In an article last week (“Global firms reach compliance breaking point”, vnunet.com, 12/14/2006), Robert Jacques summarized the findings of research conducted by Dr Jonathon Liebenau, senior lecturer in information systems at the London School of Economics Department of Management. The research project was commissioned by McAfee. In the project’s findings report, Dr Liebenau suggests that companies around the globe might be slowly losing their ability to meet compliance requirements while at the same time performing activities to mitigate risk from other security vulnerabilities.
The shortage of qualified security professionals and the growing number of global security regulatory requirements are working together to push organizations beyond the limits of what they are capable of handling.
As a security manager, I understand the strain a security team can experience when trying to balance day-to-day security efforts with audit requests. I’ve been lucky, however. My employer understands the need for adequate staffing. Even so, I’ve found myself hiring individuals into my security analyst positions who lacked advanced security or compliance skills.
We use our internal staff for non-help-desk tasks. Support requests, such as password resets and account creation, are sent to an outsourced help desk. Our help desk outsourcing partner also handles account terminations and large-scale account management activities related to new system rollouts. Finally, any repetitive access control activities are contracted to outside resources. This does not mean we relinquish responsibility: we regularly review all processes to ensure their outcomes conform to our policies, standards, and guidelines.
We also outsource the tedious task of aggregating, correlating, and making sense of log data, including IDS/IPS and firewall logs. This allows our analysts to focus on higher level security tasks that require knowledge of our organization and its technology.
In my opinion, the only way to meet the onslaught of regulatory mandates is to outsource those tasks that anyone can do and retain in-house those tasks to which the internal staff adds value. In this way, internal security analysts can focus on strategy, analysis, design, and operational oversight, while outside resources are used to scale out when compliance activities increase.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.