Last week, we analyzed the value and level of threat among the data your organization processes. The analysis allowed you to determine how susceptible this data and therefore, your business could be to a cyberattack. This crucial exercise completed phase 1 of building a cybersecurity strategy:
Phase 2 begins with building a solid foundation for your cybersecurity strategy that, when finished, will best fit your organizational needs.
A solid foundation rests on determining whether to:
- Keep all cybersecurity in-house
- Outsource all cybersecurity efforts
- Hybrid—keep some facets internal and outsource others
To determine which is best for your organization, let’s briefly identify the components of a well-thought out, qualitative cybersecurity strategy.
The 7 Characteristics of a Cybersecurity Strategy
Understanding what manufactures a qualitative and sufficient cybersecurity strategy is essential before you can accurately assess if in-house, outsourcing, or a hybrid approach is the best fit for your organization’s needs.
The National Institute of Standards and Technology (NIST) released “Special Publication 800-181: National Initiative for Cybersecurity Education (NICE): Cybersecurity Workforce Framework” this month. This strategy framework is quickly picking up traction in the world of cybersecurity, and with its in-depth delineation of cyberinfrastructure, it’s on track to becoming the go-to standard among cyber strategists.
Within the NICE framework, NIST sheds light on the seven characteristics that every effective cybersecurity strategy must incorporate:
Securely Provision (SP): Conceptualizes, designs, procures, and/or builds secure information technology (IT) systems, with responsibility for aspects of system and/or network development.
Operate and Maintain (OM): Provides the support, administration, and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security.
Oversee and Govern (OV): Provides leadership, management, direction, or development and advocacy so the organization may effectively conduct cybersecurity work.
Protect and Defend (PR): Identifies, analyzes, and mitigates threats to internal information technology (IT) systems and/or networks
Analyze (AN): Performs highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence
Collect and Operate (CO): Provides specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence.
Investigate (IN): Investigates cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence.
Each of these seven characteristics has numerous “specialty areas.” Additionally, each “specialty area” is comprised of multiple work roles and competencies. Is your head spinning yet?
Needless to say, as threats evolve and quantify, defending an organization becomes a growingly complex and costly endeavor. In recent years, many small-medium organizations have increasingly outsourced their cybersecurity efforts to third-party vendors. This is an understandably attractive option, as building out an entire in-house cybersecurity strategy can be quite a daunting task.
In-House vs Outsource Cybersecurity
While you can outsource your entire cybersecurity strategy… we don’t recommend it.
Specifically, the “Oversee and Govern (OV)” characteristic of your cybersecurity strategy requires broad-scale thought and should be considered in tandem with other facets of your organization. If you outsource this characteristic, you’re leaving cybersecurity to operate in a vacuum.
And it’s not just us… The Cloud Security Alliance (CSA) also recommends keeping “governance and compliance” in-house.
Regardless of whether you heed this advice, six (or seven) characteristics remain on the “potential to outsource” table. So how do you decide what to keep in-house vs outsource?
4 Factors to Consider:
The choice to outsource some—or all—your cybersecurity efforts is a decision only you and your organization’s decision makers can make… however, regardless of which and how many characteristics you’re considering, you should entertain these four factors:
Cost. How much will outsourcing this characteristic and all (or perhaps some) of its specialty areas cost? When outsourcing, you eliminate overhead costs such as employee wages, maintenance, office space, machine and systems upgrades, etc. Do these costs outweigh that of what you would pay a Managed Security Service Provider (MSSP) or other third-party provider?
Time. Building out a cybersecurity strategy takes time and commitment. Finding a third-party vendor requires due diligence, but can be a much less time-consuming task than building the infrastructure yourself. NIST’s “Cybersecurity Workforce Development Toolkit,” describes what goes into building, manufacturing, and implementing various characteristics and facets of an effective cybersecurity strategy’s infrastructure. Do you have the time and man-power to build out the characteristic you’re analyzing?
Vulnerability (risk). We can’t stress this one enough. Determining how vulnerable you are to cyberattacks is a huge factor in determining whether to outsource a characteristic of your cybersecurity strategy. If cybercriminals are hungry for information embedded in your data, you’ll want to ensure it’s protected with enhanced and effective security measures, whether internally or externally. Obviously, the higher the vulnerability, the more resources you’ll want to utilize in defending that data. Not sure how vulnerable some of your data is? Use our previous post to find out!
Security. When you hand the keys over to a third-party vendor, you’re giving them access to your sensitive data. Be extremely cautious and mindful of your data’s sensitivity before deciding whether to entrust your security to a third-party. After all, third-party cybersecurity vendors aren’t exempt from breaches… If your security provider is hacked, you’ve been hacked.
What to Ask Your Third-Party Vendor:
You can outsource delivery of security services, but you can’t outsource accountability.
At the end of the day, it’s you who answers to your consumers and stakeholders, not a contracted third-party.
Regardless of what you intend to outsource, ensuring your consumers’ and stakeholders’ data is secured is your organization’s responsibility. As a result, you should place careful and thoughtful scrutiny to the third-party cybersecurity vendor(s) you place your trust in. Think of the third-party vendor selection process as you would interviewing candidates for employment. While you may not be able to sit face-to-face with a vendor’s representative, you should conduct independent research and inquire when necessary to uncover the answers to the following considerations:
- What are their audit requirements?
- What kind of experience, qualifications, expertise and ability do they have on their team?
- What’s the vendor’s business reputation? Do they have references that can speak to their abilities?
- Is there a concrete, systemic strategy to their defense efforts?
- What other parties and contractors do they utilize and are they up-to-date with current regulations and expert recommendations (such as advisements issued by NIST)? If they’re an offshore vendor, or if they contract services offshore, look into what regulatory and independent parameters the offshore provider adheres to… other countries don’t always have the same security regulations as the U.S.)
- What internal controls and security provisions are utilized?
- Do they offer insurance coverage?
- What level of responsibility is incurred should there be a breach?
- What background checks are used in their employment process?
We hope by now, you and your team have a better idea of which, if any, characteristics you choose to outsource. Keeping efforts in-house may take more legwork, but can certainly be the logical choice depending on your size, industry, and the sensitivity of your data!
Keeping efforts in-house will require your IT and OT to employ and implement defense strategies to safeguard your data. Even if you choose to outsource facets of your strategy, your organization can employ certain safeguards and strategies to keep your information secure… we’ll talk more about this in our next post!