

How 2020 Presidential Candidates Can Guard Against Cyberattacks

The 2016 presidential election witnessed unprecedented Russian cyberattacks and disinformation campaigns designed to disrupt the U.S. electoral system by influencing public opinion. The Russian goal is to destabilize the U.S. through ideological activism, advancing their interests and furthering their political agenda. Their methods compromised the computer systems of candidates and political parties, and the exfiltrated data was used to spread disinformation and influence the presidential election.

On January 6, 2017, the U.S. Director of National Intelligence released a declassified report, “Assessing Russian Activities and Intentions in Recent U.S. Elections.” According to the report, Vladimir Putin ordered a massive campaign orchestrating attacks on multiple fronts that ranged from spreading pro-Trump propaganda on social media to hacking the Democratic National Committee (DNC). Their methods resulted in massive data breaches within the DNC that included access to John Podesta's email f…

Information Security Outsourcing – A CISO’s Perspective

In several of my projects I often run into organizations with challenging constraints involving technology, manpower or an inadequate budget that prevent them from implementing a sound security program. In these situations I question a company’s dedication and resolve directly with its leadership to right the ship. Hearing excuse after excuse, I push them to come clean so we all know the exact issues to face and can move forward. The reasons are often financial inability, denial, biased opinions or a deliberate hiding of the reasons.

In one instance, I worked with a company that did not have formalized corporate governance, let alone technology governance. Of course, my concern was how the security program I put together would uphold a critical aspect of the big-picture corporate governance. How could I implement my efforts in the organization, an undocumented governance vacuum, and make them enforceable? On top of that, where the rubber meets the road, how do I make the business architecture align with the technological architecture in a harmonious way? If corporate governance is lacking, what makes anyone in the organization abide by corporate laws, and who would care about security policies and procedures in the first place? It became apparent they were asking the CISO to be the CEO, COO, CFO and CIO and put it all together for them; now there’s a pretentious conflict of interest if I have ever heard one, and it’s already adventurous enough reporting to the CIO most of the time. So with this particular client, one had to wear many hats and force it to fit in order to move forward.

CISOs going into organizations often face a resource challenge that, because of the economic or political climate, prohibits them from executing security in the proper fashion; in other words, they are made to do more with less. Finding innovative ways to squeeze blood out of a turnip is the challenge, and an extremely difficult one with legions of cybercriminals at the doorstep.

Is outsourcing security an option? The idea of handing control of security to an outside firm paid to maintain security infrastructure operations, monitor for attacks, manage access, run data loss prevention, perform vulnerability scans, collect logs or update security software for employees is controversial, and for good reasons, which I will discuss.

Aligning the Business Challenges

Not all CISOs have a discretionary budget to run their own departments, yet those who do, regardless of their particular reporting structure, need to deal with what they have to minimize the organization’s risks. Those that do not have an operating budget must work closely and partner with the CIO, which is typical among many companies today (yes, that is very short-sighted, but it is the reality the CISO needs to deal with), to identify where the budget will be spent with regard to security.

Information security is not easily outsourced because it permeates an entire organization; it is not like other resources a company has successfully outsourced in the past. Information security outsourcing cannot be compared with the outsourcing of logistics, accounting, legal services, advertising, information technology or the procurement of raw materials and components.

From the start, the key components of any security program are corporate governance, risk, and compliance. Without these crucial components, information security can never function, and that is the fundamental reason they cannot be outsourced. The technology stacks can be outsourced provided strict controls are in place that guarantee the vendors uphold the three key components. Therefore, a CISO needs to understand the political landscape and use it to his/her advantage, whether relying on a reliable staff with the necessary skillsets and technology stacks or on a vendor outsourcing partner.

Much can be outsourced, particularly operations; the typical candidates are firewall management, network security, encryption, vulnerability scanning, anti-malware, host security and database firewall management. Access management and data loss prevention, although they can be outsourced, are the first line of defense protecting a company’s crown jewels, the data. I am hesitant to advocate such a move because giving up the keys to the kingdom, who can get to the data, what they can do, where they can go and where the data can be transmitted, carries a high risk when that responsibility is handed to a third-party vendor. Understand that while outsourcing may have cost, technological and skillset advantages, it has one major flaw: you lose control, and that must be weighed carefully. Outsourcing varies with every organization, and a CISO needs to understand the strengths and weaknesses of their environment and only outsource areas where the biggest bang for the buck and the return on risk are advantageous.

Remember, when considering an outsourcing partner, ask yourself while developing the RFP whether the outsource vendors can add value over and above what an equivalent internal team would cost. I have seen many flavors of what defines value, from cost savings and efficiencies to innovation on the bleeding edge of security prowess. It is important for the CISO to balance the risk with the reward when contemplating outsourcing.

The Pros and Cons of Outsourcing

In contemplating outsourcing, one must weigh and understand the pros and cons that are essential in determining the risk factors of that decision. Here are a few things to consider.

What Are the Pros?

