Tuesday, November 22, 2005

FEATURE: Outsourcing = bad security?

PREVIOUSLY : KNEE JERK REACTIONS

CHAPTER FIVE : FALSE SENSE OF SECURITY

In response to growing concerns about security and the ever-increasing complexity of managing these newly installed point devices, many companies turned to the same companies who managed their existing network infrastructure or to the emerging band of managed security service providers. This seemed the logical response for anyone looking to offload the complexities of security management and alleviate the need for high-priced technical talent. The problem was that most of the contracts contained clauses in the fine print absolving the service provider of liability and accountability for security incidents. Many such contracts promised little more than notification of events which couldn't be confirmed as false positives. This level of service puts the onus on the customer to respond to and resolve the incidents reported. In many cases this was a surprise to an unprepared client in their hour of need. Of course, these same service providers were able to assist in the incident response for additional hourly fees.

Outsourcing security has been a hot topic of debate for some time. There is a strong argument for both sides and no sign of consensus on the horizon. The facts are simple yet overwhelming for many:
  1. Addressing security and IT risk is not optional;
  2. Legislation and liability are driving security to the top of CIOs' priority lists;
  3. There is a real awareness problem in bridging the gap between the business people and the technologists;
  4. Technology is ever changing, so security is a moving target;
  5. Good security resources are hard to find and costly to hire and retain;
  6. Outsourcing security does not transfer accountability or liability to the service provider.

Regardless of whether you choose to outsource or keep security in-house, the challenge is in getting executive support and alignment between the business units and the security function. In the worst case, these relationships are adversarial, and conflict between groups results in a decrease in productivity. In the best case, the security officer understands the business, is able to communicate clearly the threats to business operations, and can show that effective risk management actually enables the business. Many enterprises make the mistake of outsourcing their security as part of a generic outsourcing agreement before obtaining this alignment, and the outsourcing then leads to a false sense of security or a "tick in the box".

NEXT : CAVEAT EMPTOR (Let the buyer beware)

NOTE : Thanks to Chris Thatcher from our North American practice who assisted with this chapter.

CATEGORIES : 1feature, 1outsourcing, 1advice, 1best practices
