Outsourcing Security Without Inviting Risk and Wasting Money


Few enterprises have all the cybersecurity skills and resources they need in-house, making outsourcing a necessity. Rather than trying to build an internal kingdom, it’s often more beneficial for midsize and large organizations to build their core team and strategically outsource specific capabilities. Experts weigh in on how to select and work with third-party security service providers.

Only the largest of firms have the budget and resources to hire all of the cybersecurity expertise they need in-house. For everyone else, it’s almost impossible, especially for highly skilled work. Outsourcing threat intelligence can be instrumental in an organization's security program because the organization receives a very detailed understanding of how new intelligence specifically relates to the enterprise, and it frees threat intelligence teams to work on more strategic initiatives within the broader security program. Such motivations, rising regulatory demands, accelerating enterprise investments in digital transformation, and the need for cost-effective cybersecurity defenses fuel the current interest in outsourcing cybersecurity capabilities.

While organizations are making those outsourcing investments, the question remains: Are enterprises investing in the right areas and getting the most security they can with their budgets? Deciding what functions to outsource and what service providers to use to deliver those services involves a complex set of factors, ranging from the risks an organization faces to the skills of current staff and the organization’s longer-term perspectives.

When it comes to actual types of functions outsourced, some of the most common include:

  • Security operations: Many organizations outsource their security operations, including managing security operations centers (SOCs), due to the high cost and complexity of running these operations in-house.
  • Vulnerability management: This includes regular vulnerability assessments and penetration testing to identify and mitigate potential security weaknesses.
  • Third-party security assessments: When hiring new providers, many industry best practices include vetting those vendors’ security as part of the due diligence process.
  • Incident response: Tasks requiring considerable specialized technical training but not necessarily requiring deep insight into an organization’s operations, culture, or strategic initiatives may be ideal for short-term engagements.


Once the decision has been made to outsource, organizations need to consider what service providers to outsource these functions to:

  • Does the provider have referenceable customers within your vertical market, of your organization’s size, and in your locale?
  • Does the provider allow you to bring your own tools, or do they require you to purchase a tool under the umbrella of their services?
  • Do the provider’s service-level agreements and service-level targets (SLAs/SLTs) meet your needs? Can you negotiate SLAs/SLTs for some or all the services you are acquiring? What are the penalties if the provider misses the SLAs/SLTs?
  • What do the provider’s security model and architecture look like? Does the provider have any certifications or assessment reports? These include the NIST CSF, ISO, CIS/CSC, and SOC2.
  • Does the provider provide real-time support in regions you need?
  • Does the provider provide professional services to assist with remediation, if desired?
  • Are there penalties if you terminate service with the provider?
  • Does the provider outsource functions to other downstream providers?
  • Where is the provider’s staff based? Are there any geolocation risks you have to consider based on the provider’s location?

Read more to see what experts say about selecting and working with third-party security service providers.


Offered Free by: HID Global Corporation