Security Outsourcing: Pass the Buck
November 27, 2000
The pitch for outsourcing your security needs often goes something like this: "Security is tough. You can't handle your security requirements. You can't hire enough staff to secure your environment. We have the experts; we'll take care of everything for you." It's a great pitch, and based on the amount of venture-capital funding and number of "monitored-service" offerings cropping up, the market for outsourced information security services has great potential.

While there are no guarantees from such providers, outsourcing is quite tempting from the midlevel management perspective. Outsource a heated area to the purported experts and let them deal with the problems. If anything goes wrong, hey, that's not your fault--it was outsourced, right? Unfortunately, it's not always this simple.

Security-outsourcing firms can do a few things quite well. Managing your firewalls and IDSes (intrusion-detection systems) and serving as an incident-response wing for your organization are well within the scope of many of these firms. However, security officers and industry experts alike say successful security programs require far more attention. Policy development, threat identification, patch coordination, end-user education--all are required for successful information security programs, and these are areas with which many third parties will struggle.

Upper-level management really needs to notice this trend as well. If you, as top manager, lose $10 million of R&D material, get squeezed in lawsuits for unauthorized disclosure of patient data or fall victim to a high-profile credit-card theft, your board of directors is going to want answers, not a scapegoat. Managed security service providers won't be held accountable for such incidents.

When choosing a partner for security, you must understand what these organizations will and will not provide. Monitoring firewalls and intrusion-detection systems is one thing; rolling out patches, defining procedures and enforcing policies are quite another.

So anyone who tells you definitively that security outsourcing is--or is not--the way to go is not telling you the full story. Stick to your guns and ask questions. Find out what the providers can and cannot help you with. If your organization does not have the capacity to stay on top of firewall, virus or intrusion-detection systems, managed security services firms could be lifesavers.

But before you choose an outsourcing partner, be proactive. Put the necessary policies and procedures in place, solidify your information security program and complete your security framework. In the end, only one organization has ultimate responsibility for your security: yours.












