Who Should Outsource the ISO? Here's the Verdict.


Pressing regulations, daily cyber attacks, complex IT systems, outsourced services, too much to do and too little time to make it happen.

Unfortunately this is the new normal for executives and managers responsible for Information Security. Cyber attackers and their desire to steal from your organization won’t be going away in the foreseeable future. Nor will regulations intended to protect consumers.

Most IT Managers get saddled with the role of Information Security Officer (ISO) because of their technical knowledge. But this creates a conflict of interest. IT people live to get packets from point A to point B and keep systems running. Information security, by contrast, should let the business move faster and compete harder without raising risk to an unacceptable level, and that mindset is often at odds with day-to-day operational IT. Finding a person who can operate in both camps at once is very rare. In my 19 years in IT, and 16 in security specifically, I can only think of a handful.

Many of our security partners (aka clients) have shifted the ISO function out from under Information Technology, and into a separate reporting chain such as the Chief Risk Officer or Chief Financial Officer, depending on the type of organization. Organizations that don’t have a full-time ISO who can function independently are stuck somewhere in the middle of this paradox.

Making the situation worse is the scarcity of high-quality talent in the Information Security field, which drives up costs. Most small and medium-sized organizations face the same cybersecurity challenges (regulations, fear of data breaches, complex IT environments, etc.) as their larger counterparts, but lack the financial ability to hire a full-time Information Security Officer. Organizations need security expertise but often can't afford it.

Enter the outsourced ISO. This is a person who offers cybersecurity expertise for a fraction of what a full-time employee would cost. The problem is you only get a fraction of that person’s time and it still isn’t cheap. The scarcity problem and higher costs also exist in the consulting world.

As demands for cybersecurity increase and budgets fail to keep pace, hiring an outsourced ISO is becoming more popular. With common services like quarterly onsite visits, policy development, training programs, and Board presentations all backed by the company providing the ISO, the package can be appealing for some organizations.


One of the biggest gaps in outsourcing anything is a lack of cultural integration. Without the normal hallway discussions, ad hoc meetings, and daily interactions with IT and other business functions, it is difficult to stay informed enough to make good decisions. It may also be harder to reach the person during an emergency. A full-time employee can be pulled out of meetings easily (though not always out of vacation), whereas a consultant may be engaged with another client. Make sure your agreement outlines contingency plans for when the primary ISO is not available. Last but not least, the lack of personal relationships may slow communication and reduce cooperation among business units.


The most obvious benefit is gaining high-level expertise at a lower cost. If the ISO represents a company, you also get backend support for specific issues and, in a sense, additional expertise at no additional cost. Best practices can also be carried from one organization to another, creating a multiplying effect. Possibly the most overlooked benefit is an objective viewpoint. Without corporate politics clouding decisions, security can be architected in the most effective way possible.

Some of the downsides can be alleviated by building the ISO's knowledge of your environment around a cybersecurity risk assessment and focusing on world-class service (disclaimer: Rivial provides both). But the decision to hire an outsourced ISO is still not an easy one to make.

One of the major problems behind the steady stream of data breaches is that being compliant is not the same as being secure. Checking the compliance box is like passing a driver's license test: you can operate a vehicle, but you may still be a horrible and dangerous driver. Putting on makeup, texting while driving, drinking and driving, changing diapers… yes, I witnessed such a feat many years ago and still talk about it today… can all lead to bad driving even though the basic skills are in place. Similarly, having the pieces and parts to be marked as compliant won't necessarily protect you from an attack. A trained and experienced security guru can lead you through the maze of compliance and security.

The verdict:

If you can afford to hire a full-time ISO, do it. The benefits of in-house cybersecurity expertise may be difficult to see. But having helped various organizations through data breaches and other disaster scenarios, I can tell you the insurance and disaster avoidance an ISO can provide are priceless. If you can't afford a full-time ISO, spend a few hours researching an outsourced ISO. You may be surprised at the value you get per dollar spent. If you cannot afford either but managed to find the one-in-ten-thousand IT Manager who can run daily operations AND implement a solid cybersecurity program, thank your lucky stars and give that person a raise.