When Offshoring Comes to Infosec

Our manager gets word that some information security operations will be outsourced, and it has him worried.

Offshoring IT work is nothing new for my company, but I have dreaded the day when I would be asked to offshore some of our information security work. So, when I tell you that I spent last week in India, you'll understand that it wasn't just the jet lag that had me feeling harried.

When it comes to budgets, IT is not a high priority for my company. Most internal investment is in product development, because that is what keeps us competitive and makes money. In every other area, we are always looking for ways to cut costs, and for several years, we've been doing that by moving certain jobs and functions to lower-cost countries. We outsource some of our product source code development to Russia, hardware engineering to China, training and knowledge management to Singapore, and application development and engineering to India. I understand the reasoning behind moving certain operational and support tasks offshore, and I believe the cost savings far outweigh the risks. But information security is another story entirely, and I don't say that because I want to protect my turf. I'm talking about protecting the company.

In the hiring process, we hold security engineers to a higher standard than other employees, since in giving them the ability to access our critical infrastructure, we are giving them the keys to the kingdom. If security engineers are going to effectively protect intellectual property and detect network intrusions, they have to be able to monitor all network and employee activity. While no employee should expect privacy on a corporate network, the truth is that many people engage in very private personal and business matters at work. We have to be careful about whom we put in a position to be privy to all that sensitive information. Having people offshore do that work makes me very uncomfortable.

So, there I was in India, trying to put my mind at ease. I was very impressed with the security operations of one of the Indian companies I visited. Its network operations center put my company's in-house capabilities to shame. The Indian company has invested heavily in enterprise-class monitoring, configuration management, documentation, process and procedures.

But while offshoring would let us take advantage of certain economies of scale, the trade-off is a lack of oversight and security. One key will be retaining control of all that I can while leveraging the budgetary advantages of a lower-cost workforce. Take Tripwire as an example. We use it to monitor changes to files. If we outsourced this activity, I would insist that we in the U.S. continue to define policies (that is, which files are to get monitored), while the actual execution of the policy and the monitoring operations themselves would be moved to India. I would still be responsible for compliance, oversight and escalation, but the day-to-day operational activities would be conducted overseas.

The success of any outsourcing of information security activities could depend on the effective use of metrics, in addition to our retaining ultimate control as operations are moved offshore. We already use metrics extensively for our in-house information security operations. Let me give you an idea of what we measure.

The Metric Mix

Our IT executives like to see metrics from the various IT divisions so they can measure the effectiveness of the organizations and make suggestions for improvement. Upon my return from India, I was told that the IT security quarterly scorecard needed to be updated, and I had only a day to put it together. Information security currently reports four metrics each quarter.

The first is the number of managed laptops and desktops that are running the current Trend Micro antivirus pattern file, a metric that's easily obtained from the Trend Micro Control Manager. We strive for 95% compliance. This quarter, we were down by three percentage points, but that was only because we recently acquired a large company that hadn't completely cut over to our virus standard.

The second metric is the number of managed systems that meet the current recommended patch level. We use Microsoft SMS to obtain this information, and we look for 90% compliance. We were at 84% this quarter because the desktop folks have been unable to properly deploy patches to some remote offices.

The third metric is the percentage of the network being monitored by the intrusion-detection system. Our goal is to monitor 80% of the network, but this quarter, we covered only about 18% of the traffic, down from 24% in the previous quarter. The reason for the drop is that we have increased the number of network nodes with no offsetting increase in intrusion sensors. The acquisition was a factor, but so was a network rearchitecture that we have undertaken to better segment the network.

The fourth metric is the percentage of security tickets that are resolved within the parameters of our service-level agreement, which depend on the priority of the ticket. For this quarter, we did very well, resolving 90% of the security-related tickets in a timely manner.

These metrics are of value to me as well as to the executive staff. They tell me where we have deficiencies and where I need to add people and money, assuming either is available. Too often, neither is. But there's no question that offshoring will boost the resources available to me, and metrics should help me evaluate the effectiveness of what we're doing and monitor compliance with security policies. It won't be easy to let go of these security operations, but I can at least maintain the knowledge that I'm still in charge and ultimately responsible.

If you have had globalization experiences, I would love to hear your stories.

What Do You Think? This week's journal is written by a real security manager, Mathias Thurman, whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com, or join the discussions in our security blogs: computerworld.com/blogs/security. To find a complete archive of our Security Manager's Journals, go online to computerworld.com/secjournal.

Copyright © 2007 IDG Communications, Inc.