September 28, 2016 12:43 pm | Updated 2 months ago.
Outsourcing of Information Security services
It is a common belief that, given the sharp rise in information-security-related breaches, the information security market is growing rapidly, especially in network-related cyber security. On the contrary, while companies in the right market segments, such as anti-virus software, are doing extremely well, most information security services, software and equipment vendors are going through tough times. This is because most CIOs treat the information security budget as discretionary spend, and in tough business situations they cut it back on the assumption that nothing bad will really happen, even though there may be a need to establish the most secure environment. This in turn leads to the external attacks and internal misdeeds that we see from time to time.
In D2E's opinion, it therefore makes a lot of sense for US companies to outsource parts of their information security services to competent offshore IT outsourcing services providers, so that these companies can provide their users with a highly secure environment at reasonable cost and without significant impact on the company's bottom line. We will now analyze which parts of information security services are more suitable for outsourcing to offshore IT outsourcing services vendors.
There are two aspects to information security: threats and vulnerabilities. Threats can come from sources internal to the company, or from external sources such as hackers, viruses, and even cyber terrorists. It is therefore necessary to analyze the vulnerability of the company's systems and processes to these threats before deciding what to outsource and whom to outsource it to. While the client may choose to outsource part or all of its information security functions to an offshore outsourcing partner, the client organization will still be accountable and held liable should the information security services be compromised.
It is therefore D2E's recommendation that the client organization first have a comprehensive set of policies, procedures and operational guidelines for information security before deciding what functions to outsource and whom to outsource them to. It is also recommended that only operations-related security functions like virtualization, security, identity and access management etc. are outsourced, rather than governance-related security functions (GRC). Further, the outsourcing needs to create value for the client organization. Outsourcing of forensic security services, for example, can significantly reduce the cost to the client organization of maintaining an expensive in-house team. A careful analysis of the security policies and procedures referred to above can bring out which services are the best candidates for outsourcing, giving maximum value at a manageable risk.
Having looked at some of the criteria for deciding what to outsource, let us take a brief look at the factors that need to be considered in deciding whom to outsource to. Clearly, the outsourcing partner needs to be reliable, competent and have a proven track record etc. In addition, the outsourcing partner needs to have competency in most of the state-of-the-art information security tools available in the market, so that it can put together a highly secure IT infrastructure with best-of-breed products and tools and manage it in a “Managed Security Services” model.
D2E's Offshore Outsourcing Aggregator platform has several specialty partners meeting the above criteria for outsourcing of IT security functions.