Opinion

Security Outsourcing: Creeping Determinism

Security departments that rely too heavily on their outsourcer to troubleshoot problems could be heading for disaster.

By David H. Holtzman

November 01, 2003 CSO

"NASA structure changed as roles and responsibilities were transferred to contractors, which increased the dependence on the private sector for safety functions and risk assessment while simultaneously reducing the in-house capability to spot safety issues."
-Columbia Accident Investigation Board report, August 2003

It's been almost a year since the Columbia space shuttle accident, which brought the crash rate to 40 percent for this particular fleet. The investigation panel's report blamed NASA's contractor-dependent, decentralized organizational culture as much as any specific manufacturing defect. Several newspapers used the psychological term creeping determinism to describe the fatalistic, laissez-faire mentality that had permeated the agency: the growing sense of inevitability, especially in hindsight, that an accident of this kind would happen.

Security specialists, as well as scientists, can fall victim to this effect.

Outsourcing critical and messy functions like security is seductive, the downside being less control and slightly more cost. But as the Columbia example illustrates, the cumulative damage from this detachment can be devastating. Delegating critical functions breaks the feedback loop that brings potentially serious problems to light. An outsider might tolerate a nagging issue because his attention is scattered among various projects. An insider usually won't. Each tolerated error piles on the last, causing a buildup of unresolved snafus that can eventually lead to a massive failure.

"It is our view that complex systems almost always fail in complex ways."
-Columbia report

Security is a major business system, and it reaches into every department and function. The combined complexity quickly becomes cosmic in proportion. An outsourcer's methodology is based on previously seen problems, and it is effective against situations that progress in a slow, linear fashion. But this approach fails when faced with problems that rapidly expand in scope and complexity. In-house security, on the other hand, can stop these situations from spiraling out of control by triaging troubles at first sighting, inhibiting the runaway tolerance of risk.

"Changes in organizational structure should be made only with careful consideration of their effect on the system and their possible unintended consequences."
-Columbia report

For exposed security departments seeking additional cover, security contracting seems more panacea than placebo, turning a weakness into a strength. Moreover, it's easy to find someone to hire. Since the terrorist attacks of 2001, security consultancies have been springing up like toadstools after rain. But too often, companies are picked without consideration of their long-term ability to serve the contract. Any company that is considering completely outsourcing its security would do well to give that decision long and careful thought. If security is a business-critical function within the company, it should be internally managed. Hiring an extra set of hands or feet is fine, but the brain, eyes and ears should stay attached to the body.
