Considering the flexible co-sourced arrangement.

Many businesses have, at some point, used a third-party services provider either to carry out part of their cyber security arrangements or to supply skills. Often the relationship works well, but when it goes wrong, or fails to deliver the expected results, it becomes a challenge for the CIO, who has to explain to the Board why the money spent buying in resources has not delivered the required benefits.

There are many reasons why businesses should consider flexible co-sourced arrangements, and many benefits that consulting resources can bring. As I have highlighted in a previous blog, when it comes to maximising your cyber resources you can choose from a spectrum ranging from full-time employees (a vital resource, but the least flexible) through to co-sourcing.

Choosing from The Spectrum

Some useful questions that CIOs and IT departments should be asking include: Is the function in question a core competency? Will it remain one in the short to medium term? Do you need this function performed only for a set period of time? Be cautious when answering this last question, because a "Yes" can become a "No" after a period of time.

Do you know when the start and stop points are? Are you looking at resourcing options because of a bandwidth constraint? Are the resources only available in a certain format (e.g. consultancy, outsourcing or co-sourcing)? Is the function clearly defined? Do you need the ability to flex up and flex down?

Should you be considering a technology solution to magnify your existing resources and reduce this need, or to backfill existing resources so that they can perform the task?

Selecting a Co-Sourcing Partner

Be proactive in creating a deal principles document: a list of the needs, criteria, requirements and budget that your organisation has for this function. Talk to more than one potential vendor, and make sure that you consider cultural fit as part of your criteria.

The key point is that flex-up and flex-down capacity should be written into your requirements.

Take input from your short-listed potential partners: how might they help you refine your criteria and requirements to best meet your needs? A good co-sourcing partner will be happy to work with you on a flexible basis to assess the fit, to make the adjustments needed for a successful partnership, and to continually improve.

What Should Stay Internal?

Know your organisation's core business. Knowing what your organisation's core business is allows you to answer this question most effectively, but as a rule you shouldn't be looking to external partners to provide core functions other than on a temporary and tactical basis. If you do need to, then the partner and the service provision must be well managed. So which security functions work well when co-sourced?

Functions to Co-Source

First, let's consider the tactical option: how to improve your cyber security quickly. Perform a security assessment to act as a benchmark and to provide focus for your continual improvement. I recommend that every organisation do this; it tells you where your organisation is stronger and where there is room for improvement.

Another choice is to test security plans: 45%* of companies said they didn't have the time or ability to do this well.
Regular testing of the escalation policy and incident response processes is critical, yet 31% of companies have either never tested their processes or last tested them more than a year ago.

Having written security policies in place, and having tested them, is very important but often overlooked: only 26%* of organisations have a formal policy that is tested and reviewed annually.

Strategic – Continual Improvement

Implementing a security framework (ISO 27001, the NIST Cybersecurity Framework, COBIT, etc.) will help your organisation demonstrate its commitment to stakeholders, be they clients, the Board, investors, or all of these. Working with a co-sourcing partner to implement a framework will not only improve your organisation's information security and cyber security, but will also allow it to demonstrate the progress it is making.

Cyber security and information security don't stand still (the bad guys aren't sleeping), which makes a security-oriented continual improvement process an effective way of improving your organisation's security function, whatever the starting point.

As I discussed in an earlier blog in this series, many organisations don't have the bandwidth to undertake all of their security functions (64% of Fifth Step engagements are bandwidth-oriented). This includes some of the most important roles in your organisation's security function: the CISO (Chief Information Security Officer) and SO (Security Officer) roles. Implementing these as a flexible service with your co-sourcing partner can augment your existing capability, provide vital external knowledge and a view of what is going on in the market, and ensure the bandwidth is there to get the job done.

* Statistics from the SC Magazine MarketFocus, May 2016: Co-Sourcing SIEM

Darren Wray