General discussion


Monitoring Outsourced Security Firms

By cweinsch
Hello. My name is Carl Weinschenk. I am a contributing writer to TechRepublic. I am doing a story on in-house versus outsourced security. I have some related questions that I would appreciate feedback on:

The rationale behind outsourcing is that security is very complex and needs real time 24/7/365 attention. If this is so, what procedures can an IT staff take to ensure that the security firm is a.) honest itself and b.) giving the enterprise the best possible service?

What other dangers are there in giving up control of something so vital?

How do these issues stack up against the headaches of creating and maintaining an in-house department?



All Comments


Funny you brought that up

by LordInfidel In reply to Monitoring Outsourced Sec ...

I was actually contacted yesterday by a firm who wanted to offer their services to us.

The pros and cons will depend on several factors: the size of the company and the competency of the network staff.

I for one would not trust the security of my network in the hands of someone else. But then again, my team and I have built in several layers of filtering and monitoring/alerting into our network. I would not hand that over to a third party.

I'm not saying that 3rd party monitoring does not have its place or cannot be used. But for larger organizations that have staff devoted to security or that have active monitoring in place, it is not worth it.

Unless of course it is "in addition" to the current scheme.

But a small company that does not have an experienced net admin would benefit from this.

Although the question remains: what happens when there is an attack? Who is alerted, and whose responsibility is it to make sure it is plugged?

As far as the "headaches" described go, any admin worth his salt does not view security as a headache or a chore. Security is always at the forefront of his/her mind, where it should be.

Because when all is said and done, it is the in-house staff's responsibility when it comes to security, which translates into the CIO, IT Mgr, Network Security Director, etc.


Part 1

by Oldefar In reply to Monitoring Outsourced Sec ...

Basing the outsourcing decision on the supposed complexity of the task is a bad decision to begin with. Both internal and external IS/ICT initiatives need to be made by first understanding the business objectives, the related business requirements, and the technical objectives derived from the business requirements. Following this approach provides specific technical requirements and keeps IS/ICT aligned with the business objectives. It works with policy as well as projects.

The technical objectives drive the technical requirements and provide specific metrics to ensure that the IS/ICT security is the best the enterprise can get for its money, whether in house or outsourced. Determining the honesty, integrity, and financial stability of an outsource firm generally falls under the business requirement aspects and may best be handled by the CFO, similar to the way an outside auditing firm is selected.

One of the statistics often stated is that 80 percent of the security breaches are internal rather than external. Moving IS/ICT security to an outsourcer is one way of dealing with the internal threat. The social aspects of internal security threats are possibly mitigated with an outsourcer by the reduced social interaction with employees.


Part 2

by Oldefar In reply to Part 1

Regarding the loss of control of something as vital as security, there are a number of well known and accepted examples of this. The security of the current President and staff is never under the control of the administration. The Secret Service is responsible for their security. A large number of financial businesses outsource both site security and transportation security to companies that focus on these services such as Brinks. In the military the physical security of a site and information security are two different organizations, typically separate from the units who are getting the benefit of the security. This is not to be confused with individual and unit responsibilities to follow established policy in regard to handling classified material and information. Security alarm systems have a long history of being outsourced as well.

It was a common practice in the mainframe environment as well. The security and integrity of data was an expected and accepted part of facility management from firms like EDS and System House. It has continued with credit card processing from firms like ADP. Desktop processing offers some different challenges, but the basic approaches are well understood with a number of outsource companies based on the decades of experience.

Creating the same level of security in house offers challenges of work distribution, skill set, and experience. For small and medium-sized companies who cannot meet the cost floor from an experienced security outsource firm, the challenge may need to be met in house. For those firms who are negotiating above that floor, providing equivalent security in house may be tough to cost-justify.
