Managing Network Security


To Outsource or Not to Outsource,

That is the Question!

by Fred Cohen

Series Introduction

Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


As a long-time consultant in the information protection field, I have often observed, to my dismay, that outsourcing information protection work is a particularly risky business. I sometimes find myself advising my clients not to use consultants as much as they do in the information protection area.

Since my clients almost always follow my advice, you would think that this might not be very good for my pocketbook. But don’t worry about me. My clients almost always ask me to work for them doing things that are appropriate for a consultant to do.

Basic Issues:

The fundamental role of organizational information protection programs is to keep people from being harmed as a result of information or information technology. In most cases, this is translated at the organizational level into protecting corporate information assets. Since outsourced people in information protection roles (we’ll call them consultants from now on) are, in essence, information assets, we could analyze their utility just as we would any other information asset. I will use return on investment as the driving force in my simplistic analysis here.

But before we can understand return on investment, we have to understand the different roles that consultants can play in an organization, so that we can understand the risks and the values associated with bringing them in. Without this, we cannot make a business case for hiring an outside consultant anyway.

In today’s world, we can potentially hire a consultant to do anything that an employee can do, so every internal role is open to this possibility. But there are also roles that an outside consultant can play that no insider can play. Two of these roles are providing knowledge about what other organizations are doing and providing context from outside of the organization.

The three roles:

This then sets out the three major roles of information protection consultants:

It is perhaps noticeable that the use of consultants for long-term supplementing of full-time employees has not been included in this list. This is not because I am a heavy union supporter, but rather because a long-term, full-time consultant is, in essence, a full-time employee as far as risk management is concerned – or at least should be treated as one. This implies that similar background checks, clearances, agreements, and other similar things should be in place for such a consultant, and that the differentiation between this person and employees should be based only on a legal distinction.

Risk management:

The risk management approach I typically use begins by understanding dependencies, vulnerabilities, and threats. We begin with dependencies.

Now let’s look quickly at vulnerabilities:

Now we will consider threats:

So we see that the risks introduced by consultants are, at least qualitatively, more extreme as we move from the role of independence to the role of knowledge source and into the role of supplemental resource. It is also often the case that the value of the consultant is far greater in the independence and knowledge source roles than in the supplemental resource role. The former roles tend to involve higher cost per hour but far fewer hours to get the job done well, so that the total cost in those roles tends to be lower than the total cost in the supplemental role.

On this basis, it would therefore appear that the return on investment is higher and the risks are lower for the information protection consultant in the independence and knowledge source roles and that this is where organizations should spend their information protection consulting dollars.

Other factors to consider:

Other outsourcing factors that tend to make it less suitable for information protection than other areas include:


Outsourcing information protection is a very risky business and it is more risky in the role of supplemental assistant than in the roles of independent expert and knowledge source. Limiting outsourcing to these two areas in all but the most exceptional cases is in the organization’s best interest.

About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing in information protection. He can be reached by sending email to fred at