When best intentions are not enough: a business manager’s view of outsourcing security

Security managers try their best. They deploy firewalls and intrusion detection systems like they are supposed to, along with antivirus, web content filtering, encryption and policies. Yet when it comes to managing new threats or keeping ahead of the latest new vulnerabilities, security managers are stuck. They cannot adapt quickly enough. They cannot digest the amount of information their security controls are already producing. And they cannot well-enough sell the idea of more spending to senior management.
source: 8to9it.com

To the security manager, risk management is a matter of a few things: policies for influencing behaviour, technologies for controlling behaviour, and people to keep it all working. However, to the CEO–and the rest of the business–security needs one more important component: tireless diligence; eyes on glass 24/7, just like the CEOs home alarm system that is constantly monitored.

Two opposing forces make the problem difficult. There are too few skilled security professionals to hire; and advanced threats and critical risks are growing each day. Companies need expertise and technology, but only the most well-heeled can afford to manage all the threats internally. Hiring experts then, either for short term triage, or for longer term oversight and monitoring, is one technique companies have been using for years to overcome the time and talent shortfall.

Outsourcing to the experts
While many IT security functions consist of operational and business-as-usual activities, todays world–full of sophisticated targeted attacks–requires specialised expertise to counter.

Vulnerability and patch management, antivirus updates, and changing rules in firewalls are mature technological procedures already baked in to most security programs. Over the last few decades, most (but certainly not all) organisations have built teams that are experienced in the day-to-day activity required to reduce attack surfaces.

Unfortunately, these tasks cannot be scheduled to fit into a regular work week. Countering advanced targeted attacks is much more like fending off attackers climbing fences than regularly scheduled fence repair. The skill sets of the security experts needed to ward off attackers is harder to obtain, and those with the skills are harder to retain.

While even the smallest organisation may train people for operational security tasks, the top security experts get their experience at the most highly threatened and most targeted organisations: large financial institutions, telecom providers, defence contractors, government agencies, and managed security service providers, also known as MSSPs.

The solution is most likely some combination of internal and external support an internal security team complemented by outside experts, consultants and managed service providers.

For business to thrive in the midst of risks, the IT and corporate security teams need to have tools at their disposal for proactive defense and rapid response. Outsourcing is one simple and cost effective way of increasing an internal teams capabilities.