
EP 41: Security Outsourcing: Vendor Selection and Management
About this episode
November 26, 2019
Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, discuss Security Outsourcing: Vendor Selection and Management.
Episode Transcript
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity counsel is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.
Jake Bernstein: Kip, what are we going to talk about today?
Kip Boyle: Jake, today, we're going to talk about security outsourcing, vendor selection, and management.
Jake Bernstein: That's a great topic, but why now? What's special?
Kip Boyle: Okay, why now? Well, this is a little bit of a cheat, "Why now?" Well, because that's also the name of my latest online video course, which was recently released on LinkedIn Learning, and so I'm kind of celebrating by hijacking an episode and talking about it, but I also figured our listeners would enjoy learning about the seven-step outsourcing process that I cover in my course.
Jake Bernstein: Me, too, and honestly, I don't consider this to be a hijacked episode at all. I mean, security outsourcing, vendor selection, and management is a key component of cyber risk management.
Kip Boyle: Yeah, that-
Jake Bernstein: And this is the cyber risk management podcast, so this doesn't feel like a hijack at all. Let's dive in.
Kip Boyle: ... Okay, great. Thank you for that support, but I still feel excited. Okay, so before I dive into describing these seven steps, I want to make a comment about the business case to outsource security work, and the comment is this, doing it primarily to save money isn't going to work due to hidden costs.
Jake Bernstein: Well, okay, so hidden costs, that's a little catchphrase that you hear all the time, so what does it mean in this context?
Kip Boyle: There's so many hidden costs. This is true, whether it's a security outsourcing deal, or something else, right? I mean, the dominant narrative is you save money by outsourcing. Okay, you certainly can make that case. But in my experience, there's a whole bunch of hidden costs, and it's things like this. Just to put the deal together will probably cost you about 5% of the annual value of the deal, so if it's a $100,000 deal, a million-dollar deal, just know that you're going to spend about 5% of that just putting the deal together.
Jake Bernstein: Yeah. How?
Kip Boyle: Well, because you've got to negotiate contracts, there's typically lawyers' fees to pay.
Jake Bernstein: Oh, sure.
Kip Boyle: You've got to conduct a vendor search.
Jake Bernstein: Just blame us lawyers.
Kip Boyle: You're definitely part of it. You have to find a vendor, right, and so there's the process of that, which I kind of talk about in my seven steps to a successful outsource, but there's so many things you have to do before you even ink a deal, so to speak. I know these days, we don't really put ink to paper anymore, but my age is hanging out. What can I say?
Jake Bernstein: Well, hold on now, Kip. You're talking to a new pen addict and actually the disconnected totally analog notebook and pen is a very good way to manage cyber risk these days.
Kip Boyle: I wish I had remembered that you were a newfound pen fanatic before I said that, but nevertheless, we'll continue. That's just one hidden cost, right, is 5% just to put the deal together.
Then depending on who you go with, right, there could be a long period of time where you're transferring the work from the people who are doing it today to the people who need to learn how to do it. That's a potentially hidden cost because sometimes you actually have two people working the same job at the same time for weeks or months and so you're paying two people to do the work of one. You've also potentially got cultural barriers, language barriers, time zones, and a lot of people just don't anticipate that when they first get this brain wave, "Hey, I should be doing outsourcing."
Jake Bernstein: I want to ask, obviously, I'll pitch you the slow ball, is there a better approach to the outsourcing business case? But before I do, I mean, I want to just clarify. People toss around the term "outsource" all the time and I just want to say there's a difference between outsourcing and offshoring and your comment about navigating cultural and language barriers, I want to highlight that, at least, I guess this is more of a question, it doesn't necessarily matter if we're talking about outsourcing to a company in your own country or truly offshoring someplace else, these seven steps still apply, if you're taking security work outside your company, is that right?
