Standards can provide great assistance in improving the security posture of a company. An organisation that relies solely on standards to assure security is, however, likely to experience a gap, as is often demonstrated by companies seeking PCI compliance. The PCI standard is intended to be a bare minimum of requirements for protecting cardholder data. It is not intended to be the target state for a modern organisation's security program. It has become commonplace for companies running PCI compliance projects to aim to meet only that bare minimum. As much as possible is de-scoped to reduce the cost of the project, a reasonable approach only if something else is picking up the security shortfall. Some attempt to outsource all payment card functions so they do not need to meet even the minimum requirements. This report is not intended to comment on PCI; however, the author has witnessed the provisioning of a new e-commerce site where card processing was outsourced to avoid troublesome encryption and authentication management. While I am sure it was technically PCI compliant, that simply meant customers' money was taken securely and effectively. The woeful security in the main site made it trivial to change the delivery address after purchasing, manipulate product prices and monitor what other customers were doing.
All organisations should have at least one appointed security role. While the person holding the role may not be dedicated to security, training should be provided to ensure an appropriate level of skill. Any contracting of third parties to provide support services should be managed by that security role. Outsourcing security in its entirety is not viable: to retain assurance that security is being delivered as intended, someone with security expertise, even if only relative to the rest of the organisation, needs to define the checks and balances.
Outsourcing security operations is achievable, but there is an overhead that needs to be taken into account. The operational tasks should be defined by design, not limited to whatever the service provider happens to offer. Concessions may be made for a preferred supplier, but defining the target state for security operations first makes it possible to quantify those concessions and, if necessary, compensate for them elsewhere.
When a turnkey solution is being purchased from an integrator, it should be assumed that security has not been considered until proven otherwise. This is not to say that integrators are negligent, but their business focus is delivering what was requested at the lowest price. Typically, the security in a solution is not required to deliver the end-user function and is consequently easily cut without complaint. An independent party, whether internal or external, should be engaged to review the solution and ensure any risks it introduces are understood and formally accepted by the business prior to deployment.