A truly outsourced environment will see your systems operating as services to you; but this can create your first problem. Your dedicated security controls will likely not fit in with your vendors' vision; indeed it is unlikely that they will even be willing to let you put your systems in their environment.
Many companies face this challenge with one of two responses – pay the provider to perform specific security tasks and receive reports from them, or pay the provider to import your own security devices into your outsourced environment. I suggest that both of these are wrong.
Organisations that wish to outsource their technology should realise the benefits of outsourcing their security too. Just like you pay for a stable and consistent electricity supply, you should expect your outsourced service environment to be secure.
Be very wary of providers that offer security as a bolt-on extra. Those that seek to outsource their environment should complete a security due diligence check first; this should be a fit-for-purpose assessment with the aim of understanding how the provider might deliver security as a service.
Then, instead of mandating controls on a vendor or specifying how your outsourcing should work, you should look at holding them to account based on the service they supply.
Write your security schedules leaning heavily on international best practice. Ask your suppliers to adopt a risk management framework and then externally audit them appropriately and often. A sensible way of achieving this would be through the use of ISO 27001 and selected controls from Annex A. Running security in this fashion frees your provider to supply you with the service you require without the burden of trying to reach the same conclusions about controls as you. This approach should not only be welcomed but should also be cheaper.
Of course, this cannot be the only part of your security schedule, and both you and your provider will need to consider the external risk context. You will need to look at your regulatory and legal environment and ensure that your supplier is prepared to pay towards fines where they are at fault. This should be the easy part. Ultimately, if a provider is providing a secure service, they should underwrite this with a guarantee.
Finally, before you outsource your systems, you need to consider the impact that this will have on your operational security teams. Do you even need them anymore or do you need security supplier managers?
Once you've outsourced everything, what happens to the people who have been watching those dials for all those years? You could TUPE them over to the provider, or you could find other jobs for them in your organisation; that choice is yours. However, be warned that the business may not realise that this needs to happen, but they will notice when a large cog of the organisation stops spinning without any apparent impact.
IT infrastructure can and should be considered for outsourcing; just don't forget that security will change, both technically and operationally. It is an opportunity to embrace a lower-cost security service, and you don't need to compromise your security to do so.
Lee Barney CISSP-ISSMP is an information security risk management consultant