Kip Boyle: Yeah, that's absolutely correct. Some people like the idea of nearshoring or onshoring, I mean, there's all kinds of permutations of outsourcing and offshoring is certainly one, and obviously, that's the most notorious one. I know that the whole outsourcing/offshoring idea is just packed with connotation. For Americans and other Westerners, the connotation may be largely negative. If you are living in the Far East, I'm sorry, the connotation, it'd actually be very positive because you see it as an economic opportunity. I'm not trying to focus on that here, but just know that from a business case perspective, who you choose to work with is going to determine a lot of these hidden costs.
Jake Bernstein: Yeah, no, I think that's a good point. Are you ready to tell us the seven steps?
Kip Boyle: Yes, but first I want to talk about what is the better approach to building your business case for outsourcing security. This is a very security-centric way to think about it. In my experience, the best business case, the strongest business case can often be made when you are moving routine commodity work out of your team. Let's say you're a CISO or you're a cyber risk manager and you've got a team of people who are doing all this routine work and what you want to do is you want to move that routine work out so that the people on your team can focus on high-value work that only they can do as an insider.
I want to give you an example of what I'm talking about. A routine commodity piece of work might be resetting passwords. I know in this day and age, a lot of password reset is kind of self-help, which is great, but a lot of organizations are still doing password resets, or firewall rule updates, that sort of thing, and I just don't think that a cybersecurity team, an internal one, I just don't think that's their highest and best value for their time because so many other people know how to do that work, so an IT outsourcer, for example, can take that work on. The kind of high-value work that I'm talking about is something like, let's say your company's going to launch a new product and you haven't even really started designing it yet in terms of the technological solutions, the process, the procedures, all that stuff. If you could have a conversation with a senior decision-maker before the design and implementation of a new product occurs, you can actually affect the security posture of that new product launch by mentioning early and often that the security has to be baked into it.
Now, that conversation is not going to happen as easily if the team is so busy trying to reset passwords and change firewall rules. I mean, they have no time to build the kind of relationships, or have a lot of meetings with senior decision-makers, and so they're going to miss that opportunity and security's going to be maybe bolted on after the product is finished. That's an example of what I'm talking about, and actually, that does segue very well into the first step, which is to identify candidate work to outsource. I'll just repeat myself, you want to outsource routine commodity work so that you can focus more on the stuff that you really can't outsource.
Jake Bernstein: Yeah, and I think the only comment I would have to that is that it's a lot like all businesses and non-security outsourcing, the type of stuff that you want to outsource would be like your basic bookkeeping, possibly certain HR-type functions, things that are not your special sauce, they're not your specialty.
Kip Boyle: Right.
Jake Bernstein: The fact is that someone else may be much more efficient and good at something, it's pertinent to every business, and you just need to do it.
Kip Boyle: Right.
Jake Bernstein: I totally agree, you got to outsource routine commodity work. But let's keep going.
Kip Boyle: Do you know who actually advocated for that over the last century in the United States? A management guru named Peter Drucker. Have you ever heard of him?
Jake Bernstein: I think I have heard that.
Kip Boyle: Very famous management consultant, executive management consultant, a prestigious writer, prestigious thinker, very influential. He actually had this little saying. He said, "Do what you do best and outsource the rest," and that's kind of where this idea came from. I think you explained it very, very well just a moment ago, but just in case anybody wants to dig in a little bit deeper, like where did this idea come from? It's Peter Drucker, so go read up on his body of work.
Jake Bernstein: Yeah, definitely. Step two.
Kip Boyle: Right, so step two, once you know what you want to outsource, now, you got to document your requirements. There's actually a secret to documenting requirements for your outsourcer. Do you know what it is, Jake?
Jake Bernstein: Well, I'm going to cheat and say it's focus on the outcomes you want.
Kip Boyle: Yeah. See, we have notes.
Jake Bernstein: But you did send me your script.
