Lessons Learned in Managing Security Risk when Outsourcing Services

Posted: 10/14/2019 - 00:54
It seems that I have reached a point in my career where I have to acknowledge that I am not one of the young guys anymore. As I support my customers and assess the state of their Risk Management capabilities, I continue to find that I rarely see issues that I have not seen before. I guess that is the benefit of having worked in this field for a couple of decades. But it is also an indication that the lessons that are being learned in one segment of industry are not becoming common practice in other segments. It is important to point out that I consider the issues that I discuss here be COMMON practice, not BEST practice. 
When it comes to outsourcing, as we all know, there are multiple reasons to outsource services. Small companies and large companies outsource services because a) they simply do not have the core competency/skillset that is needed to perform the service properly, or b) the continued investment in infrastructure and staff to stay compliant in certain services (e.g. HR, finance) is significant, or c) some services are transient or niche, and therefore needed for only a short time, or d) some combination of other factors. When properly analyzed, choosing to outsource a service rather than keep it in-house can absolutely be a proper decision. But there are certain obligations that come along with outsourcing that are often forgotten. That leads to security issues. 
We have spent the better part of the last 20 years learning from our mistakes and oversights to establish a sound and comprehensive set of security controls and standards (see NIST 800-53, and ISO 27001/2), and we have created policies to articulate when to use these controls. Most of these controls are considered to be basic hygiene. But for some reason, many companies choose to cast them aside or act as if they do not exist when deciding to outsource services. In my career, I have actually experienced someone who stated that they outsourced a service “to avoid having to comply with our internal security policies”. Think about that. You have established minimum expectations for security controls when you install a system in your own environment. Why would anyone think those minimum expectations do not apply simply because you choose to outsource the service? It is still your service, why would your minimum expectations be any different? In fact, some would say that you have a fiduciary responsibility to make sure that your outsourced services do meet your existing policies and practices. I am one of those people. 
You remain accountable for any service that you choose to outsource. You are obligated to establish your minimum expectations and make sure your service providers know about them and are meeting them. And, here is the part that you may not want to hear: Every service that you outsource still requires some internal investment of resources for you to manage and monitor the service. Some of them require minimal resource investments, and others require significant resources to properly manage the service. Below are some misconceptions that are pretty common as services are outsourced. I highlight them here because correcting these issues is not terribly complicated.   
  • Internal Service Owners, when interacting with audit teams or risk assessment teams, are often asked to confirm that certain security controls are present. A frequent response is “We don’t know, our service provider does that for us.” Here are some of the problems with that statement:
    • You need to know. That is your service. Your service provider works for you. I have found that service providers will pay careful attention to what you tell them regarding service levels, and they will build and price a service to meet exactly what you say. If you leave something out, they will not include it, in an effort to remain competitive on cost. Security requirements are no different. If you do not explicitly state what you expect, it is reasonably certain that you will not get it. 
    • Many times, when a company says “…our service provider does all that for us.”, a small amount of investigation uncovers that the Service Provider DOESN’T do that, either because they haven’t been contracted to do it, or because it is simply something that a SP cannot do. Some actions must be performed by the outsourcer (e.g. user management). There is a major infrastructure service provider that I am aware of that does a very good job of providing guidance to their customers that clearly states “here are the things that we will do for you, here are the things that we CAN do for you if you choose to add optional services, and here are the things that you must do for yourself.” I have found that very few outsourcers have taken the time to read the third section. Those are the ones that say, “Our Service Provider does that for us,” even though the service provider has given them a document that states explicitly that they do not do those things. Auditors enjoy those situations. 
  • “Once I choose to outsource a service, and complete proper acceptance testing, it does not require ongoing monitoring to confirm proper performance.” Unfortunately, many companies outsource services in an attempt to reduce cost. That tends to cause companies to “set it and forget it.” They feel that investing additional resources in periodic assessments eats away at any cost savings that they were trying to achieve. My suggestion is that when you do the cost/benefit analysis when considering outsourcing, the cost of periodic assessment (annual or bi-annual) should be part of that analysis every single time. If you are unwilling to periodically confirm through observation of evidence that your service providers are performing adequately, you should reconsider whether outsourcing a service is the right thing. 
  • “My service provider knows this service better than I do, so I trust them to do it correctly.” It may be true that your service provider knows the details of the service better than you do (remember, you could be outsourcing simply because you to not have the core competency in a given service). But that is not a reason to leave these expectations unwritten. If you are not comfortable stating your security requirements, then require your service provider to explicitly tell you what their minimum security controls are. Most proactive service providers already have these things written down and will provide it to you. 
So, in summary, many security issues that pop up in outsourcing situations are due to lack of proper expectations. Avoid these common mistakes by doing the following: 
  • Explicitly state your security expectations. It is my observation that if you tell a service provider that something is required, they will do it, because they want to get paid.  
  • Read the service documents that your service providers give you. Good service providers will explicitly document what they commit to do, and what you must do for yourself. They do this to avoid litigation and delays in payment. Read those documents.
  • Educate your staff (And your board if necessary) to understand that when you outsource services, you still carry an obligation to manage and monitor the performance of those services. If you happen to have a service provider that isn’t attentive to meeting your requirements, they certainly aren’t going to point it out to you. You have to find it for yourself. 
If you fail to do these basic things, you will find that outsourcing services results in increases in complexity and increases in non-productive activities due to surprises. That means increases in leadership stress.  You do not outsource things to increase leadership stress.

About The Author

Dan Pinto's picture

Dan Pinto is President and Founder of RAC Partners Inc, a Risk Management consulting firm that has provided support to customers in the Pharmaceutical, Financial and Government sectors.  Mr. Pinto is a CISSP and CTPRP, and also serves as the President of the InfraGard Jacksonville Members Alliance, and as the Southeast Regional Coordinator for InfraGard National (www.infragard.org).  Prior to this Mr. Pinto served as a Director for Information Security at Johnson & Johnson in Raritan, NJ for 9 years, and spent 15 years working on multiple Information Security programs at the National Security Agency (NSA, in Fort Meade, MD.