Managing Network Security
To Outsource or Not to Outsource,
That is the Question!
by Fred Cohen
Series Introduction
Over the last several years, computing has changed to an almost purely
networked environment, but the technical aspects of information protection
have not kept up. As a result, the success of information security programs
has increasingly become a function of our ability to make prudent management
decisions about organizational activities. Managing Network Security takes
a management view of protection and seeks to reconcile the need for security
with the limitations of technology.
Introduction:
As a long-time consultant in the information protection field, I have
often observed, to my dismay, that outsourcing information protection work
is a particularly risky business. I sometimes find myself advising my clients
not to use consultants as much as they do in the information protection
area.
Since my clients almost always follow my advice, you would think that
this might not be very good for my pocketbook. But don't worry about
me. My clients almost always ask me to work for them doing things that are
appropriate for a consultant to do.
Basic Issues:
The fundamental role of organizational information protection programs
is to keep people from being harmed as a result of information or information
technology. In most cases, this is translated at the organizational level
into protecting corporate information assets. Since outsourced people in
information protection roles (we'll call them "consultants" from now
on) are, in essence, information assets, we could analyze their utility
just as we would any other information asset. I will use return on investment
as the driving force in my simplistic analysis here.
But before we can understand return on investment, we have to understand
the different roles that consultants can play in an organization so we can
understand the risks and the values associated with having them in. Without
this, we cannot make a business case for hiring an outside consultant anyway.
In today's world, we can potentially hire a consultant to do anything
that an employee can do, so every internal role is open to this possibility.
But there are also roles that an outside consultant can play that no insider
can play. Two of these roles are providing knowledge about what other organizations
are doing and providing context from outside of the organization.
- Providing knowledge about what other organizations are doing in the
information protection arena sounds almost like competitive intelligence,
and indeed, it can become this if employed in unscrupulous hands. But good
consultants are able to bring a great deal of expertise to bear based on
other consulting they have done without revealing any information that
could harm other legitimate interests.
- Providing context from outside of the organization has been a major
historical role for the consultant. This is similar in many ways to the
role of board members from outside the company. It also allows insiders
to reduce their internal risks in decision-making. (In effect, the insider
is laying off bets on the consultant. If the result is good, the insider
is credited with the decision and hiring a good consultant. If the result
is bad, the insider blames the consultant and avoids responsibility.)
The three roles:
This then sets out the three major roles of information protection consultants:
- The consultant can act as an independent expert. Examples of
this role include but are not limited to the validation or countering of
an internal opinion, assistance in settling internal disputes, tracing
down an attack by a trusted insider, providing additional credibility to
management or outsiders, and deferring internal risks.
- The consultant can provide knowledge not otherwise available. Examples
of this role include but are not limited to special knowledge regarding
a specific system, method, or challenge, special expertise relating to
a high-valued decision, and experience in helping organizations change.
- The consultant can temporarily supplement internal resources. Examples
of this role include but are not limited to assistance on a specific short-term
project, assistance during an emergency situation, assistance during a
dramatic expansion or contraction, and assistance when a major shift in
direction is taking place.
It is perhaps noticeable that the use of consultants for long-term supplementing
of full-time employees has not been included in this list. This is not because
I am a heavy union supporter, but rather because a long-term full-time consultant
is, in essence, a full-time employee as far as risk management is concerned,
or at least should be treated as one. This implies that similar background
checks, clearances, agreements, and other similar things should be in place
for such a consultant, and that the differentiation between this person
and employees should be based only on a legal distinction.
Risk management:
The risk management approach I typically use begins by understanding
dependencies, vulnerabilities, and threats. We begin with dependencies.
- The consultant provides independence. In this case, our dependency
on the consultant is typically rather low. The client is asking for an
objective outside opinion and, even if the consultant is completely wrong,
the client should not be in a position where such an error will cause great
harm. Proper use of such a consultant should result in few, if any, substantial
dependencies. Example: If the consultant agrees with our previous opinion
and the consultant is wrong, the only real effect is the added cost of
the consultant. If the consultant disagrees and is wrong, we will spend
a little bit more effort making certain and it may reduce our certainty
a bit or cause us to find a different solution.
- The consultant provides knowledge. In this case, our dependency
on the consultant is substantial because we depend on the consultant's
special knowledge to uncover things we would not otherwise find. If the
consultant does not have adequate expertise, their lack of knowledge could
often translate into a great deal of damage. Example: The consultant
says the firewall is safe and it is not. The organization soon loses a
very large portion of its information assets because the consultant was
wrong and was trusted.
