Thread: Majority of Security Outsourced by 2010

  1. #1
    AO Security for Non-Geeks tonybradley
    Join Date
    Aug 2002
    Posts
    830

    Majority of Security Outsourced by 2010

    Seems sort of deja vu. I swear we were just debating this subject (into the dirt) in this thread: Outsourcing Security.

    Just as that thread is dying down- with the majority viewpoint being that outsourced security is a bad idea- this Information Week article appears claiming that the majority of security will be outsourced by 2010.

    Report says Virtually All Big Companies Will Outsource Security By 2010

    Security outsourcing will prove attractive, said Kovar, for reasons other than the cost savings typically cited by companies that farm out business processes. Among the drivers toward managed services are the accelerated attacks of today's threats--giving enterprises virtually no time to put up defenses on their own before an attack infiltrates a network--legislative requirements such as HIPAA and Sarbanes-Oxley, and the trend toward pushing out the network perimeter to include partners and remote workers.

  2. #2
    So, bad for in-house security specialists, good for entrepreneurs in the IT security field...

  3. #3
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Originally posted here by AngelicKnight
    So, bad for in-house security specialists, good for entrepreneurs in the IT security field...
    YES!!!!

    Back to the case, every (well administered) company will keep a bunch of guys to "interface" with outsourcers. It's just not possible for a manager (or above) to maintain a good outsourced infrastructure (security included) without some "smart" guys inside.

    Although I work as a bad guy (=outsourcer), I think

    Total outsourcing = bad service

    You should have someone to "watch" outsourcing (i.e. me)
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  4. #4
    Hmm...but if you need someone on your payroll knowledgeable enough to monitor the outsourcing, why don't you just simply have the knowledgeable person on your payroll as your in-house security guy? Seems to be the most cost-effective solution if looking at it that way...

  5. #5
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    You are thinking about "one-security-guy-area", but most security areas have more than one.

    I'm here at a client and there are more than 30 guys in the security area here (inside+outsourcers). But those guys didn't maintain security here; there is ANOTHER team called "operational security" that admins security (+20).

    So Angelic, still think that it is better to keep everybody inside?

    Why did this client do that? Because (as tony's post stated) it's damn hard to keep inside guys up to date. It's EASIER (not better) to hire some "specialists" to take care of some business.

    But for each group of outsiders, there is ALWAYS a company guy together.

    Keep security up-to-date, keeping an eye on those "blood suckers"....

  6. #6
    AO Security for Non-Geeks tonybradley
    Join Date
    Aug 2002
    Posts
    830
    Hmm...but if you need someone on your payroll knowledgeable enough to monitor the outsourcing, why don't you just simply have the knowledgeable person on your payroll as your in-house security guy? Seems to be the most cost-effective solution if looking at it that way...
    I absolutely agree with cacosapo on that one. Just because someone is knowledgeable enough to speak of security intelligently, perform a risk analysis and evaluate products and vendors to oversee the security implementation for a company doesn't mean he can do it all.

    Plus, it isn't just a matter of manpower- there is the question of infrastructure and equipment as well. For many companies, small and medium enterprises especially, it may just make better business sense to farm the stuff out than to try and buy it all in house.

    So, IMHO, having a guy, or even a small team of guys dedicated to managing security and overseeing the outsourcers does not translate to saying that "if they're so smart they should just do it".

  7. #7
    Oh, good point, wasn't thinking on that level. I officially stand corrected.

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I haven't read the entire piece yet but I'll comment on the quoted portion and caca's response if I may.....

    giving enterprises virtually no time to put up defenses on their own before an attack infiltrates a network
    This is kind of proof that this is an opinion piece..... The speed these worms travel now I'm really wondering how the outsourced staff are going to have any more time than anyone else. Couple that with the fact that they have to do something to _every_ network that is vulnerable that they manage..... My first question after I get "wormed" is "whaddya mean I got done twenty seventh? Why wasn't I first?????".... The other option is to have a central firewall/border gateway for all the clients.... Whichever way you cut that I am paying for T1 mileage somewhere in the contract that may be a significant overhead that I wouldn't want/need.

    --legislative requirements such as HIPAA and Sarbanes-Oxley
    I'm not familiar with the requirements of S-O so I can't comment. However, I am intimately familiar with HIPAA having just finished the whole thing..... The only sensible possibility of anyone outsourcing security I can see under HIPAA is the small non-profits. Even then, that's a bit of a stretch.... Once any organization understands that there is a requirement for HIPAA compliance and goes through the "regulations" they should pretty soon realize that they aren't particularly stringent. In fact, in many cases all that is required is that you have "policy" in place to address the different concerns. OK, you should probably lob a firewall in there and have a backup _plan_, but this is hardly a mandate for heavy duty outsourcing of stuff.... really, I have been through it all with a toothcomb and, as government acts go, it is pretty sensible with regard to the line between security/privacy and usability.

    Caca:

    Back to the case, every (well administered) company will keep a bunch of guys to "interface" with outsourcers.
    Question: Who's managing the security? Isn't it your "smart guys"? That being the case all you have really outsourced is the grunt work..... Log checking, patch testing and deployment etc..... maybe we are just talking at cross purposes?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmm,


    This is kind of proof that this is an opinion piece..... The speed these worms travel now I'm really wondering how the outsourced staff are going to have any more time than anyone else
    I can relate to that, I wish I had £1 for every self-styled industry pundit who touts his company's services

    I think that it all boils down to what you mean by "outsourcing". Over here if you outsource a business area the outsourcing company is obliged to take on all your existing staff at their current terms and conditions, or you have to find them mutually acceptable alternative employment. So you lose control with no financial gain. All you are doing is moving overhead costs elsewhere in the budget.

    In the case of hardware support, employing an external supplier is a very viable proposition. With security it is a different question, just like development. Sure you employ contractors or consultants, because knowledgeable individuals are hard to find and keep, and the workload is not constant. This isn't really "outsourcing" in the true sense, and seems to be cacosapo's role.

    Yes, I have seen a growth in the use of external agencies to filter the e-mail side of IT, but that is a quite specialist function, and it is difficult for a small to medium operation to match their service internally. The logic is a bit like using DHL rather than running your own transport fleet. You are effectively sharing the costs of a much more sophisticated operation with other customers.

    In economic theory it is the advantage of specialisation and economies of scale.

    I think that Tiger~ has it when he points out that malware travels so quickly these days that the outsourcers have no more chance of stopping it than internal staff. In fact, they probably have less chance as they have to keep their staffing down to make profits and cannot pull people from other duties, so they have no flexibility.

    I have had experience of outsourcing, and none of it has been good. In the old days when we were rolling out a new product it was a relatively simple matter to get the infrastructure, network, and hardware support guys to "re-prioritise"; as soon as they were outsourced it was all SLAs (service level agreements), and meeting their SLA took priority.............I even had to go crawling to the users to borrow some of their software engineers (one of the advantages of working in high-tech armaments).

    By all means sub-contract your hardware support and e-mail filtering, as you will probably get a better job done at a lower cost. Otherwise stick to employing consultants, contractors and external auditors. That way you retain control as you have merely agreed with an external provider to supply an individual with a certain skillset for a certain period, with agreed responsibilities at an agreed price. The difference between that and outsourcing is that you retain control.

    Just my thoughts
