
Outsourcing information security

Simon Burson | Jan. 20, 2010
The unfamiliar territory and complexity of security often results in a typical human response: make it someone else's problem

AUCKLAND, 17 JANUARY 2010 - The need to keep information secure is not a recent development.

To satisfy this need, most organisations construct a list of security requirements based on common sense. This has proven fairly effective with simple and well-understood media such as pen and paper. As information management (and its security) has become more complex, the likelihood of a gap in that common-sense list of requirements has increased. The relative decrease in common understanding of how an organisation's information is recorded, manipulated, stored and erased makes it difficult to identify a complete set of security requirements to protect it. The unfamiliar territory and undesirable complexity often results in a fairly typical human response: make it someone else's problem.

Effective outsourcing: An introduction

Effective outsourcing of any business function requires that the function is defined, appraised, and its inputs and outputs established.

Using this information an organisation can approach the market and clearly specify the scope of what it needs and what deliverables are expected. Understanding the value of the function makes the cost/benefit analysis possible. That analysis should justify the outsourcing and take into account the cost of selecting the better provider.

Defining all attributes in monetary terms is difficult, but if it could be done, any business function should net a positive return, and the best provider of that function is the one (internal or external) that delivers the highest positive return.

Wikipedia defines it well: "Information security means protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction".

Given that information systems are increasingly technical in nature, the solution that protects them often involves technical security products such as antivirus, firewalls and intrusion detection, or technical security services such as security event management, penetration testing and incident response. While products and services can be a significant component of an organisation's security solution, they alone should not be what defines it.

Buying something that "does" security is like buying something that does food preparation. You may be lucky and stumble across the one tool that meets all your needs, but most people would like more influence over what they have for dinner than "I bought a fork".

The problem

The domain of information security is the aggregate of subsets of all other domains. It arises from the need to have controls in place that ensure all domains operate correctly. It is empowered through governing documents such as policies, standards and guidelines, and is ideally funded through an organisation's executive committee. Often (particularly in smaller companies) security is instead funded indirectly by the department under which it resides. Because of this cross-cutting nature, the information security domain is extremely difficult to outsource.
