CISO Challenges: The Build vs. Buy Problem (2:2)

In part 1 of this 2-part series we discussed, among other things, how to decide when to outsource your security-related activities and when to build them in-house. This post continues by answering the question of what to outsource, and how to know you're making the right decisions for the business.

What to Build, What to Buy

The big question is what to outsource and what to keep in-house, relying on your own expertise.

While the question of when you should outsource depends heavily on talent, time and priority, the question of what to outsource comes down to 3 slightly overlapping questions.

I find that it breaks down to core competencies. There are 3 basic questions that have helped me make this decision in the past, and while I grant you that was a while ago, they're still very relevant.

  • Do you have available expertise in the activity subject?
  • Does the activity critically contribute to goals of the business?
  • Is the activity a commodity that is transferable to a 3rd party without incurring additional risk?

The first one is the big question, because you can't stand up a software security program with full development and testing integration if you don't have anyone in-house who is an expert in software security and can write, understand and speak the code language of your business; it's simply not going to happen. In that case you'll need to hire someone, but how will you tell an expert from someone pretending to be one if you don't know the subject yourself? Do you have additional budget to cover the new headcount? And if so, what will you have to give up if you proceed with hiring?

The second question is very important because it speaks to the question of "What does security actually do in the business?" and, more importantly, "What does information security do for the business?" You see, when I worked at GE all those years, nearly everyone in IT was a contractor (outsourced) because GE wasn't in the business of IT; my organization was in the business of building and maintaining power generation equipment and facilities. IT was simply an enabler of that goal and not a core competency, and thus easily transferable to another organization to perform the work on our behalf. The point was that the contract with the 3rd party contracting firm could be cancelled at any time, new workers could be brought in, and minimal disruption would occur to the business. In reality it's a good bit more complex than that, and we all knew it, but that was the perception. The engineers who build the steam turbines, on the other hand, could not be outsourced, because that was part of the company's core competency and clearly contributed to the business goals.

Final question then: is the activity a commodity, and can it be transferred to a 3rd party without incurring additional risk to the business? In Information Security today, almost everything is becoming a commodity, but not everything can be easily transferred to a 3rd party without incurring additional risk to the business. This is key: additional risk to the business. Forensics capability is a good example. Clearly, most SMEs cannot afford a full-time forensics team in-house, but when they outsource the work, a significant amount of intellectual property and company secrets walk out the door. To avoid incurring additional risk to the business, the organization being outsourced to must be heavily vetted and contractually obligated to maintain secrecy and integrity. It can be done, but it's tricky, and it requires additional due-diligence work to ensure the result isn't a train wreck in a worst-case scenario.

There you have it: whether you build it, buy it, or even rent/lease it, you're now armed with some great questions to ask yourself when making those key decisions. For the typical SME, outsourcing isn't just a question; it's often the answer to survival, and knowing what to build and spend your precious capital dollars on, versus what to buy or outsource, is key to having a coherent and sustainable strategic Information Security program.

Thanks for reading! I invite you to leave a comment on this 2-part series if you have questions, thoughts, or maybe even some additional things that work for YOU in your SME. If you leave a comment, don't forget to leave your Twitter handle so we can continue the conversation. You can find me @Wh1t3Rabbit or by using the hashtag #SecBiz for the SecBiz community.

Comments
marcin marcin(anon) | ‎10-18-2012 04:04 PM

I think that there is at least one aspect of outsourcing that the article missed.

Every article promoting cloud in every one of its *AAS incarnations, MSSPs, etc., focuses on the conservation aspects, i.e. the vendor is cheaper than an internal function that achieves the same role, so it makes more sense to pay the vendor and realize savings by cutting the internal position(s). This makes sense if the IT services are fungible.

In most other cases, a whitepaper outsourcing strategy should focus on the leverage (sic!) effect when existing teams use contracted services as tools. For example, rather than attempting to outsource app sec, an organization could hire SecHat company to perform continual assessment of their perimeter, and retain professional services for assistance with remediation efforts. Next, rather than being fired, the two app sec analysts review and manage remediation of validated scan results, and ensure proper coverage and accuracy. When an issue pops up, the vendor jumps in and provides malware RE/forensics/architecture review/product selection assistance.

This approach definitely will not save money, but at manageable cost, it offers realistic security benefits at a rate that grows much faster than funding. It's a risky approach, as it breaks with the traditional roles and responsibilities of IT geeks and administrators, and forces the very technical field to understand the business and adopt its ways.
