There are all kinds of reasons to insource operational tasks, especially ones of the IT persuasion. But when organizations choose to insource activities that should instead be outsourced services, that’s what I call wrongsourcing.
To be fair, there’s a lot of confusion associated with the term ‘information security’. In my world, that’s the realm of information risk: the potential for harm to intangible assets. What is already a broad scope is not helped by the overuse of the term to describe everything from fluffy online scanners to whatever it is that over-eager product marketers think they can guarantee. Buy this product and your security is guaranteed! (Heard that one before? I hope you asked for more evidence of effectiveness than a carousel of parading client logos can provide.)
Wrongsourcing is the misguided notion that by empowering someone (read: making them responsible for things they can’t really control) you’re managing security. Assign an employee to it and it’s as good as done! Delegation being one of the hallmarks of able leadership, I’ll be the first to tell you that it’s a sound and essential practice… just not when it comes to in-sourcing security.
The seductive rationalization that security is just too intimate and important an aspect of your business to outsource doesn’t hold water. You don’t know how vulnerable you are until you’re on the other side of a breach, and by then your reputation and finances have already taken the hit. It’s nice to feel that you know your systems and your data better than anyone else, especially if you deployed them yourself, but there’s no substitute for looking at the problem from the outside in, through fresh lenses and experienced eyes. The false sense of security that comes with in-house familiarity is precisely the reason you want to stop wrongsourcing it, and fast. Let me spell things out, in case you need a few bullet points:
1. Security is not your core business
Stick to what you do best. Any time you force your company to internalize operations it doesn’t specialize in, you assume a risk. That risk is arguably manageable for a great many things, from designing brochures to running an HR department. But security risks are different: the cost of getting them wrong is not a bad brochure but a breach. The more of your security you try to manage entirely in-house, the stronger the case for outside expertise becomes.
2. Security is not I.T.
Let me spell that out: ‘information security’ is not ‘information technology’. You can handle IT – at least I hope you can – but security is a different beast altogether. What most companies call ‘security’ is actually installation, integration and configuration management. The role of the IT professionals in your organization is to keep things running smoothly, not to be experts at tuning security controls, each of which can bring your operations to a grinding halt if mishandled. In that sense, the security function is in tension with the IT support function: one exists to keep systems available, the other to constrain what those systems will do. What often leads decision-makers towards wrongsourcing is that the two functions collaborate closely day to day, and security depends on IT to implement its controls, so it is tempting to assume that one team can wear both hats.
3. Security is a profession, not a product.
Security products are indeed things you can buy, but knowing what to get requires professionals who ‘get it’. That professional may very well be a competent member of your IT team, but buying the product still doesn’t buy you security. A product is merely a control: something that helps you manage risk at a key point in your processes. It had better do a good job, because preventing, detecting, monitoring, correcting or compensating for a growing universe of threats to your information assets is no trivial matter. Your entire organization may depend on it, so choose wisely, and implement your controls effectively.
4. Security is not a trivial matter
Certainly, no one said it was, right? You put your best people on the job and even gave them a discretionary budget for education. But that’s not what I’m talking about. Information risk requires authority, access, visibility and a top-down approach to managing risk across many dependencies, from privacy to business continuity. It’s a management discipline, and you don’t have time for it. You understand process, but why would you want to review your own processes? You carefully crafted the message you want to communicate, but what does the look of a web site have to do with the strength of its underlying foundation? And when you’re done answering questions like these, consider this: information security is not just about IT. It also includes two other domains, physical security and administrative controls (policies, procedures and other documentation). Each in turn requires specialized expertise, training and communications, backed by solid credentials.
5. Security starts in the boardroom
Strategy and implementation are two entirely different disciplines. To drive security management you don’t use a desktop support technician any more than you would a traditional project manager. What you do is wrap a budget around a solid plan and get on with the business of transforming culture, systems and processes from the top down. The security program needs to scale along with the ensuing change, so seasoned managers with a wide lens are just what the doctor ordered. If you have someone in your boardroom qualified to address its many facets, you’ve arrived. Otherwise, get a board-level advisor you can trust.
6. Security knowledge must not be compartmentalized nor monopolized
Knowledge transfer is a fancy term for the absolute necessity of learning something from every exercise. The well-worn cliché that an organization’s security is only as good as its weakest link is unfortunately true. Every employee and manager needs to be on board, and their training must be applied consistently across the workforce. Awareness, vigilance, accountability and authority are all notions that no security program can do without and no system can enforce. This is knowledge that comes from the outside and finds a home in every brain within the organization. It burrows and settles until the culture changes and, with it, the risk maturity level of the organization. Aim high.
7. Security doesn’t like politics
Here’s a good reason to outsource security advisory and even program management: politics. Internal dynamics can be vicious in organizations small and large. The real risk is that internal pressures take the focus off areas that need an intervention, water it down, or otherwise derail the deployment of a comprehensive approach to information risk management. This happens a lot with privacy initiatives, for instance, primarily because privacy has such a small footprint of authority in the organization. Delays, detours and deflections all work to erode the effectiveness of a sound risk management program. An outside risk advisor, on the other hand, has no stake in those dynamics and can remain unaffected by the friction. A risk advisor’s primary focus is always on the assets in scope, so an open dialogue with the highest levels of management is absolutely crucial. The rest will fall into place naturally.
8. Organization size is not important – risk maturity is
Many businesses assume, though they should know better, that security programs are the preserve of large enterprises. Large firms couldn’t do without big-name audit firms, but those providers are often there in name only (“nobody ever got fired for buying Big Blue”, as the saying goes). For in-depth capabilities on the many facets of risk management, one must look for risk advisors with subject matter expertise. Perhaps counterintuitively, the smaller the company, the more likely it is to lack the internal expertise to manage risk. Unfortunately, smaller companies also tend to have smaller boards of directors, and so lack the dialogue that should occupy board agendas on a frequent basis. Smaller organizations also tend to harbor a false sense of security of their own making, built on discredited approaches to data protection such as secrecy (security by obscurity) and a disproportionate reliance on often-misconfigured security products. By bringing in an expert, these organizations raise their risk maturity profile, spend their budgets where they count, and can deploy proven concepts such as defence-in-depth without delay.
Information security is a functional area that depends on perspective, specialization and standardization. Unless it is one of your organization’s core competencies, no matter how much of it you pick up, you won’t stay on top of it. Trust me, it’s all we do, all the time. Security management needs structure, discipline and real-world expertise. Find a model that works for you and plan it out, make sure you can afford it in the medium to long term, and work only with experts you absolutely trust with your most intimate business information and strategic details. Question whether the discomfort you feel is based on a need for control or on a theoretical breach of trust. One last important note: all security services should be delivered confidentially. Your business is not a prize to be flaunted, and your situation should not be dragged through the news with its lurid details exposed to the spotlight. Good security, however, may enhance the trust of your customers and grow your business, so be sure to always frame your investment and commitment in the proper context.
Contrary to popular belief, the reason for outsourcing security is not so you can have someone to blame. It is to engage a qualified professional whose passion and knowledge can be applied to the direct benefit of your organization. Don’t settle for wrongsourcing. Do your homework. Check qualifications and references. Choose an organization or professional you trust, and trust them. Trust, but don’t forget to verify.
Full disclosure: As Informatica’s principal Risk Advisor, the self-serving nature of this article isn’t lost on me, but given the sheer number of strategic mistakes I see every week, I thought it best that you heard it from me, because over the past 24 years, I have seen it all.