Outsourcing is a major decision for an organization, and not one that should be taken lightly. Opening up a global security operations center (GSOC) to a third-party can also open an organization up to risks, so it’s important for security leaders to take every precaution possible.

Greg Newman, VP of Operations at HiveWatch, shares his suggestions for safely outsourcing a GSOC.

1. Identify whether outsourcing a GSOC is the best idea for your organization

Building an in-house GSOC can be time-intensive and expensive, requiring significant investment in technology, infrastructure, personnel and ongoing training. Security leaders must also assess risks, balancing internal control against the perceived loss of control when outsourcing sensitive data to an external GSOC. The ability to scale is another consideration to make, as growth means the need for more resources and investments in personnel, while a GSOC-as-a-Service (GSOCaaS) may offer more flexibility as you figure out what people, technology, and software you actually need to get the job done, and as those needs evolve and change.

If outsourcing comes out as the clear winner, the first step is defining your organization’s objectives and requirements, including the primary goals of the GSOC. This might include the table stakes like monitoring your access control systems and video systems, plus improving threat detection, achieving compliance standards within your vertical market, reducing response time, or adding additional resources to cover after-hours incident response. Whatever these goals are, they need to be clear and defined.

You also need to determine the scope of services required. Will the GSOC provide 24/7 monitoring, incident response, threat intelligence, or vulnerability management? Consider factors such as the size of your organization, the industries you operate in, and the sensitivity of the data you handle. And consider the number of disparate systems your team will need to handle at the same time. Ensure you understand the expectations that your security program has of an outsourced GSOC or GSOCaaS.

2. Make the right partner selection

I didn’t use the word vendor for a reason — when you’re making a decision as big as whether to trust an outside entity with the security of your organization, building a relationship and partnership with that company is the most important aspect of the process. Identifying partners that can meet (and hopefully exceed) the goals and objectives set above is imperative, along with the ability to scale as the needs of your organization change.

Some other considerations to make include:

• Flexibility: So many times, there are surprises when transitioning to an outsourced GSOC — things that you didn’t know about your own program, or things you didn’t anticipate. It’s good to engage with a partner that has the right amount of flexibility when dealing with the unknowns. You want a partner that will work with you to solve problems.
• Tech stack knowledge: Make sure the partner you choose has experience with the tools your security team uses — or already has state-of-the-art tools necessary to effectively manage and respond to incidents. You’ll want your GSOC partner to be your tech thought partner as well, and explore what makes most sense for your program together.
• References: Make sure you can speak to other customers about their experiences using the partner — and ask questions about how they meet goals and collaborate effectively.

Transitioning from an in-house GSOC to an outsourced one takes time, planning, and dedication to ensuring nothing slips through the cracks.”

3. Plan for a smooth transition

Transitioning from an in-house GSOC to an outsourced one takes time, planning, and dedication to ensuring nothing slips through the cracks. The time to start thinking about the logistics is not once you sign the contract.

Start with a clear timeline, list of milestones, and the resources required for the transition (especially technology and support outside of security, such as IT, information security, and human resources). The process should be reviewed and agreed on by both the partner and the customer to make sure there’s a clear understanding of the roles and responsibilities of each. A simple mutual action plan can be helpful here.

Also, consider not taking it all on at once: Some companies may take a phased approach to fully outsourcing a GSOC, which might be a good fit for a more streamlined transition. (For example, initially taking over nights and weekends for a certain amount of months.) Additionally, some companies benefit from having an overlap between providers (if they’re switching). Start with something basic like access control and video monitoring; prove the value, prove the partner, and then expand the reach to the whole program.

Finally, the biggest piece of advice I can give is: be flexible. I like to use this quote from Mike Tyson: “Everyone has a plan until you get punched in the face.” Part of engaging with the right partner is being able to collaborate when something doesn’t go exactly the way it was supposed to, or how you envisioned it, or how sometimes something looks right on paper but it just… doesn’t work that way. Planning for flexibility and being open to learning things about your security program comes with the territory in these kinds of activities, along with the ability to go a different direction if needed.

4. Monitoring and managing the partnership

The real work begins when the GSOC has officially been transitioned to an outsourced third party. Maintaining an effective partnership is a critical piece of the puzzle, and should be done through regular communication and constant evaluation to make sure the GSOC is meeting the organization’s needs. Like any department across a company, there’s no such thing as “set it and forget it.” This is where having data becomes a huge factor in determining the efficacy of the partnership — and not all outsourced GSOCs are able to easily report on this data without the right tools and technology to do so.

Here are some of the ways your GSOC should be working with you to keep the relationship in tact:

• Performance reviews and indicators: All of the goals and objectives that were agreed on early in the process have to be regularly reviewed to make sure the GSOCaaS is meeting the agreed upon KPIs.
• Incident reporting and case management: Make sure your partner is able to provide details about incidents, including the ability to collect information for actionable offenses that can be shared easily with HR and the C-suite (as needed).
• Continuously improve: The right partner will be looking for ways to better serve you as the customer. In the case of an outsourced GSOC that’s using their own software, this might also include the ability to ingest requests for new features and updates as needs arise.
• Customer support and service: One of the most important aspects of engaging with an outsourced GSOC is ensuring that you’re able to establish a feedback loop to address any concerns or challenges easily and proactively. This goes back to the relationship-building aspect and it’s so critical to the success of your security program.