Outsourcing Security - Why it is a bad idea.

November 21st, 2008
  • I would like to know why it is a BAD idea to outsource security for a firm with 5000 employees? We currently have a highly trained security staff in place. We have firewalls, internal, external network and host based IDS systems, strong security policies and procedures. Additionally, I would like specific examples of security outsourcing catastrophes that other firms may have experienced.


  • Hello and thank you for this question. Outsourcing, whether it be long-term or short-term, has core cause and effect symptoms that currently aren't being remedied. It has both pros and cons and depending on how you've outsourced your security, it can turn out to be good or bad. There is a great article posted on the Network Magazine site and it discusses this issue of outsourcing very well.

    Outsourcing Security - Is turning over the keys the best way to secure your enterprise?
    http://www.networkmagazine.com/article/NMG20000426S0026

    It is nothing new for a company to buy goods or services from other companies. It is neither rational nor reasonable for a company to do absolutely everything in-house. The question is therefore what a company should do in-house and what others can do better. When a company changes tack and decides that jobs that have previously been done in-house are to be done by a contractor, we call it outsourcing. Even if outsourcing is by no means new, there will be consequences each time a decision is made to outsource, consequences which can be both positive and negative for the company's employees.
    http://www.union-network.org/Ibits.nsf/5751d24322e603308025646c003b28b8/9e0b613362344979c125667a0033d54d?OpenDocument

    Bruce Schneier of Counterpane Internet Security, Inc., wrote about outsourcing security. Here is that article.
    http://www.computer.org/computer/sp/articles/sch/

    Classic Outsourcing Blunders
    http://www.darwinmag.com/read/080101/blunders.html

    Outsourcing looms for core security. According to this article, outsourcing can be good or bad. It all depends on how you have your agreement done with the outsourcing company. It has given some major questions that should be asked while looking for an outsourcing company. Questions related to experience, SLAs, services, infrastructure should be investigated to come up with the best company. Read more on this.
    http://www.networknews.co.uk/Analysis/1129412

    Shutdown of Pilot Network Services is a classic example of how outsourcing your security can put a company right on to the steps of disaster. On April 25, 2001, Pilot Network Services went out of business, abandoning 200 customers that relied on them for something rather important: security. Check out more details about how it happened, its impact on customers and how they dealt with this trauma.
    http://www.cio.com/archive/080101/exposed.html

    A similar example on the same grounds is of Salinas Network Services, who were the largest firewall management company. They also disappeared.

    11 Questions to Help You Select the Best Service & Support Provider. Their questions include some major issues like how consistent is the expertise level, what third-party reviews have been done, what monitoring can you perform, and so on.
    http://www.networkcomputing.com/1308/1308f2.html

    2002: Year of the bad outsourcing deal – Read this article by Andy McCue. According to the analyst company Gartner, 2002 and 2003 will see record numbers of outsourcing deals that go bad.
    http://www.networknews.co.uk/News/1132982

    Outsourcing can offer definite advantages - but only if you do it right. Outsourcing is fraught with danger for the unwary executive or corporate counsel. There are pros and cons to outsourcing:

    Pros:
    - improved service and performance,
    - better management control,
    - improved business focus and many others

    Cons:
    - nickel-and-dime syndrome ("I have to charge you extra for this, and this and that"),
    - contract termination problems,
    - loss of in-house expertise and more

    So, what is the best way to find out whether outsourcing is good for you or not? Here is a 20-step program created by WSR Consulting Group, LLC to help you in this.
    http://www.wsrcg.com/outsourc.htm

    Outsourcing Security Management. The need for outsourcing is explained here. They have covered many aspects in the discussion and have also given many links to dig more on this.
    http://rr.sans.org/policy/outsourcing.php

    A totally different view is given over here. According to this article, the demand for third-party security services will exceed $17.2 billion by the end of 2004.
    http://www.computerworld.com/securitytopics/security/story/0,10801,57980,00.html

    Bruce Schneier says that "On the one hand, the promises of outsourced security seem so attractive: the potential to significantly increase your network's security without hiring half a dozen people or spending a fortune is impossible to ignore. On the other hand, there are the stories of managed security companies going out of business, and bad experiences with outsourcing other areas of IT. It's no wonder that paralysis is the most common reaction to the whole thing." He says very clearly: don't outsource your security management. This is the best and safe way to have any sort of bad experience with outsourcing.
    [pdf] http://www.counterpane.com/outsourcing.pdf

    A similar discussion regarding "Should enterprises outsource security to a third party?" is posted on this page ( http://www.internetweek.com/columns01/point081301.htm ). As quoted, some argue it may not be wise to relinquish control of security to a third party. But, this has been done for years in securing brick-and-mortar businesses. The same principles hold true for Internet security. Enterprises should look for a reputable security partner. However, another point says that "Leaving security decisions to IT staff or to technology-centric security outsourcers is ineffective and inefficient. A company must take a security posture that puts business requirements first and evaluates all security measures against those requirements. That's why security overall belongs in-house."

    Companies are outsourcing IT security to cut costs of around-the-clock surveillance. But, some doubt the risk is worth the savings.
    http://www.informationweek.com/story/IWK20010713S0009

    Outsourced Security On The Rise
    http://www.internetwk.com/story/INW20000303S0005

    The collapse of once-promising companies such as Pilot Network Services Inc. and Salinas Group sounds like the rumblings of a shakeout beginning in an emerging market. Use caution when choosing a managed security vendor.
    http://www.informationweek.com/story/IWK20010713S0006

    Further links:

    Tips For Successful Security Outsourcing
    http://www.esecurityplanet.com/trends/article/0%2C%2C10751_1331451%2C00.html

    Outsourcing security a good plan, but be careful out there
    http://search390.techtarget.com/tip/1,289483,sid10_gci769748,00.html

    The realities of outsourcing
    http://www.nwfusion.com/columnists/2002/0114kaplan.html

    Find out which technologies network executives are happy to outsource and which parts of their network they don't want anyone else to touch.
    http://www.nwfusion.com/careers/2002/0527man.html

    Search terms used:

    In Google: Outsourcing Security:
    ://www.google.com/search?num=25&hl=en&lr=&ie=UTF-8&oe=utf-8&q=Outsourcing+Security&btnG=Google+Search

    In Pandia: outsourcing security:
    http://search.curryguide.com/execute/search/nph-web.cgi?ac=pandia&adbg=ffffff&intprom=s&query=outsourcing+security&where=?=&match=?=n%3An&pp=16&sd=

    I hope this helped. Feel free to ask for clarification, and if you are satisfied with this answer, then do rate it.

    Regards,
    netcrazy

