Outsourcing your security function is incredibly valuable for companies without the size or resources to sustain a dedicated in-house function. Having a dedicated SOC monitoring systems and providing incident response capabilities 24/7 is an expensive proposition when it serves only a single company, so handing it over to an IT Security Services provider is obviously an attractive option.
Maintaining the relationship
What’s important is to understand exactly what is being handed over and to maintain the relationship with the provider. Too often a company will outsource its security monitoring and operations function and wash its hands of it, without establishing meaningful metrics that allow it to evaluate whether the relationship is working, or where there may be gaps.
In a perfect world the provider would be able to help with this, but it’s important to note that while their concern is customers’ security in general, it is usually the security of many customers at once. The outsourced SOC works through economies of scale, but those same economies can mean that individual customers do not have their unique threat profile and risk appetite considered when setting metrics.
It’s all about the metrics
It really is all about those metrics. Peter Drucker said that what gets measured gets managed, and he was absolutely right. The problem is that security does not provide a simple metric for performance. Over the years I’ve seen a number of metrics which are actively harmful, ranging from the number of critical incidents reported, which discourages reporting and encourages setting lower priorities, to uptime metrics that prevent urgent actions being taken when a breach is in progress.
Often any metrics set by either party are at best a compromise, not through any inherent fault but because each party’s perspective of the relationship is limited to its own motivations. A customer is perfectly justified in saying that they want no security incidents, and so will have a metric aimed at keeping the number of incidents low. Equally, a supplier may want to demonstrate value, and so propose a metric of reported incidents handled within a certain length of time. Neither of these does anything to genuinely improve the security posture of the client, and both can have unintended and negative consequences.
An outside perspective
A relationship with an IT Services Supplier can be an incredibly powerful thing, but as with any long-distance relationship there can be difficulties, and it is often worth bringing in an outside perspective to help mediate, to take an independent view of any difficulties, and to make sure that all parties involved are clear about what they want out of it. Consider getting an outside view when you are having difficulties with a supplier; often the cause is differing perspectives on priorities and miscommunication rather than any fundamental flaw or wrongdoing by either party.