Kip Boyle: Yeah. Yes, yes, ladies and gentlemen of the audience, we do show prep here. Yeah, I'm very good. I threw you a little bit of a curveball, but you hit it square. You want to focus on the outcomes. Now, the thing about cybersecurity outsourcing is it really does matter how the work gets done. I mean, if you're going to outsource accounting, for example, there are standards, right? The generally accepted accounting principles, and you're pretty sure that those are going to be followed, right, so there are already existing standards for how accounting should be done, but with cybersecurity, that's not always true, and so you've really got to make sure that the work gets done correctly because shortcuts-
Jake Bernstein: I'm going to stop you for a second and say that I kind of wish for a gap, which is the generally accepted accounting principles for cyber, but we're a long ways from that. It's not enough to say it's not always true. It's not really true at all. That's what makes cybersecurity so challenging right now, particularly when you're about to outsource.
Kip Boyle: Yeah, no, that's exactly right, although sometimes you'll be working with what's called a "managed security service provider," so an outsourcer that specializes in delivering a cybersecurity service, like network intrusion detection, or network intrusion prevention, or something like that. They may hew a little bit more closely to so-called "industry standards," but if you were to outsource password resets to an IT service provider, I would be concerned about that, right? Because IT service providers are not necessarily focused first and foremost on security and even with an MSSP, there's a conflict there I'm going to talk about in a moment in terms of vendor selection.
Even though how the work gets done matters, you really want to focus on outcomes, and in my course, I really go into detail about this, but if you have a hard time focusing on how the work gets done, and you just can't let go of that, you're going to have a hard time because outsourcers have their own way of doing things. They probably have better tools than you have, they have already scaled their operation more than you have, and if you won't take advantage of their unique capabilities, then maybe outsourcing isn't the right thing for you. In terms of documenting requirements, that's a big insight that I would like to share.
Jake Bernstein: I would say it is absolutely critical to combine this with step one, which is to identify truly good candidate work to be outsourced because I think your example of an MSSP that's doing network intrusion detection was not random. That is something that is relatively commoditizable as a concept, but what you can't do is outsource security wholesale.
Kip Boyle: Right, and particularly risk.
Jake Bernstein: Exactly, and I think this goes to one of the things that we say all the time, which is that it's about cyber risk management, and you can't outsource that.
Kip Boyle: You can't. You cannot outsource the risk management. You can bring somebody alongside of you to help share in the burden, and that's really what we're talking about here.
In terms of documenting your requirements, the other thing that I want to mention before we go on to step three is the service level agreement. Now, one of the hardest things that I've seen people struggle with when they outsource is the distance between you as the manager and the people doing the work is going to become very great. I don't just mean the physical distance, but also the emotional distance, the psyche, the psychic distance. You don't really know these people and when new people roll onto the outsourcing team, you don't really know them, and so that makes people feel uncomfortable because managers are typically able to look into how a person's doing their work.
That's a very common way of evaluating are they doing a good job or not, but when you outsource, that's not going to be available to you, generally speaking. What you're going to have to do is manage through a contract and you're going to have to set service levels, service levels like, how fast should a password be reset, or how quickly should a firewall rule get rewritten to accommodate a change in the business, and so if you don't know how to write service level agreements, you need to figure that out.
Jake Bernstein: Yeah. Something on this topic, we have a colleague, shout out to Melissa, who's been on the show before, but she has a phrase from the government called "essential government function." It's another way of thinking about whether an SLA is going to be enough for a particular outsource, a type of work, because if you have something that is essential to your company, because of everything that you just said, Kip, about the risks of outsourcing because of the lack of direct management, can you actually safely outsource that? I think a simple example might be the army decides to outsource its pilots for its air support. That's an essential government function. You can't do that.
Kip Boyle: It's not going to work really well.
Jake Bernstein: It's not going to work real well.
Kip Boyle: Because they're going to take holidays off and stuff like that.
Jake Bernstein: Right, and, "Oh, sorry, we can't fly air support today. We have a contract dispute." That just doesn't work. Similarly, maybe you can have an MSSP doing your intrusion detection program, but maybe you can't, so it really needs to be part of the overall risk management process to look at all of this stuff.