  • Cost Savings – Building and staffing the security infrastructure is expensive; acquiring the facilities to house it, meeting the physical security requirements to protect it, etc. is a herculean endeavor. Here all one does is pay for the service and let the outsourced vendor worry about the rest.
  • Advanced Technology and Skillsets – This is where Managed Security Service Providers (MSSPs) come into play; their sole existence is providing security services to a wide array of businesses. They will normally have best-in-class infrastructure and personnel on hand, and it would be counterproductive to build a similar infrastructure in-house.
  • Monitoring and Support – As negotiated in the SLA, most provide around-the-clock monitoring, preventing, resolving and reporting incidents. It is their job to uphold security and privacy in accordance with your governance, risk and compliance requirements. This is set in stone in the service level agreement (SLA) and the non-disclosure agreement (NDA).
  • Flexibility – Outsource vendors must be flexible enough to adapt to a business environment in constant flux, so their security functions have to respond quickly to changing demands. Vendors can often tap a wide range of resources, skills and capacities, while internal security staff may have limited capabilities.

What Are the Cons?

  • High Risk – Arguably riddled with controversy and debate, trusting a different company with your intellectual property and crown-jewel data can be difficult to contemplate. Yet most MSSPs have well-known reputations and track records. Moreover, the service level agreements (SLAs) and confidentiality agreements (NDAs), backed by law and insurance, compel your MSSP never to sell your data to your competitor. Most MSSPs will also insure the company they are securing in the event of data loss, since their livelihood is on the line. But I must warn about offshoring, where any legal leverage becomes moot in the event of a breach. Always have your data reside with, and be protected by, a domestic MSSP where legal jurisdiction applies.
  • Loss of Control – Handing over security to another company means you will have to accept the terms they propose. For example, when outsourcing information security, the vendor often decides which security software and hardware to run. Changing such infrastructure would breach the contract with the MSSP. In addition, the MSSP will not allow an audit of its facilities and processes to measure them against the governance, risk and compliance mandates of your organization.
  • Loss of Quality – Hiring MSSPs known to compromise quality for profits is a security risk and must be a consideration. Make sure strong language is set forth in the SLA to prevent such an occurrence, and consult with legal counsel to ensure the requirements are executed in the agreement.
  • Cost of Switching Providers Is High – A shakeout has taken place among MSSP vendors, with mergers and takeovers becoming commonplace. It is likely that fewer suppliers will survive in the future, making it more difficult to shop for the right price.

Onshore, Nearshore or Offshore

When selecting a vendor partner, CISOs need to be aware of and consider where the vendor’s operations and staff are geographically located. The four areas of concern are:
  • Cultural and Ethics Differences
  • Language Barriers
  • Manageability
  • Security Expertise and Skills

The Options to Consider:

  • Onshore – The prospective vendor is located in the United States; the services are outsourced within the same country and face no cultural, legal or language barriers. Managing the work, and even facility visits for monitoring, is convenient and inexpensive. This option is preferred when you wish to outsource highly sensitive services to protect intellectual property or data. However, this option does have drawbacks: it is not as cost-effective, and in some situations the lack of required skillsets poses problems and increases cost.
  • Nearshore – The prospective vendor is located in another country such as Canada or Mexico; services outsourced to a neighboring country face minimal, negligible cultural, legal or language barriers. Managing the work and conducting frequent facility visits are relatively convenient and, compared to offshore, less expensive. While this option is more cost-effective than onshore, it is not on par with the cost savings offered by offshore. Not all nearshore destinations have developed the required security skillset, and this may pose a problem when a niche skillset is required.
  • Offshore – The prospective vendor is located in a distant country in Asia or Europe to which the services are outsourced. Your organization has to overcome cultural, legal and language barriers, among many other considerations. Monitoring and managing the work requires expensive trips; however, offshore locations have a vast talent pool which can be hired at lower cost. Some offshoring destinations that have been in this industry for a considerable period of time have developed the processes and expertise to execute huge outsourcing projects. They also offer the client an in-house system as part of the deal.
  • Offshore Captive – Another option which has gained momentum recently is opening captive centers in offshore locations. This offers an avenue to offshore work along with the flexibility of selecting your own resources and implementing your own work culture and ethics.

The Political Fallout

A word about the ramifications involved in this decision: in most cases it is not a popular one among the affected employees in your organization, and who can blame them when one loses a job. I have been on both sides of the table, and setting personal opinions aside, fierce global competition has led many businesses to restructure and downsize staff in an effort to save money. Yes, in some industries cut-throat competition has resulted, as seemingly unjust as it is, in much tighter control of fringe benefits and much leaner overhead structures. Moreover, companies are using low-cost labor pools more aggressively and, with the help of modern telecommunications such as the Internet, can move information security infrastructures to low-cost areas.

In such situations, a CISO must be a compassionate leader and prepare affected employees to understand the business reasons behind the decision. Treat and mentor them with dignity, provide inspiration and pay it forward by helping them find employment among colleagues in organizations outside your own. That is the greatest gift you can give your valued departing staff, and it will remain in their minds and hearts forever.

When considering outsourcing, it is not one size fits all; it varies between organizations. One may not have the wherewithal to build a security infrastructure on its own, so it keeps the elements it must have in-house and outsources the rest. Others outsource for a certain period of time while they build and implement their own; still others outsource a few things they lack expertise in.

It is a choice any CISO will face: how to run their department in the most cost-efficient manner without compromising on risk. It is not an easy job, as it involves careful consideration of the value added to the business and, with it, the emotions involved that impact affected employees.