How to manage organizational risk
There isn't an enterprise on earth that wants to find itself in the middle of a SolarWinds-like hack. It's a mess that has left CIOs and CISOs rethinking their third-party relationships and organizational risk mitigation strategies. The challenge is how to continue to take advantage of the many benefits of outsourced relationships while also shoring up and protecting your business and IT vulnerabilities.
The benefits of outsourcing services are compelling: It can be cost efficient, and it can help with security and compliance while providing 24/7 monitoring and increased IT team expertise. Of all these pluses, Curtis Franklin, a senior analyst at Omdia, an Informa Tech IT research and consultancy firm, says that adding expertise or simply having expertise available is generally the primary reason enterprises outsource. "Many need to do this because they simply cannot get the expertise they need either at an affordable price or at all," he says.
This plays heavily into better security. If an enterprise doesn't have access to solid expertise, it needs to outsource talent and services.
Do these benefits outweigh operational and transaction risks? Risks to business continuity, compliance, and data confidentiality? Franklin thinks so. "These are all valid, but they are in the context of any third-party risk. Oddly enough, the one that I never hear talked about is the risk to data confidentiality. People have a touching degree of trust in their third-party security partners. It's right up there with a child-like belief in Santa Claus."
Simon Leech, a senior adviser in the worldwide security, risk, and compliance practice at HPE GreenLake Cloud Services, cautions you can't outsource organizational risk. If your public cloud provider gets breached, for instance, there will likely be language in the cloud service-level agreement that nullifies responsibility at the point of the breach. It won't matter if the provider pays you nominal compensation; it's your customer's data that was compromised. "At the end of the day, it's still your reputation that's on the line," he says.
Franklin hasn't seen any major security breach happen yet in his research and consulting business, but he stresses it's a reasonable fear, especially after the SolarWinds attack. "SolarWinds was the definition of a trusted partner," Franklin says. "Just look at who their client list was. A lot of companies are scrambling to their FAIR framework to adjust the numbers on the likelihood of an incident because of this."
Put out by the FAIR Institute, FAIR (factor analysis of information risk) is a cyber-risk framework that's become the leading quantitative model of cybersecurity, information, and operational risk. The framework assigns a score to the likelihood of an event occurring and the severity of the consequences. Franklin says several companies, including SolarWinds, knew that if they got breached, the consequences could be severe because of insights and access to data. "People just assigned the risk of the likelihood at something close to zero," he says. "And that's why so many organizations were caught completely off guard."
How many layers do CIOs have to analyze and consider when determining what the risk of the relationship is? Franklin recommends going as deep as you can. On the other hand, he acknowledges that practicality dictates there are limits to how many levels down you can go. For example, say you have a managed security service provider. You probably are going to ask it which software it's using to provide the service. Is that enough, or should you then go to each of those software vendors to discover which components each is using in its software? Will they share which open source libraries they're building with, and so on? This is where you start getting down into three, four, five layers.
How many layers can you afford to examine closely? According to Franklin, "In most cases, the answer is going to be just a couple." For companies relying on a service provider, it's important to know that its third-party vendors take this seriously and are doing due diligence on at least a couple of layers of their suppliers. Basically, it boils down to, "We will put our reputation behind the services we use to provide you a service."
Can you outsource too much?
The answer is, it depends.
Practically speaking, it's a function of company size. Franklin points out: "A large Fortune 1000 company is typically going to be much more in-house because they have a cyber footprint big enough to keep a team vision. And to their minds, they require the consistent internal focus on dealing with defending against threats, responding to intrusions, doing the forensics on things that happen."
However, there's an emerging trend even among large organizations of migrating to a hybrid security operations center (SOC) model. They recognize that some activities are best dealt with by an organization that sees lots of events spread across the globe, rather than just through one company's lens. It makes sense, especially for security, to have as much visibility as possible.
If an enterprise is concerned about being in anyone else's control, there are ways to do consumption on demand and deploy managed services without giving up control of the actual data. Enterprises can build that infrastructure on their own premises or in a colocated data center so that they're never giving up control. Their data never resides on the same hardware as somebody else's business, which is what they have with most shared services situations.
"From that perspective, they get an alternative to risk or to public cloud risk, with the same cloud experience, including the whole concept of cost control and pay for what you use, along with being able to expand elastically and contract again, as necessary," says Leech.
Building an outsourcing strategy
The availability of almost everything as a service offers some very real opportunities for cost savings and security improvement. The bad news is that building a strategy requires some sophisticated economic and risk analysis. "This is where CIOs earn their money," says Franklin.
It comes down to calculating the potential financial risk of an incident versus how much it costs to reduce that risk to an acceptable level, similar to how insurance policies work. These are all things that are cost effective and typically invisible right up until the moment they aren't.
"The challenge you will often see with a public cloud provider is that they make their SLAs fairly nonspecific," says Leech. "They've always got a kind of a 'get out of jail free' card, as it were. They obviously don't want to have to pay any performance credits if they're not meeting particular KPIs. It's the same thing but from a risk perspective."
The good news is there are some models and frameworks, like that from the FAIR Institute, that help even less experienced CIOs make these calculations.
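To make the FAIR-style calculation described above concrete (likelihood and severity scored, then weighed against the cost of reducing the risk, as in the insurance analogy), here is an added example that is not from the article or the FAIR Institute. It assumes FAIR's factoring of loss event frequency into threat event frequency and vulnerability, uses a PERT mean to turn three-point ranges into point estimates, and every dollar figure and probability in it is constructed for illustration.

```python
"""FAIR-style expected-loss calculation for a supplier-breach scenario.

Added example, not the article's or the FAIR Institute's own code. The PERT-mean
shortcut and all numbers below are constructed assumptions for illustration.
"""
from dataclasses import dataclass


def pert_mean(low: float, likely: float, high: float) -> float:
    """Point estimate from a (min, most likely, max) range (assumed shortcut)."""
    return (low + 4 * likely + high) / 6


@dataclass
class Scenario:
    """One loss scenario, e.g. a trusted supplier is compromised and its access abused."""
    name: str
    threat_event_freq: tuple  # attempts per year as (min, likely, max)
    vulnerability: float      # probability an attempt becomes a loss event, 0..1
    loss_magnitude: tuple     # dollars per loss event as (min, likely, max)

    def loss_event_freq(self) -> float:
        # FAIR: loss event frequency = threat event frequency x vulnerability
        return pert_mean(*self.threat_event_freq) * self.vulnerability

    def annualized_loss(self) -> float:
        # Risk = loss event frequency x loss magnitude (expected loss per year)
        return self.loss_event_freq() * pert_mean(*self.loss_magnitude)


def control_value(baseline: Scenario, with_control: Scenario, annual_cost: float) -> dict:
    """Insurance-style comparison: risk removed by a control versus what it costs."""
    reduction = baseline.annualized_loss() - with_control.annualized_loss()
    return {"risk_reduction": reduction,
            "net_benefit": reduction - annual_cost,
            "worth_it": reduction > annual_cost}


def supplier_breach_example() -> dict:
    """Same loss magnitude; only the likelihood estimate changes (constructed values)."""
    loss = (200_000, 1_000_000, 5_000_000)
    attempts = (1, 2, 4)
    optimistic = Scenario("supplier breach, likelihood ~0", attempts, 0.01, loss)
    realistic = Scenario("supplier breach, likelihood revisited", attempts, 0.25, loss)
    # Hypothetical control: vendor due diligence plus least-privilege supplier access.
    controlled = Scenario("supplier breach with controls", attempts, 0.10, loss)
    return {"optimistic_ale": optimistic.annualized_loss(),
            "realistic_ale": realistic.annualized_loss(),
            "control": control_value(realistic, controlled, annual_cost=150_000)}
```

Revisiting the likelihood from 1% to 25% multiplies the expected annual loss by 25 without any change to the severity estimate, which is the gap Franklin describes; the control comparison then shows whether spending on mitigation beats carrying that residual risk.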
Of course, not all third-party relationships work out. It pays to have read the fine print during your due diligence period prior to inking the contract. If a predecessor brought the company into the contract, carefully examine existing contracts as part of your company familiarization process. It always makes sense to own as much of the data regarding your company as possible. Franklin warns, "If you have all kinds of historical data regarding network activity and historical forensics that belongs to your supplier or your service provider, then it makes a transition much more difficult."
Franklin expects the hybrid SOC model is going to become the default. "There are very few companies that will keep things entirely in house," he says. "The vast majority are going to have a hybrid model where there are certain aspects of their security operation that they outsource in order to get what they see as the best service. Whether it's the best execution on a particular functionality, or weeding out the tier-one garbage, or doing truly in-depth forensics after a major intrusion."
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.