Kip Boyle: Yeah, absolutely, absolutely. This is all preparation, right? You haven't even inked a deal yet. Right. You're still in the beginning stages and you can now appreciate a little bit better why I say you'd better budget at least 5% just to get the deal done because again, step one, what you're doing is identifying candidate work. Step two, you're documenting requirements, and now, let's talk about step number three, which is now you're ready to select a vendor. Since we're outsourcing security, you're probably going to end up working with an MSSP, although you could end up working with a different type of company, it's okay. But one of the things that you've got to watch out for here is there's an inherent conflict of interest, whether it's an MSSP or whether it's an IT service provider or whoever it is.
This is the essence of the conflict right here. You as the organization outsourcing work want high-quality work product. You want passwords reset securely and on time and firewall rules rewritten expertly and on time. But your outsourcers' number one desire is to grow and be profitable, and so you have to recognize that and accept that. If you get resentful over that, then you are probably not going to be able to create a working relationship with this outside provider because if you deny them the opportunity to grow and be profitable, it's just not going to work.
With security, it can be a real problem because let's say resetting passwords securely is a 10-step process but step number eight is really annoying to the MSSP, so they might cut corners, right, and put the password into their ticketing system because it's just faster. Well, that's a really horrible security practice, but it's more profitable for the outsourcer to do it that way because they can then do more work with the same number of people, so you've really got to watch out for this, and you've got to build it into your SLA and you've got to build it into the way you manage the vendor to make sure that they don't take these kinds of shortcuts and actually fumble the ball that you've given them, which results in a data breach.
Jake Bernstein: Yeah, the only thing I would add is that there's a reason that vendor management is itself part of cyber risk management.
Kip Boyle: That's right.
Jake Bernstein: When you're using vendors to actually do cybersecurity, it probably deserves a second pass on that vendor in particular, just a higher level of scrutiny because you're exactly right, you can't expect, I mean, you're not the only customer, it's as simple as that. Maybe that's the best way of putting it is that when you do something in-house, you think of it as your company is the only customer for this department that's in your company, but when you choose a vendor, you have to know that you're a customer and you're important, but you're not the only customer.
Kip Boyle: No, especially if you're not the one with the biggest spend.
Jake Bernstein: And you may not know that.
Kip Boyle: Yeah, so you're not even going to be an equal customer, you're going to be a two or three customer or something like that, right, so yeah, you absolutely have to consider that vendor management is so important. That's step three is to actually select a vendor and there's many ways that you can do that. I talk about how to do that in my course.
One of the other things I like about the LinkedIn Learning library, and I guess I'll just give them a little plug is they have all kinds of courses up there for all kinds of things. For example, building a business case, I don't explain how to build a business case in my course. I talk about it, but there's a whole other course on building a business case up there that I reference and that you can go to and watch. I think it's a really great resource. I'm happy to be affiliated with them and I'm happy to have my content on that platform.
All right, so that's step number three, select a vendor. Now, once you've selected one, now, you move on to step four, which is to contract with them. I know from experience my number one learning, my number one lesson from this step, don't try to contract with the vendor without a lawyer or a really good contracts manager showing you how. I'm sure you can explain that to us, right, Jake?
Jake Bernstein: Yeah. Obviously, the SLA is going to be written at this step. This is going to be a big part of it, and that's going to come back over and over, but this contract is going to be essentially everything you have to fall back on and manage the vendor. I would say that, obviously, I am biased in this regard, but if you're contracting with a security vendor, you should probably get an attorney who understands the industry. Your general counsel probably doesn't understand the cybersecurity, in which case they may not be fully up to speed on the issues here, whether someone were to call someone like me, or even just talk to a combination of in-house counsel and security, it would be wise to have that contract looked at with an eye to not just normal legal issues, but also the security issues.
Kip Boyle: Oh, definitely. I got most of my experience doing this when I was a chief information security officer, and I got to tell you, one of the big buckets of cold water in my face was that contracts just didn't work the way I expected them to, and they did not work the way I wanted them to. I had to really work hard to translate my requirements into contract language that was practical and defensible. It was quite a lift. I was really pleased to be working with a talented contract manager and an attorney behind that contract's manager, who would actually review the stuff that we came up with. But just please, folks in the audience, do not underestimate how crucial it is to get the contract correct.
