Security Outsourcing: Creeping Determinism

Security departments that rely too heavily on their outsourcer to troubleshoot problems could be heading for disaster.

By David H. Holtzman

November 01, 2003 — CSO — "NASA structure changed as roles and responsibilities were transferred to contractors, which increased the dependence on the private sector for safety functions and risk assessment while simultaneously reducing the in-house capability to spot safety issues."
-Columbia Accident Investigation Board report, August 2003

It's been almost a year since the Columbia space shuttle accidentwhich brought the crash rate to 40 percent for this particular fleet. The investigation panel's report blamed NASA's contractor-dependent, decentralized organizational culture as much as any specific manufacturing defect. Several newspapers used the psychological term creeping determinism to describe this fatalistic, laissez-faire mentality that had permeated the agencythe growing sense of inevitability, especially in hindsight, that an accident of this kind would happen.

Security specialists, as well as scientists, can fall victim to this effect.

Outsourcing critical and messy functions like security is seductive, the downside being less control and slightly more cost. But as the Columbia example illustrates, the cumulative damage from this detachment can be devastating. Delegating critical functions breaks the feedback loop, which can bring potentially serious problems to light. An outsider might tolerate a nagging issue because his attention is scattered among various projects. An insider usually won't. Each tolerated error accumulates one upon the next causing a buildup of unresolved snafus that can eventually lead to a massive failure.

"It is our view that complex systems almost always fail in complex ways."
-Columbia report

Security is a major business system, and it reaches into every department and function. The combined complexity quickly becomes cosmic in proportions. An outsourcer's methodology is based on previously seen problems, and it is effective against situations that progress in a slow, linear fashion. But this approach fails when faced with problems that rapidly expand in scope and complexity. In-house security, on the other hand, can stop these situations from spiraling out of control by triaging troubles at first sighting, inhibiting the runaway tolerance of risk.

"Changes in organizational structure should be made only with careful consideration of their effect on the system and their possible unintended consequences."
-Columbia report

For exposed security departments seeking additional cover, security contracting seems more panacea than placeboturning a weakness into a strength. Moreover, it's easy to find someone to hire. Since the terrorist attacks of 2001, security consultancies have been springing up like toadstools after rain. But too often, companies are picked without consideration to their long-term ability to serve the contract. Any company that is considering completely outsourcing its security would do well to give that decision long and careful thought. If security is a business-critical function within the company, it should be internally managed. Hiring an extra set of hands or feet is fine, but the brain, eyes and ears should stay attached to the body.

"Changes that make the organization more complex may create new ways that it can fail."
-Columbia report

Using contractors is not inherently stupid, but it must be managed and recognized for what it brings to the organization, both good and bad. On the plus side, it is useful to have experts available who are paid only when used. However, security is a management function, not a specialty. The extra complexity that comes with detaching it from the rest of the company should not be taken lightly, any more than a mature organization would consider renting a CFO.

The failure of process is always a tragedy, distinguished in severity and scope by the significance of the mission. Lessons learned in one case apply to all, even if we aren't rocket scientists.

Read more about security leadership in CSOonline's Security Leadership section.

• Print