Think about "Risk Management" when Outsourcing Information Security

I have never been a huge fan of outsourcing information security, especially when security operations and vulnerability management are intermingled with infrastructure outsourcing deals. I have had first-hand experience at previous companies with the risks of every aspect of outsourcing: selecting ITO providers, migrating from one provider to another, and actually working for an outsourcing provider. As a security professional involved with ITO relationships, I have never been satisfied with the major outsourcing vendors' ability to manage security effectively with the goal of minimizing enterprise risk. There are smart ways to deal with security and outsourcing, though.

In most large ITO deals, security is always promoted as a high priority, but the problem lies in the fact that once the deal is done, the low-level resources simply cannot deliver and there is always the inherent problem of conflicting priorities within the outsourcer. Geography challenges, skillset deficiencies, limited resource experience, lack of business knowledge and basic financials of the outsourcing deal do not allow security to flourish. Therefore, you should employ the concepts of enterprise risk management when embarking on an outsourcing agreement that includes information security outsourcing. If at all possible, security should be pulled out of the larger deal and treated as an independent initiative.

If security is not pulled out of the primary ITO agreement, there will always be conflicting priorities between the technology groups and security teams within the outsourcer. Let’s face it, the outsourcer needs to make money by functioning as effectively as possible, and if the security team is mandating additional requirements from their network or server support teams, it impacts the bottom line resulting in reduced profit.

Core information security leadership and enterprise risk management should always remain within the business, not the outsourcer. As the security guru, fight to have independence of your security outsourcing while still ensuring security responsibilities are embedded in the core ITO deal. This will allow you to choose a focused security partner who specializes in performing security work with the support of the outsourced technology teams who must meet a certain level of security support.

An information security certification program from an experienced security organization is the perfect overlay to an IT outsourcing deal. You receive top-tier security management capabilities with a third-party objective vendor who will not have a conflict of interest with the support teams responsible for implementing security improvements. Plus, in my experience, you will also save money for a much higher level of service.

Information security certification programs combine best-practice reviews and direction with vulnerability management capabilities to ensure the outsourcer is implementing controls as contracted. Trying to get this objective level of security from an outsourcer who handles both the security and the infrastructure portions of the contract is not possible, and it will undermine your IT risk management goals. There are simply too many conflicting decisions that must be made, and it is unrealistic to think this could ever work successfully.

As the security decision-maker, you must be strong and not be swayed by the outsourcer’s fancy presentations around security. It will never work out as they promise. Splice out IT security and cyber security from other risk management services. Then, choose a focused vendor, and you will experience much higher levels of service and a less-contentious ITO relationship.

Written by Ryan Ward

Ryan Ward is CISO at Avatier, responsible for security initiatives as well as strategic direction of IAM and security products. A sixteen-year veteran of the security industry, Ward comes to Avatier after five years with MillerCoors, where he served as Enterprise Security Manager of the brewing company and USA Information Security Officer for the public company SABMiller. In those positions Ward was responsible for all information security initiatives for MillerCoors. Prior to MillerCoors, he served as Senior Information Security Leader at Perot Systems while supporting the Wolters Kluwer account. He previously held the position of Vice President of Information Systems for Allscripts. Ryan is also a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).