Jake Bernstein: Yeah, with a vendor, that's kind of where it starts and ends.
Kip Boyle: Yeah, so that's step four. Step five is you want to implement the agreement. Let's assume you've done a wonderful job writing the contract. Everybody's happy, we sign it. The ink flows and we have a deal. Now, you've got to implement that deal and a smooth transfer is your goal. You want your MSSP to have a great start, to put the right foot forward. That is going to help you create the momentum that you need because you've just kind of gotten married here, okay, and there's going to be a lot of stuff that's going to happen in the first few months of the relationship where you're going to think they're crazy, they're going to think you're crazy, and why did they squeeze the toothpaste from the middle? It just doesn't make any sense. You got to have a great agreement that you can implement.
One thing that I want to also point out here is that if you are going to have to do layoffs because of the outsourcing, and even if you're not, even if you're just going to move people from one type of work to a different type of work, so if you've got somebody on your internal team that's been doing password resets, and now you want them to go off and have deep conversations with senior business leaders, those people are really probably going to struggle for a while to get their footing in their new role, and if you actually outsource the work and send people to go work for the outsourcer, or if you're releasing people, I urge you to think carefully about what kind of an outcome do you want for all these people and how their world is changing.
It's going to affect your reputation as an employer if you're laying people off or moving them to the outsourcer because folks talk. If you're keeping them and you want them to be productive, you really got to support them. Everybody goes through these changes differently. Some people actually feel it so deeply that it's almost they're grieving a death and so it can be really traumatic for folks when they're caught up in this whirlwind of change. I've seen it firsthand. It's a hard thing to relate without seeing it yourself. Jake, any thoughts?
Jake Bernstein: I do. That thought would be that when you're making this transition, you have to remember basic cyber risk management, which is to watch out for inside threats that might be coming from recently laid-off employees. I hate to sound paranoid, but it is a risk that should be managed.
Kip Boyle: It's difficult, too, because I've been involved in outsourcing where somebody that I knew and trusted and had worked with a long time, all of a sudden, they got notified that their employment was coming to an end, and it was so nerve-wracking because you wanted to continue to know and trust them the way you always had, but the trauma sometimes is so great that people just kind of lose it and they do things you would never have thought that they would be capable of doing. I would say it's one of the worst things, most difficult things that I've ever had to manage was layoffs. Just really, really tough. It's so touch and go.
Jake Bernstein: Yep. Step six.
Kip Boyle: Yeah, step six. Now, you've implemented the agreement. Now, you want to manage the vendor. Jake, do you remember what is the major tool that we're going to use to manage the vendor?
Jake Bernstein: That would be the service level agreement, Kip.
Kip Boyle: Exactly, the SLA. If you don't have a way to monitor the SLA at this point, you better get busy because you should have built this already. Your SLAs should be measurable. They should be something that you can monitor without seeing people do the work.
Let's take password resets as an example. I mean, if you set an SLA that password resets have to be one hour from the time that the ticket is opened, you should be able to measure that. You might want to set up a way to do that by having the vendor do log forwarding to you so that when an event is written to the event log that a person's password's been reset that you'll actually have a copy of that, and so you'll have a piece of evidence that says, "Oh, yeah, Jake submitted his password reset. I can look in the ticketing system and see that it came in on this day at this time and I can pull the event record where his password was actually reset and I can do a simple piece of math and find out how long that took." That's your ideal state, but it's all about the SLA now. That's your major lever that you can pull.
Jake Bernstein: I would say, too, that this is a good time to remember what you put in the contract in step four. This is where audit rights are extremely helpful is that if you don't build in an audit right during step four with the contract, then you may not have the ability to fact-check the vendor. Sure, they may send you reports, and we all want to think those reports are fully accurate, but the only way to know is to build in an audit right allowing you to go in and see for yourself.
