The Advantages of Outsourcing Information Security Management

This paper by Andrew Bycroft does not fit into the network security area, but it could be useful for IT managers.

Information security these days is becoming quite a scary proposition for most businesses. It moves rapidly, it is often associated with bad publicity, it is understood by only a small percentage of the population and, if not implemented correctly, it can put even the largest corporation out of business.

The media constantly covers breaking news stories about sites being hacked, credit card numbers being stolen and virus infections causing millions of dollars of damage.

As a business manager perhaps you are petrified by security – you have every right to be. Forking out money for what may seem like an “unknown” does not make a lot of business sense.


Maybe you are an IT manager who is just as scared. Just because one is an IT expert doesn’t mean one knows security intimately – after all, IT is very broad. Security is so intense that it requires specialists, just as law is so broad that family, civil and coronial law are individual specialist areas.

Perhaps you have an interest in security but are confused. There are many products and many solutions to choose from – it all becomes complicated very quickly. In addition there are many statistics out there that may be old and do not describe the latest trends in Internet security. For example, there was an old statistic indicating that more than 70 percent of attacks came from inside the network – this was true in the early 80s, when there was not a lot of connectivity to the Internet. The easiest way to launch an attack was from inside, because there were very few options for gaining access externally. Today’s statistics show quite the opposite: with most businesses having a website, and therefore an Internet presence, attacks are much more likely to come from the Internet. With issues like this it becomes easy for some businesses to think that security is not important, or to decide that it is so complicated that they will put it on hold, in the hope that one day soon a cost-effective, point-and-click security miracle is unleashed.

Let’s ask a few questions to see where you would fit with the statistics:


  • Does your business have a security policy document?
  • Does your business have dedicated security staff?
  • Would your security staff know what to do once a security breach had occurred?
  • Would your security staff know if a security breach had occurred?

If you answered, “yes” to all of these questions, then there is nothing more I can tell you. You might as well not read the rest of this paper. If on the other hand, as I suspect is the case, “no” was the answer to most of those questions, then you need to consider the advantages of outsourcing your information security management and I urge you to continue reading.


If everyone could employ his or her own security professionals, the digital world would perhaps be a safer place. That may well be true; however, there are two problems with this statement. Firstly, there is a shortage of qualified security professionals and, secondly, qualified security professionals do not come cheaply. As a result, many organisations assign the task of security management to a single person or group of people who are already occupied with other chores, and place security on the list as a task to complete when time permits. Security simply cannot take a back seat. What is worse is that many of those who wear the security hat, when not tied up with their primary job focus, are not skilled enough to actually carry out the work of a security professional. Think about it: would you want your tailor performing a blood test on you because a pathologist was too expensive?

Of course, training is an option. We can turn an IT person into a security professional with a few courses, a couple of certifications and a pay rise. I hear those words again: money, money, money! It costs quite dearly to keep a security professional up to date on security trends and attack countermeasures. Training also forms only part of what makes a good security professional; experience is what puts the cream on top of the cake. And why not? If you are going to shell out money for a security professional, you might as well pay for the best your money can buy.

Each year more and more security exploits appear. Why is this so? There are a number of reasons. As businesses gain more and more connectivity to the Internet and to other business partners, the number of potential security holes increases. As hardware and software become more complex, so does the likelihood of security holes. Many security exploits are found and not reported, and, more significant still, many potential security exploits are yet to be discovered. This makes the job of a security professional tough.

With this information at hand, it becomes important to realise that staying on top of the latest security exploits takes much time and much experience. Skilled resources are required in order to assess the risk of these exploits, identify whether the business is vulnerable to them and, if so, carry out the tasks necessary to prevent a full-scale attack. Perhaps you have one security professional, or maybe even a dozen, devoted to your business, working constantly from 9 to 5 without so much as time to catch a breath – but does your average attacker also work those hours? Is there a sign hanging on your firewall that reads “open from 9 to 5 – please come back and attack us during business hours”? So now we get the picture: security requires 24 x 7 support. Instead of one person working 8 hours you need, say, three people to cover a 24-hour shift. Suddenly the costs have increased threefold.

So perhaps you cannot splurge on a security professional, but you hire a security contractor to bring your security up to acceptable levels; maybe your contractor is so good that your security is now top notch. Problem solved… Well, problem solved for today, but tomorrow is a new day and tomorrow there are an additional five ways an attacker can defeat you. Security is not a set-and-forget scenario. Security requires that you have the resources to focus on it and, more importantly, to stay focussed.

Finally, we have established that security isn’t your core competency, but don’t worry. I’m sure repairing your car’s engine isn’t either, nor cleaning your office windows, so what happens in circumstances like these? We look for someone to outsource these services to. We find a mechanic or a window washer who is competent in these areas. Whoever said “Find the one thing you are good at and outsource the rest” was a very wise person.

Outsourcing your information security management is the one thing you can do to make sure that next time you read this document you won’t need to read beyond the statistics.


Outsourcing means that you no longer have the hassle or the cost of trying to hire security professionals, nor will you need to worry about whether your IT staff, or anyone else who may have been handling your security management, know exactly what they are doing. An outsourcer will have qualified, customer-focussed staff to align security management with your business goals and put your best interests at heart.

You need not worry about training costs. Your outsourcer will be qualified to provide you with ongoing support, will be up to date on the latest security issues, and should be able to separate the facts from the myths.

Management of your security on a 24 x 7 basis is what outsourcers do best. No more long, exhausting shifts, and no need to roster three people to cover 24-hour monitoring and management of security incidents. A good outsourcer will provide an operations centre and an incident response team to ensure that incidents are handled with care and managed from start to end, with quality control exercised every step of the way.

Outsourcers will have extensive knowledge of the security market, both locally and globally, to keep you informed and to make recommendations that help your business grow whilst enhancing security.

Services such as auditing, penetration testing, security policy documentation, security solution design and implementation, disaster recovery, education, monitoring and proactive management are best left to the experts – your outsourcer.


Outsourcers will form a trusted relationship with you. SLAs (service level agreements) and, in some cases, penalties for failure to deliver in accordance with those agreements can be agreed between an outsourcer and yourself, leading to a win-win situation. A good outsourcer will be able to provide you with references and possibly even case studies that show that their services are up to the standards you expect. When choosing an outsourcer for your security management, be sure to listen for word-of-mouth recommendations, as good news about an outsourcer will travel fast, but bad news will travel even faster.

Let’s consider cost:


Without having to pay salaries for your own security staff that would save about $60k to $90k annually per security professional (based on average salary rates for current security professionals seeking employment to provide security support in house). For three security professionals (to cover a 24 hour shift) that would be a saving of at least $180k.


In addition you would not have any training costs to contend with - that could save another $10k per year per security professional.


Already that is a saving of $210k.


Before jumping for joy you must consider costs that outsourcing attracts that you would normally not have to deal with such as management costs – these may be as much as $80k a year. Subtract this from $210k and that still amounts to a minimum $130k reduction in your costs – now you can jump for joy!


It may be possible to save more money when purchasing and upgrading security products as outsourcers usually have discounted purchase prices and even with their standard mark-up (to cover their reseller costs) will still be able to provide you with a better price than you can obtain directly.


It will become quite clear to you as a business manager, within a very short time frame once you have outsourced your security management, what your money is buying.

So there you have it, you can focus your time, money and worries on your core competency – whatever it is you do best, because your outsourced information security management is in the hands of those whose core competency is information security management.
