
| Subject: | RE: Outsourcing information security |
|---|---|
| Date: | Wed, 13 Jul 2005 14:27:34 -0500 |
I would compare outsourcing all of your information security to outsourcing all of your accounting. You may outsource specific portions - like SEC Compliance or random audits, but you don't just hand the whole thing over to some third party and hope they do a good job of it. It just isn't done because it's just not a good idea.

1) You need someone or group to keep an eye on the third party and make sure they are performing as expected.

2) You need people in house who know your network and can respond quickly to threats.

3) What service levels are you looking for?

4) Who do you call when something breaks?

5) If you have a multi-vendor environment, how do you handle finger-pointing when something breaks? (DO NOT try to tell me that finger pointing doesn't happen!)

6) Someone at your company *is* going to be responsible for making business process vs. security decisions. You may as well have someone who understands the C-I-A triangle instead of a PHB who's interested in "stream-lining customer interactions" and "enhancing business processes".

7) You really need to have security input very early in a design process for any new applications. Security as an "after-market bolt-on" never works as well, IMHO.

2 cents,

Jimi

-----Original Message-----
From: Bret Watson [mailto:lists@ticm.com]
Sent: Monday, July 11, 2005 6:37 PM
To: security-management@securityfocus.com
Subject: Re: Outsourcing information security

:) As someone who runs a fairly large IT Security Outsourcing practice...

There are some key things to consider when outsourcing IT Security:-

1. how much? do you want to outsource the operations, the design/advisory, the risk management, the compliance?

2. Try as you might - you cannot outsource the business risk - you can transfer it though

3. if you plan to keep a core team in-house and outsource the rest - make sure there are VERY clean roles and responsibilities - it's the biggest cause of pain for my clients

Cheers,

Bret
ZoomInfo: www.zoominfo.com/BretWatson