Monday, December 20, 2010

My $0.02 worth on outsourcing security

I have had some discussions with people surrounding this topic lately and I want to highlight a few points on this very tender topic.

Firstly, I am not in favor of offshoring security testing. It needs to be said. I acknowledge it is happening, I acknowledge there is an economic benefit in doing so, I understand why this is happening - but it isn't something I'm happy with. Then again I'm not happy with a lot of things but we have to make do with what we've got sometimes. I also think a lot of people rage about it without a clear grasp of what is "really" the problem. So I want to put a number of ideas out there about what I think people are sensitive about and, with that in mind, try to put it into perspective. Moreover, I want to stress in economic terms why this happens and is "normal" (in an economic sense of the word).

I've included some common economic principles below that I have personally found really interesting in studying this for my MBA. Contrary to popular belief, economics is not just about business. At its core, it is about how people make decisions and evaluate choices. Everyone should study a bit of economics IMHO. Even if you have no interest in business, it can help you with your social engineering efforts. :) Anyway, this segues into my next point.

Economists explain that when people make a decision (such as purchasing another unit of a given good) they evaluate what the benefit is in doing so. Some companies have already decided that moving a good number of critical functions offshore gives them a much greater benefit. They can put the cash saved towards purchasing more security consulting, buying more widgets, giving execs larger bonuses - whatever. The point is the decision has been made because they perceive there to be a greater "gain" in this move.

Thirdly, the whole "outsourcing" of security is precisely why security consultancies are built. Businesses outsource their functions to specialists every day. It makes sense. Anyone that is even slightly familiar with economic theory will understand that it makes sense to employ specialists where needed when a specific skill competency is outside of your core business. So the whole idea that "outsourcing = bad" must be utterly dispelled. It isn't "bad". To say it is bad is a strawman argument. When I was hiring pentesters in my last job, it's because I was snowed under, I wasn't getting time to develop my own skills and yet was expected to attend 5+ hrs of meetings/day. It made perfect sense for me to hire guys who stayed on top of their game and were paid to keep their skills sharp, to say nothing of obtaining objective, independent testing. So let's get that out of the way. It happens every day; what we're talking about are these services either moving offshore or to more unskilled labour - that is what gets most security consultants' goats up. If you get a plumber in to fix your pipes, that is "outsourcing". Service your car? Outsourced. We do this every day, only we don't perceive it that way. Ever buy a car? Probably imported. I can go on but the point is that "outsourcing" is another word for "trade" (see Principle #5 below).

Fourthly, the outsourcing argument assumes that Australia has a monopoly on technical acumen - and that's simply not true. We are a very small player on a global stage. To be fair, I also think a good number of our homegrown talent is largely uncredited (but that's another issue). But I'll pick on India since it's a hotspot for outsourcing and there's a lot of good discussion and research on this topic in relation to India (so it suits for reference purposes).

For starters, India's IT schools are regarded as an asset of national critical importance. They also have a much larger population and an incredibly larger proportion of people going through university (1.1 billion people estimated, 7% post secondary education vs our 22 million population and 34% post secondary education). Right away, they have three times our national population with a tertiary education. Granted, there are cultural issues which suggest that many graduates are not well suited for many jobs (cultural attitude to rote learning apparently) but if you consider the pool of potential graduates coming through, statistically they have enough people they can (almost literally) throw at the wall and see what sticks! Even if there is evidence to suggest they aren't all appropriate, the fact remains that if you look only at the guys with talent, there is almost a statistical certainty that they will have more technically capable guys than we do in Australia. It's arrogant to presume we're so awesome that they can't compete in the same space as us. One of the beautiful things about technical skill is that it is not constrained by country, economic wealth or privilege and does not care about cultural barriers. This is what is great about tech and what brings techies together around the world. Likewise, it's the Achilles heel which ensures that the industry will always trend towards being outsourced.

Bringing the point home, it's not difficult to assume that if I can keep a close eye on how I outsourced my pentest and manage assurance with a virtual team, then other companies certainly can with outsourcing. That's not to say crap work can't be delivered by unskilled labour but let's be frank, we've seen that with local assets too, right? :D I see that as a management problem, not a delivery problem. Don't believe me? Ask any tradie who has to oversee first year apprentices fresh out of high school.

Finally, I.T. security has been largely a growth industry and despite hearing for years that it is almost a recession proof industry, it's interesting that only now we're being hit with the outsourcing. Having grown up in I.T., I've seen so many outsourcing gigs hit the jobs of either friends or family that I've almost become inured to it. I know people are thinking "OMFG pentesting gone to India wtfbbq" and it's like yes, welcome to the 21st century. We are all expendable. Now as mentioned, I am opposed to outsourcing this function because I think sensitive information gathered from pentesting needs to be kept close to home with strict governance around it along with stringent quality assurance. However, we all know about the insider threat so again - it's a strawman argument to assume it can't happen here. But the reality is we are not unique and beautiful snowflakes. People will outsource to companies if they can do it cheaper - even if there is a drop in quality. If the quality drop is still within an acceptable level, then meh - they'll wear it. I'm not saying it is right, but this is what Mankiw calls "the margin" and it's here to stay (always has been really). I was actually going to graph this point but I'm tired and can't be arsed. If you're actually interested, go study 'price equilibrium' or 'equilibrium theory' (the two aren't the same but they are related) and you'll see what I'm talking about.

Ultimately, the problems that arise from outsourcing are largely the same problems our clients face today when they decide to engage us as consultants. I share the same trepidation as everyone else but I don't think the problem is as concerning as everyone makes out. We just need to be very clear on what those problems are, ensure that we impose suitable checks to offset those risks, and have some sound advice for clients looking to move down this path.

If you're a company competing against outsourcing, my recommendation is to study Mankiw (see below) and have a think about how you could apply these principles in effect to your work. I have many ideas on how I'd compete against anyone simply offering a lower daily rate against my business. Some of them aren't entirely fair either. ;-) In any case, there are some things I won't post because we're competing against this crap too. :) One strategy I will offer is that I am a firm believer in uplifting our capability and focusing on delivering business consulting and security strategy (see #4 below and my previous rant).


- J.

N. Gregory Mankiw - 10 Principles of Economics.

#1 People face tradeoffs
#2 The cost of something is what you give up to get it
#3 Rational people think at the margin
#4 People respond to incentives
#5 Trade can make everyone better off
#6 Markets are usually a good way to organize economic activity
#7 Governments can sometimes improve market outcomes
#8 A country’s standard of living depends on its ability to produce goods and services
#9 Prices rise when the government prints too much money
#10 Society faces a short-run tradeoff between inflation and unemployment

PS: I recommend "Economists Do It With Models" as a great resource for understanding economic concepts in bite sized chunks. Jodi Beggs is actually a former student of Mankiw and better able to convey information than the textbook I have to use for my unit. :-( Yes, the link is worksafe btw, don't be put off by the name.

PPS: I had a whole rant where I was actually going to discuss price elasticity of demand with regards to security services but I realised that it's not relevant to this discussion and decided to drop it, but I'd be keen to hear from other security folk who are actually interested in this stuff on what they perceive the elasticity of security services to be. I'm of the view that it's actually quite elastic based on my own experiences but I realise that flies in the face of a lot of evidence to the contrary. Then again, I suspect I might be an anomaly in this area...