5 Best Practices for Outsourcing Cyber Security & Compliance Services

Cybersecurity Outsourcing Report


Q3 2017

The Cybervisors (Cybersecurity Advisors) at Lazarus Alliance, Inc. provide chief information security officers (CISOs) and IT security teams with insights and advice on how to overcome the cybersecurity skills gap.


How to find a trusted GRC partner

Michael Peters

Chandler, Ariz. – Sep. 30, 2017

Outsourcing your enterprise cyber security and IT compliance is a great way to save money and time, as well as to overcome the very serious and growing cyber security skills gap. However, it is also a serious decision. Your cyber security provider will have privileged access to your network and to your sensitive data, so it deserves the same scrutiny you would give a new employee with administrator rights. How can you ensure that you are entrusting your enterprise to a provider who is not only legitimate but is also the right fit for your particular organization and data environment? Following are five best practices to follow when outsourcing your cyber security and IT compliance.

If Something Seems “Off” About a Company, It Probably Is

At a minimum, steer clear of providers who do any of the following:

  • Cannot provide you with a street address and phone number.
  • Do not have enterprise email addresses and instead communicate using addresses from Gmail, Yahoo, etc.
  • Have websites that appear very “amateurish” in design and/or contain text written in broken English.

These are immediate red flags indicating that you are dealing with an amateur, or possibly a fly-by-night operation.

Get References

Even if a provider seems perfectly legitimate and professional, always ask for references, and make sure to call them. Professional cyber security firms are always happy to provide verifiable references. You should also search for the name of the company and its principal(s) and look for reviews, or complaints.

Make Sure that the Provider Can Handle all of Your Compliance Requirements

Continuum GRC's audit and assessment services include HIPAA and HITECH, PCI DSS QSA, SSAE 16 and SOC reports, FedRAMP, FISMA, NIST, CJIS, ISO, NERC CIP, SOX, and EU-US Privacy Shield certification; we are the only Arizona-based company that provides this depth of coverage.

However, many GRC companies, including some that are very large, handle certain IT compliance requirements but not others. Make sure that your provider not only offers all of the compliance services you need but also has experience performing those specific audits. Ask about your specific compliance requirements while you are checking the provider's references.

Ask the Provider About Their Audit & Compliance Processes

Believe it or not, some IT auditors are still using Excel or other spreadsheet programs to perform IT compliance reporting and audits, even though spreadsheet programs were never designed for the very large data sets produced by today's complex data environments. A GRC provider that is still fumbling around with spreadsheets is going to end up costing you a lot of time, money, and headaches.

Make sure your provider uses modern RegTech software to perform compliance reporting and audits, such as Continuum GRC's proprietary IT Audit Machine (ITAM). ITAM uses big data capabilities and rapid report creation to automate data management and reporting. Instead of dozens of different spreadsheets and ledgers, ITAM creates a centralized repository of all IT compliance requirements, with associated controls and automated information flows for audits, assessments, and testing. This saves you time, money, and stress and gives you a big-picture view of your data environment and its risks and vulnerabilities.

Get Everything in Writing

Finally, make sure that the provider signs a written contract that specifies exactly what is expected of them (scope of work, deliverables, service levels, and confidentiality and data-handling obligations) and that they are willing to guarantee, in that contract, any promises they make.

By following these best practices, organizations can enjoy the benefits of outsourcing, minimize the risks, and build fruitful, long-term relationships with trusted cyber security providers.

Michael Peters is the CEO at Lazarus Alliance, Inc.

Q2 2017

Outsourcing Can Help Bridge the Cyber Security Skills Gap

The cyber security skills gap is real and growing; there simply aren’t enough cyber security employees to go around.

Michael Peters

Chandler, Ariz. – Jun. 30, 2017

Cyber crime is rapidly escalating, and board rooms are taking notice.

KPMG’s 2017 U.S. CEO Outlook survey shows cyber security risks to be among CEOs’ top concerns, yet only 40% of them feel that their organizations are fully prepared to handle a cyber attack. This isn’t surprising in light of the very serious – and worsening – cyber security skills gap.

The cyber security unemployment rate was zero in 2016, and it's expected to remain there until 2021. That is also the year by which Cybersecurity Ventures predicts there will be 3.5 million unfilled cyber security jobs.

Small and medium-sized firms are being hit the hardest by the cyber security skills gap, as the short supply of qualified talent is quickly snapped up by multinational firms that can afford to pay the high salaries and provide the “Cadillac” benefits and perks that this talent has the power to demand.

The situation is expected to worsen in light of New York's new cyber security regulation (23 NYCRR Part 500), which requires finance and insurance firms operating within the state to designate a CISO and to use "qualified cyber security personnel."

Governments and private-sector organizations are wringing their hands over how to deal with the problem. The mayor of New York City has announced a plan to invest $30 million in cybersecurity training, academic research, and development labs, with the goal of creating 10,000 new cyber security jobs over the next decade.

IBM has launched what it’s calling a “new collar” jobs initiative to train both students and older workers in cyber security.

Outsourcing Is the Best Way to Immediately Bridge the Cyber Security Skills Gap

In light of the cyber security skills gap, the best option for most organizations is to outsource their cyber security functions to a reputable cyber security provider such as Lazarus Alliance. Our Cybervisors® service allows organizations of all sizes to immediately retain the services of the best and brightest subject matter experts in cyberspace law, cyber security, risk assessments and management, audit and compliance, governance and policies, and more.

In addition to getting the help you need right away, there are many other benefits to outsourcing your enterprise’s cyber security functions, including:

  • Significant cost savings. It is almost always less expensive to outsource cyber security than to hire and maintain a full-time security team in-house. Even outsourcing just part of your cyber security functions, such as compliance, could result in significant savings.
  • Allows you to focus on your business' core competency. Most likely, you don't hire in-house staff to handle your own legal matters or do your own taxes. You realize that law and accounting are not part of your core competency, so you outsource those functions to attorneys and accountants. (Along the same lines, you probably outsource your building security to a security firm!) By the same logic, why would your firm handle its own cyber security? Outsourcing this function to a professional frees up monetary and human resources that can be used to create, innovate, and drive your business.
  • Allows you to access a level of expertise most companies don't have internally. Cyber security is a highly specialized field, and the skill set it requires is quite different from those in other IT areas. It is also highly dynamic, with new technologies and threat vectors emerging daily. Our Cybervisors® focus on only one thing: cyber security. They are highly experienced in this field, they are immersed in it, and they engage in continuous education to stay abreast of the cyber threat landscape.

Initiatives like the ones New York City and IBM have launched are positive steps toward bridging the cyber security skills gap, but training new cyber security professionals takes time, and organizations need help right now. Your organization can't wait 10 years, or even six months, to get the security help it needs at a price it can actually afford.

The cyber security skills gap is here for the long haul, and outsourcing is the best way to handle the problem right now.

Michael Peters is the CEO at Lazarus Alliance, Inc.