5 Considerations to make when choosing to outsource your security program
Show Notes: https://justinfimlaid.com/5-considerations-when-outsourcing-security/

Sponsor: https://nuharborsecurity.com

Contact Me: https://justinfimlaid.com/contact-me/

Twitter: @justinfimlaid

LinkedIn: https://www.linkedin.com/in/jfimlaid/
5 Considerations When Outsourcing Security
I bumped into a couple folks struggling to find security talent and are looking to outsource part of their security program.  The question this week is, we need to find a trusted security partner – how do I decide what to outsource?

First things first, when deciding what to outsource its important to understand your security program and what you're trying to achieve by outsourcing.

Now – if your desire is to outsource everything, and you know the goals of outsourcing then this part is easy and the hard part is finding the right security outsourcing partner.

If your desire is to outsource part of your program – then your security outsourcing objective should follow your strategic plan and look to mitigate the risk hard to staff functions.  For example, some security disciplines take a long time to train, such as penetration testing. It's real easy to run a scan but actually conduct penetration testing is an art. It's a challenge to train a penetration tester or penetration testing team in house most organizations do not have this need to and can't justify the human expenditure of a full-time tester with part-time penetration needs.  If this is your case, whether penetration testing or other hard to train or specialty functions it might make sense to outsource this.
My Take
When I was industry, and I thought about outsourcing my security program, I always broke it down to two components – what I need to control and what saves me time.

I would identify what parts of my program I need to tightly control quality or I have tight time deadlines.  I would then look to develop in house talent to fulfill this need so I could tightly control timelines and quality.
Any part of my program that was part-time, required a very specialized skill set, or I could relinquish control and still be successful I would outsource.

Here's 5 other things to consider when outsourcing:

Do you need to control a core competency?  One example might be, If you're leading security in a software development shop it makes a lot of sense to in source code scans and web app testing, but you can probably outsource your need for forensics.
Does you program have intellectual property.  I would tread carefully if this is the case and keep control your security architecture.  In some countries 90% of software is pirated and  lifting IP is an expectation.
Does you program require dedicated knowledge of a specific technology? If so, Don’t count on outsourcing.
Are you trying to reduce costs? If you're program requires travel, extra project management, bench capacity of one security function, it might make sense to outsource part of your security program.
Does your program require a lot of creativity?  Don't outsource the thinking, outsource the operational and execution part that make the creative pieces successful.