Outsourcing Security

[RoadClosed]

Talking business:

This thread some what parallels the argument for open source versus Microsoft. It's interesting that on one hand outsourcing is a bad idea, but open source is great followed by all the reasons mixing more into the pot is good. The idea being that the more people who look at you and your systems the better off you will be?

I went down this path because I was going to introduce another concept in outsourcing, that is fielding code to various entities outside an organization and how that risk could be infinitely more devastating than getting a half decent company to implement and monitor your network security. Yes I am down playing information security, because in the real world that may be number 2 or 3 on a company wide risk analysis. When one “says outsourcing IT security” that would be the level it's looked at, outside of IT perhaps. At least that has been my point of view. Like Tiger says, it depends on your assets you are protecting and your level of trust among industry peers versus some kid off the street. Weather it’s Bob the computer geek hired on Tuesday or an international firm; you both start at ground zero with trust.

It may also be something of interest to your customers and that could be a deciding factor. For instance, a local company had terrible customer service with their outsourced cable TV repairman. They were much more efficient but the customer base began asking for actual employee technicians because they had a desire to preserve the company reputation and they were better guys in general. The outsourced guys worked on getting the most jobs in a day because that is how they were paid so that was there motivation. In this scenario customer desire drove the decision and not internal controls. You will find the same scenario in every large utility organization and that is the core of their business.

Even those companies with talented programming staff often find themselves outsourcing modules, not because of money, but because of TIME. Even the evil empire - secretive in their covenant code does this, i.e. Microsoft. Time is another critical factor in some scenarios. Tony it's interesting you use Chrysler as an example. I know a few Asian based firms that oversee their robotic plant operations and other design firms that come up with new designs along with a half dozen core items critical to the corporation. Many also Asian in ownership.

Hmm, payroll could be a very small risk or a huge risk, imagine dumping 75,000.00 bi-weekly into a payroll account outside an organization. Such as a local or international bank and then having that whisked away by an attack that occurred at the outsourcing entity. Items completely beyond your control - but to track and disperse your own paychecks would be mind boggling because the risks of errors outweigh the risk that some hacker cracks a local bank and drains the money? Or internal accountants bleeding small dollar amounts off various accounts until $400,000.00 gone and the company CANNOT recover. In addition there are no small or even large companies that own their own payment systems. How many companies out there imprint their own visa cards or the ever popular gift cards? A rare few. It’s all done ala 3rd party and is about as core as you can get in a retail system. In those situations the opposite is true because their volume gets so large that spending 15 million dollars and moving it inside actually saves a few cents per transaction.

Every company has risks they can control and risks they can’t. “Inherent” versus “Control” risk in my copyrighted risk analysis procedure. In this method of thinking I sometimes actually reduce “Inherent” risk based on the level of automation and complexity a task or system has. The more automation the LESS “Inherent” risk. Meaning people have less of an ability to f#C it up and there are more controls and reports to mitigate it.

[tonybradley]

Reason: Estimating airspeed velocity of unladen swallows.

African or European? And, since they are alleged to have transported coconuts transcontinentally is it fair to only assess their "unladen" airspeed??