Kip Boyle: Yeah, and sometimes that audit right isn't going to be you showing up at the door saying, "Let me in," sometimes you can do it in a secret shopper kind of a way, right? You could submit a request for something that the vendor should be doing, and then you could run your own stopwatch to find out how long it takes to get it done. That's one way.
Jake Bernstein: The specifics will be greatly dependent upon the service and the provider and all of that.
Kip Boyle: Of course. Yep, you could also go interview people who've interacted with the vendor and ask them, "How did it go?" There's hard numbers, which is great, there's testing, which is helpful, and then sometimes you just got to talk to people who actually experience it and see what they have to say, so there's a lot of different ways you can do this.
Jake Bernstein: All right, so step seven is, I'm going to steal it from you because it's pretty straightforward in some ways, is renew the agreement.
Kip Boyle: Or not renew the agreement.
Jake Bernstein: Or not.
Kip Boyle: That's the issue, right? Typically, you've got to make this decision before the agreement expires, and so just a couple of thoughts. First of all, contract renewal is a time when you as an outsourcer have a very strong position. Probably this is your strongest position next to the time when you were doing vendor selection, when you probably had the strongest position, so if you've got some grievances, if you've got some things that you haven't been able to get done, make sure you write them down throughout the term of the contract because once renewal comes around, all of a sudden, magically, you will be listened to more than you had been, and different people from the vendor may show up than you've been talking to over the past year, asking you, "Oh, please, won't you consider renewing?" But one thing I wanted you to talk about, Jake, is the evergreen clause.
Jake Bernstein: An evergreen clause would be, it's essentially an automatic renewal. I mean, honestly, you should watch out for them, but at the end of the day, they're not going to be that effective. It's very difficult to force someone to stay in a deal they don't want to be part of. There's the hypothetical contract breach from trying to cancel and stop paying and then there's what actually happens in court. Now, granted, you're going to be employing lawyers and spending money, but if you have an agreement that automatically renews, and by the way, most of them will, and you want them to, because the last thing you want is to forget to renew the contract with the intrusion detection outsourcer, and then suddenly find yourself, "Oh, we actually don't have any intrusion detection at the moment."
Kip Boyle: That's called "sudden service disruption."
Jake Bernstein: Sudden service disruption. The way that most contracts read is that there will be some notice period that you have to cancel in before the contract renews. It's often 30, 60, sometimes 90 days, but the bottom line is that the renewal time doesn't necessarily start right when the contract is about to expire. It actually probably starts months before, whenever your notice period kicks in, so do watch out for that.
Kip Boyle: Yeah. I'll tell you that I've had to navigate an evergreen clause and the first time I did it, I didn't do it very well. The first time I wanted to get out of a contract and it had an evergreen clause and I've heard horror stories from people who felt like they couldn't get out of the contract when they desperately, desperately wanted to get out of it, so just a total nightmare. As if the work itself wasn't tough enough, you've got these evergreen clauses and other things. I mean, let's face it, the outsourcer really probably doesn't want to end the relationship. Remember, their primary goal is to grow and to be profitable, right, so it's kind of in their best interest to make sure that the contracts renew.
Right, so those are the seven steps that you'll be able to learn more about if you decide to go and watch my course on security outsourcing, and that's on the LinkedIn Learning platform. Here's a special little deal for you: If you would like to watch that course for free, you can, but what you have to do first is you have to connect with me on LinkedIn. If you connect with me on LinkedIn, then what I'll do is I'll accept your connect request, and then I will send you a link, and the link will allow you free access to the course for 24 hours, and that assumes you don't already have access to LinkedIn Learning, so there's a freebie for you if you listened all the way to the end of the episode.
Jake Bernstein: Very good.
Kip Boyle: Okay. Well, that wraps up our episode today. Again, we talked about security outsourcing. We'll see you next time.
Jake Bernstein: See you next time.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision-makers, legal department, HR, and IT for full effectiveness. If you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.
YOUR HOST:
Kip Boyle
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
YOUR CO-HOST:
Jake Bernstein
K&L Gates LLC
Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.