In today's lean, just-in-time business environment, many companies are looking to outsourcing as an alternative to in-house support.
Although the concept of outsourcing has been around for quite some time, many corporate managers are reluctant to outsource information technology (IT) security. On the surface, shying from IT security outsourcing may appear to be a sound decision, but with more thought and study, in-house IT security may not be the secure choice.
Unfortunately, many managers who tout the virtues of in-house IT security do not actually understand the critical concepts of information security in a wired world or even the basics of information systems auditing. As a matter of fact, most companies that in-house IT security give the responsibility to either the management information systems (MIS) department or the security department. While, on the surface, this organizational placement may appear to make sense, upon reflection it may be absolutely wrong.
According to the information system security guidelines of the Information Systems Audit and Control Association (ISACA), the security administrator for information systems should be a full time position. Moreover, the functions of the security administrator should not be combined with the functions of the systems analyst, application programmer, data entry technician, computer operator, tape librarian or systems programmer. Not only does this suggest combining the duties of quality assurance and security administration, it also indicates that the security administrator should not be assigned to the MIS department. This leaves the logical avenues (for all but the largest corporations) leading to assigning IT security administration to the security department or outsourcing.
Although IT security administration undeniably contains elements of physical security, the core expertise is information technology, not guns, guards and dogs. Additionally, how many corporate and government security departments have you seen with the luxury of having an employee dedicated to IT security issues? We must also not forget the possibility of combining the positions of quality assurance and IT security administration into one out-sourced position.
Even though they may seem diverse, both quality assurance and IT security administration share an important aspect - they are both best performed by someone who is removed from the corporate culture and routine mindset of daily operations. By outsourcing these activities to a single highly qualified individual a company may gain not only an increase in security and efficiency, but also a valuable outside view of their operations and procedures.
Okay, those are the pros of outsourcing IT security administration. But, what is the downside? The most common fear of outsourcing IT security administration seems to be trusting the security of one's information to an outside consultant. Although this is a valid concern, it boils down to perception after some basic vetting of outsource suppliers. Think about it. Does your company use employees for physical security or do they outsource to a company that specializes in physical security? More than likely the answer is the latter. Even the U.S. Government outsources physical security. The key is vetting the supplier and knowing the reliability of the resources you are purchasing.
Most executives don't think twice about outsourcing physical security to Securitas, Brinks or U.S. Investigations Services (or whatever your local equivalent is) because these are well-established companies that are known and trusted. However, in the much newer market space of IT security there are very few well-known and trusted companies. The key to assuaging corporate anxiety over outsourcing IT security administration is to do your homework and find out who the trusted leaders are in the IT security field. One way to find the right supplier may be to look at companies that provide this service to the government. After all, if a company is good enough to provide IT security there, it will most likely be sufficient for your corporate needs.
Once you find a qualified and reliable company, your job as a manager will still be far from over. One of the good things about having an outsider's view of your IT security (and perhaps quality management) is that they will almost always notice areas where you (and your employees) are falling short. Depending upon your position in the company and your willingness to accept criticism, this may also double as a bad point. What you must remember is that you took the initiative to identify the need for outside assistance. Moreover, you went the extra step to vet the supplier and assure yourself that you were getting reliable and trustworthy IT security support. So, when they tell you that you are doing something wrong (which they almost always will if they know the business), don't take it as a personal failure or an attack on your ability as an IT professional; they are doing what you are paying them to do - listen to them.
Outsourcing IT security can be a very difficult decision, both politically and operationally. The analysis that must be made before doing so is one involving not only security but corporate culture, budget, politics and personnel. Before making the decision to outsource IT security you should examine your corporate structure and competencies to ensure that outsourcing is the best answer. However, unless your resources and structure allow for a full-time professional IT security administrator who does not fall under the control of the MIS or security departments, your best answer may well be to outsource.
In today's world data becomes knowledge and knowledge is power. If you don't properly safeguard your corporate knowledge you may as well fire those outsourced security guards, turn off the outsourced video surveillance system and leave your office door unlocked, because sooner or later someone will get into your system and be gone with your corporate knowledge.
Dave Lang, CPP, CISSP, serves as an adjunct professor at the George Washington University. He may be reached at firstname.lastname@example.org.