Does outsourcing information security make business sense?

in #business, 7 years ago


Think about it like this: Today, there are millions of smartphones, internet users, connected devices, and the number is just increasing by the hour. There is a historic shift in the way digital is becoming a part of our lives – from digital payments, to the way we shop or even interact with each other.

Fueled by technologies such as Artificial Intelligence (AI), Cloud, Internet of Things (IoT) and Blockchain – this new era of digitization is producing data at a rate that outstrips human capacity to understand the meaning and value hidden within it. In such a scenario, it becomes even more vital for organizations to secure their information while still providing the best user experience. This leaves a CISO with a tough job.

“Outsourcing is a requirement today. The trained manpower availability is less, so I am left with no choice but to go for outsourcing. Regulators are also permitting us to use outsourced organizations. Only one thing: there need to be very tight laws to control the outsourcing agency. As long as the agreements and the laws are in place, outsourcing is not a threat,” says Captain Sanjay Joshi, Deputy General Manager and Chief Security Officer, Bank of Baroda.

There is a huge shortage of security professionals in the industry. This is further compounded by the scarcity of cyber security practitioners who are skilled in both current best practices and the latest tools. A number of experts do feel that outsourcing security functions can be one of the ways to deal with the situation.

“A chief information security officer (CISO) can focus on risk closely to see whether countermeasures help them mitigate the risk or how different risks can cascade to create a huge security challenge for the organization. The CISO role is that of decision making and, more often than not, taking the right decisions, and needs to have the right balance between instincts and intelligence,” says Kalpesh Doshi, Chief Information Security Officer, APAC, Group IT, Capgemini Technology Service India Limited.

However, a large part of the question remains how to go about selecting third-party vendors and outsourcing agencies that do not hamper the functioning of an organization.

“It has to be given to a very big and reputed company. We cannot just go for a company which is small or a fly-by-night operator, no matter whether he paints a glorified picture. He can paint a rosy picture that he can do this, he can do that. But no, I am not interested. I am interested in a very big organization which is in this business, which is stabilized, and has a large turnover. I must have a customer service provider who is at that level. I cannot go for a small-time service provider. So, outsourcing, if you ask, I will say, yes, we are doing it, but only with a service provider who is capable of handling this kind of a large organization,” adds Captain Joshi.

There is also a school of thought according to which the most effective approach is for organizations to opt for a hybrid model: they retain the overall risk and governance function within the organization while assigning other functions to an outside agency. Proponents say this is critical because no outsider or third party would be able to understand an organization’s culture, business priorities, and appetite for risk in this rapidly evolving IT landscape.

“However, services like tools, security operations, incident investigations, network monitoring, VA, PT, application security testing, etc. can be outsourced. There are a variety of skills that come into play to manage this for an organization and hence it would turn out to be an economically wise decision to outsource such services,” adds Kalpesh.