- The consultant supplements resources. In this case, our dependency
on the consultant is potentially very high in that any work they do may
leave a long-term effect on the overall protection program. Example:
The consultant helps to set protection bits on network file servers and
does it incorrectly. The potential for harm is severe, while the cost of
redoing the work the consultant did poorly is about the same as the consultant
cost in the first place. The longer the consultant works for us, the more
we come to depend on the quality of their work.
Now let's look quickly at vulnerabilities:
- The consultant provides independence. Unless things are done
very shabbily, no new vulnerability is introduced as a result of this sort
of activity other than the fact that one more person knows about the decision
being made and the reasons behind it.
- The consultant provides knowledge. New vulnerabilities can be
introduced by poor technical judgements and existing vulnerabilities can
be left unnoticed through a lack of adequate knowledge. While this supports
the notion that consultants can increase vulnerabilities, it is incumbent
on anyone using a consultant to check out the consultant's credentials
as well as any results the consultant provides.
- The consultant supplements resources. In this role, the consultant
has the potential to accidentally or maliciously induce vulnerabilities
into systems and, as side effects, weaken protection throughout the organization.
Now we will consider threats:
- The consultant provides independence. In this role, consultants
are rarely a threat to the organization. In the worst case, they may reveal
some inside information related to their consulting work, but in this case,
we might be able to track them down and counter any ill effects fairly
easily.
- The consultant provides knowledge. In this role, most good consultants
very quickly come to know precisely how to attack the organization's
information systems. If consulting is done properly, this threat will be
minimized by the consultant and client taking care to limit the role to
one of providing knowledge. For example, the consultant need not know specific
passwords to be able to determine that inadequate controls are in place
to assure that they are hard to guess. Systemic vulnerabilities will be
much harder to protect, and to that extent the consultant in this role
is a serious threat.
- The consultant supplements resources. In this role, the consultant
is most dangerous. The keys to the kingdom are given to the consultant
for whatever efforts they are brought in to aid. In a policy role, this is rarely
a serious problem, but as the role becomes more technical, access to specific
vulnerabilities and systems becomes increasingly likely. The threat is
potentially very severe in this role.
So we see that the risks introduced by consultants are, at least qualitatively,
more extreme as we move from the role of independence to the role of knowledge
source and into the role of supplemental resource. It is also often the
case that the value of the consultant is far greater in the independence
and knowledge source roles than in the supplemental resource role. The former
roles tend to involve higher cost per hour but far fewer hours to get the
job done well, so that the total cost in those roles tends to be lower than
the total cost in the supplemental role.
On this basis, it would therefore appear that the return on investment
is higher and the risks are lower for the information protection consultant
in the independence and knowledge source roles and that this is where organizations
should spend their information protection consulting dollars.
Other factors to consider:
Other outsourcing factors that tend to make it less suitable for information
protection than other areas include:
- There tends to be less control over the consistency of the personnel,
especially in cases where the contractor determines which people work on
which projects at which times.
- Always remember that the best experts are used in the sale of consulting
services and in high-level customer contacts, but these are not always
the people working on the actual projects. As you move toward the supplemental
role, the level of expertise and consistency of personnel tend to get lower.
- Contractor personnel tend to have a different trust relationship with
the client than employees. Because of the central role of trust in information
protection, it is vitally important that the trust level of consultants
be considered in decisions about their roles.
- Sometimes, you just don't have the personnel to get the job done
and management won't or can't provide it. Perhaps you have no
choice but to outsource, but then perhaps there is another solution that
would eliminate the need to do so. This situation is an ideal opportunity
to bring in a consultant for the roles as an independent expert and knowledge
source. They may help find another way to meet the challenge, help convince
management of the need for more and better insiders, or perhaps even validate
the need for outsourcing in this special case.
Conclusions:
Outsourcing information protection is a very risky business and it is
more risky in the role of supplemental assistant than in the roles of independent
expert and knowledge source. Limiting outsourcing to these two areas in
all but the most exceptional cases is in the organization's best interest.
About The Author:
Fred Cohen is a Principal Member of Technical Staff at Sandia National
Laboratories and a Senior Partner of Fred Cohen and Associates in Livermore
California, an executive consulting and education group specializing in
information protection. He can be reached by sending email to fred at all.net.