Outsourcing security offers benefits, risks

Jaikumar Vijayan schreibt unter anderem für unsere US-Schwesterpublikation CSO Online.

Companies looking to outsource security functions to third parties need to have a clear understanding of the mutual risks and liabilities involved in doing so, according to an executive from Morgan Stanley who spoke at Computerworld"s Premier 100 IT Leaders Conference here in Scottsdale, Arizona, Tuesday.

Morgan Stanley last year decided to outsource functions such as firewall management and network vulnerability assessment to a managed security service provider. The move will allow the financial services giant to run more efficiently while freeing its in-house staff to focus on strategic security issues, said Lance Braunstein, Morgan Stanley"s executive director of infrastructure planning.

The tasks of managing infrastructure firewalls and intrusion-detection systems "are all going away," Braunstein said. "We had a 24/7 requirement here that we were simply unable to do," he said. Outsourcing to a third party also allows Morgan Stanley to do more "proactive discovery of vulnerabilities," he said.

Key to the arrangement is a clear understanding of each party"s potential exposure if something goes wrong, he said.

In Morgan Stanley"s case, some of the security functions being managed by third parties, such as passive vulnerability scanning, have capped liabilities attached to them in case something goes wrong. But security problems arising from negligence or that result in property or some other kind of damage have uncapped liabilities associated with them, Braunstein said.

It"s also important to have a clear understanding of a service provider"s ability and processes for ensuring confidentiality of the work being entrusted to them.

When choosing a vendor, companies need to pay attention to issues such as the breadth of services offered by the provider, its financial and competitive viability, and cost, he said. "Once a contract is signed, you need to look at the implementation issues," Braunstein said.

That includes understanding how the service provider will connect to your enterprise, how any knowledge transfer will be accomplished and what the business continuity plan is, he said.