Which security function would you outsource?
Date: 24 March 2020
If you could outsource one security function – which one would it be?
Outsourcing has become vital to the success of any business and its efficient and cost-effective functioning today. However, when it comes to outsourcing in the world of IT Security, it’s not always an easy decision to make. Factors such as confidentiality of data and the nature of risks makes cybersecurity outsourcing a tricky space to be in.
We, therefore, asked some of India’s leading IT Security experts about their take on the subject and if they had to outsource just one cybersecurity function which one that would be. At the recent Wisdom of Crowds event, organised by Cyber Management Alliance, in Bengaluru’s swanky Sheraton Grand Brigade, India’s leading minds in the IT and cybersecurity space offered their nuanced inputs on the subject.
Unlike many other questions about the best way to manage an organisation’s cyber risk and response, in case of outsourcing, there was a resounding consensus. All those we spoke to agreed that outsourcing is absolutely essential for the modern, cyber-resilient business, simply because the global threat landscape is so vast and the logs generated by even the smallest business can get so overwhelming that it can be absolutely ineffective to try and manage all of it in-house.
“As an individual organisation can have only a limited scope and threat landscape,” explained Phani Krishna Sunkaranam, Infosec & Data Privacy, Trianz Holdings said, “it can be highly beneficial to outsource threat intelligence because you cannot generate adequate intelligence on your own.” He added that the world outside has a vast threat landscape and multiple environments which get all kinds of attacks. So, by being aware of those threats, one can avoid one’s own zero-day events.
Corroborating this view, Balasubramaniam Narayanan, CISO, Cloudnine Group of Hospitals said, “It is always better to have a lean team and wherever a service can be outsourced and effectively monitored, one should opt for the same.” He said the SOC or SIEM are areas that he’d like to outsource as the logs produced are just too large in number and it wouldn’t make sense to allocate an in-house resource for that function when it can be handled much better by a specialized vendor.
Sachin Jain, VP Global Technology, JP Morgan Services and Nikunj Desai, Director, Cybersecurity, Microland Ltd, agreed that Vulnerability Assessment and Continuous Scanning are two functions that should ideally be outsourced. “A lot of alerts come and it’s very difficult to manage and process them manually and find out what the real danger is. So, it’s best to leverage the special skills of outsourced vendors so they can apply predictive analysis and machine learning capabilities. They can tell me about what exposure I have and how I can proactively take steps to prevent attacks,” said Jain.
Desai added, “Vulnerability assessment and penetration testing requires a certain kind of skill and infrastructure and if it is outsourced, it can be done in a much better way.”
Elaborating further, Satyavathi Divadar, Director of Cybersecurity, News Corp, “In Security monitoring, Triage L1 should be outsourced because it’s a 24X7 process but investigation, application, what is the impact on the business and the business unit and is it a false positive etc. – these decisions cannot be left to an outsourced vendor.”
Apart from vulnerability scans and penetration testing, which she also enlisted as the key functions that can be easily outsourced, forensics is a crucial area to consider for outsourcing due to skill scarcity, believes Divadar. “You don’t have to do forensics unless it is required so there’s no point maintaining talent for forensics throughout the year, especially for smaller organisations. However, in forensics, a lot of confidentiality is involved so it should be seen more as partnering than outsourcing,” she explained.
Nisha Kesavan, Vice President, Group IT Strategy & Transformation, Deutsche Bank, however, had a new perspective to offer. She spoke about the ‘tools’ which one uses as a key element to be delegated to an outside vendor. “There are experts who do that (make tools) and it’s about putting your trust in the right place. How I manage the tool is up to me but the tool itself is something that I would definitely seek out help for.”
Are you looking for more such sought-after but rare-to-find insights, straight from the experts? Watch more videos from our Bengaluru Wisdom of Crowds event here. For more information on future Wisdom of Crowds events, sponsorship opportunities or participation in a Wisdom of Crowds event, contact firstname.lastname@example.org or contact us today.
For more information on Cyber Management Alliance, our GCHQ-Certified CIPR training and other courses, webinars, Wisdom of Crowds live events, and our Insights with Cyber Leaders series of executive interviews, click here or contact us today.Subscribe to the Cyber Management Alliance YouTube channel for more insights and interviews from leading cybersecurity executives across the world!