In-House vs. Outsourced IT Risk Assessments
In today’s cybersecurity landscape, it’s essential to have experts on your team who can add value to your school’s risk assessment projects. Inevitably you’ll have to make the decision of whether you should task your internal team with the responsibility, outsource to a third party, or take a hybrid approach. Each option comes with its advantages and disadvantages, so it makes sense to explore different arrangements to determine which one is best suited for your institution. Before going into the pros and cons of each, there are a few risk assessment principles that you’ll want to familiarize yourself with.
This is the process you will use to conduct your assessment. This could include using a spreadsheet to track your progress and determining if you will conduct interviews face to face or over email. Using broader database/workflow software is also an option and could drastically reduce the administrative energy and repetitive tasks that are required within a risk assessment project.
Your scope will be the assets, units, stakeholders, etc. that will be under the scrutiny of your assessment. You can start narrow with critical resources such as your data center or take a broader approach and start campus-wide.
Your framework is the blueprint or roadmap you’ll follow when conducting your assessment. You must figure out which standards or question-sets you will use during the assessment. This could span a wide range of possibilities. For example, the question set for a HEISC self-assessment will be different from a full-blown NIST 800-53 FISMA. After all the data is collected, you’ll have to determine how you’ll want to analyze and report the data.
Conducting an in-house risk assessment
Going in-house means leveraging your existing team members to complete an assessment. When you choose this option, you may not already have a current risk assessment framework in place. There are several factors you’ll have to consider, including what to assess and how you will assess or approach the project.
When staying in-house, you’ll have the advantage of being able to leverage existing resources vs. having to find new budget for a full-on engagement. Given the complexity and sensitivity of a school’s data assets coupled with the time and resources it takes to hire a third-party, it makes sense for schools to lean toward delegating risk assessment duties to in-house employees.
Home Team Advantage
An existing employee will already have a familiarity and understanding of the campus. This tribal knowledge will help when determining where sensitive data is located and will also prove beneficial when it comes time to access the appropriate stakeholders. It can also be helpful to have personnel right down the hall if that something happens and there is an issue. It may cause less friction to have someone within the organization, i.e., a “familiar face” following up rather than an outside consultant.
Employees are naturally embedded within the organization. As you begin to take a more comprehensive approach with your assessments in the future, the detailed knowledge that an employee gains keeps the knowledge in-house making it more actionable. This will positively guide your decision making down the line.
A permanent employee is also going to be much more invested in tending to the overall health of your organization and taking proactive measures to guarantee a more secure environment. They will still be working at the school after the engagement is over, so they are naturally incentivized to do the best job possible.
Many security teams are short-staffed and can’t conceive of one more thing be added onto their plates. Depending on the scope and scale of the assessment, if you’re trying to do things manually, without automation software, conducting an assessment can quickly become a full-time job.
Conducting an outsourced risk assessment
Outsourcing means paying for an outside consultant or firm to come in and conduct a risk assessment. Depending on your budget, the scope is typically limited to a critical area or a sampling across several different groups of focus. Although you’ll be offloading a majority of the legwork to someone else, you’ll still need to determine the goals of your assessment, i.e., breadth and depth. You’ll also need to figure out what you are assessing against or the standard/framework you will be using. You won’t be entirely on your own with these decisions as the outside consultant/firm can provide recommendations to aid your decision making.
Since an outside party will be doing the manual roll-up work, your team won’t have to devote as much time and resources to the assessment. If the consultant is experienced in dealing with higher education environments, they can provide recommendations on the best approach to take and can potentially benchmark you against your peers.
Accuracy is vital in an assessment, and an outside party can be potentially more objective since they most likely don’t have any ties or biases towards your school. This can prove beneficial as you start to take action based on the findings of your assessment and can lead to fewer surprises down the road.
When you outsource, you also have access to a broader range of experience in the people you contract for an engagement. You can work with professionals that have handled a variety of cybersecurity issues in the past such as ransomware, DDoS attacks, social engineering campaigns, and malware.
The number one downside of outsourcing is cost. If you don’t aggressively limit your scope, you may quickly exceed your allotted budget. Even so, it may be difficult to spot roadblocks or obstacles that may arise during an assessment which can lead to unforeseen additional expenses.
You’ll also have to consider all of the additional vetting, paperwork, processes, and approvals you will have to go through to bring in a consultant. These are all activities that require time and other resources from your department.
Furthermore, budget limitations may drive the scope of the assessment rather than a business case. Often an outside risk assessment will focus on a narrow topic or portion of the environment based on cost, time or logistical constraints.
Every consultant has a unique approach to conducting a cybersecurity assessment. Sometimes this can turn an assessment into more of a box check or certification exercise instead of providing deep insights and actionable results. You also won’t have the same opportunity to communicate face to face after the engagement is over that you would with an in-house employee. Some consultants have a tendency to throw their findings over the wall without a vested interest in seeing their recommendations followed.
At the end of the day, you may be left with a report and its recommendations. Needless to say report quality and actionability of recommendations can vary considerably. Also when it comes to next year, you are back to the starting board as the gleaned information may not be in a format that you can build off of and expand.
Challenges of a Distributed Environment
Higher education has the unique challenge of operating within a distributed environment. This can prove difficult as the consultant may not find the right people with the correct information that they need to do their job. The results of an assessment are contingent upon the people they can find and the information that they can gather within the time frame allotted.
Looking at both options
This doesn’t have to be a mutually exclusive decision. You can run a hybrid team where the responsibilities of the assessment are shared between employees and an outside party. An external expert who’s familiar with higher education can provide valuable insights to an organization as well as an independent assessment to validate or further explore critical areas.
An outside expert doesn’t necessarily replace the need for an internal security team to understand the essentials, such as what sensitive data is in their organization, where it is stored, how it is controlled, and the need to assess the overall security and risk posture across the organization.
If you do decide to go the hybrid route, you’ll want to make sure that you draw clear expectations and responsibilities as you can run into political issues between both groups. Make sure you have a solid framework in place of how the engagement should work that includes a clear handoff of duties.
Deciding what’s best for your organization
After weighing the pros and cons of both options, you’ll have to take into account the resources that are available to you based on your particular situation. For example, if you want to keep things in-house and are still using spreadsheets, consider using workflow software to make your process more efficient. If you’re looking to perform risk assessments multiple times throughout the year but don’t have the budget to hire an outside party each time, you could keep the majority of your assessments in-house and bring in a consultant on an annual basis.
Although risk assessments are a large undertaking, you can’t just throw everything to an outside party and expect to be done. It’s the security team’s responsibility to gain as comprehensive of a view as possible across their organization, especially in critical areas or units that deal with sensitive data. Manual data collection can be challenging and overwhelming as you scale. But, there are automation tools that will help collect and organize information across large distributed organizations like your campus.
Regulations can help direct our efforts to where work might need to be done, but risk assessments give us advance notice of exactly where those gaps might be. Using a variety of applicable regulatory frameworks, anyone can shore up their compliance through the use of questionnaire-based risk assessments.