Q: You are the manager of the IT department of a medium to large sized company. Like any manager, you have a budget. You can never seem to get enough money from the C-level bosses above you, most of whom may not fully understand the importance of information security and compliance. Tough question.... do you hire/train employees to handle your network security, or do you outsource to a third-party (not unnecessarily off-shore)? What are some of the factors you would consider in each avenue? If you have been in this situation before, what are some of the lessons you have taken away?
A:
Hi Martin,
I think the question comes in two folds... Governing information security and operating information security should be perceived as different topics. I do believe that information security governance should be in-house. Regardless of the resources available, a company should determine what the risks are, and how the risks are addressed. That being said, usually it is much better choice to outsource information security operations. Here is a quick try to summarize the status:
Cons List Managed Security Operations (compared with in-house IT operations)
- It is scary to rely to a 3rd party for all your security... it usually feels like hiring legionnaires. Pro Soldiers versus highly taxed IT peasants. Trust is the key word.
- Communication on wire is still slower than face to face communication. Local IT team integrates better with the local projects (naturally)
- As a manager you cannot order as you wish to a MSSP. They do not code for SOA application, or fix your internal routing when you ask them to do so... You cannot allocate their resources to different project.
- Usually the MSSP service is customized for a target audience, not exactly for your specific operation... The choice is very much like tailor made dress vs. Hugo boss (and sometimes banana republic...)
- SLA management still requires an internal resource at your organization.
If data privacy is your main concern, the procedures may get complicated.
- Your business advantage of being more secure than your competition maybe stolen very easily since MSSPs are not exclusive for your operation.
Pros List for Managed Security Operations (compared with in-house IT operations)
- All services are guaranteed with an SLA
- All services are usually verified by a 3rd party (e.g. SAS-70, ISO 27001)
- Economies of scale. Even the large company InfoSec operations are dwarfed by regular MSSPs operations
- Constant access to trained engineers. A larger pool of information security know-how.
- Operational Excellence. MSSPs are constantly evaluated, audited by 1000s of parties. They have to be better in operations.
- Certified Engineers for specific products. The luxury of accessing subject matter experts of various fields
- Better connections with hardware and software vendors
- Cookie-cutter compliance solutions
- Better visibility of information security space via hundreds/thousands of different customers
- Established procedures for change management, asset management, configuration management, BCP/DR etc.
- Opportunity to focus core business instead of working for security operations
- Avoid fixed infrastructure cost for a highly redundant high capacity expensive infrastructure
- Shifting the dirty tasks to MSSP (3am Saturday changes?)
Segregation of duties. It is good to have a 3rd party for security
- 7x24x265 real-time availability of all security resources.
- yinal
No comments:
Post a Comment