In a time when outsourcing is all the rage and IT security is slowly following this trend, panelists at last week's Infosecurity conference in Toronto were in agreement that certain portions of a company's security should always be kept in house since they are too important to entrust to others.
"Never, ever outsource anything that touches your clients," said Rosaleen Citron, CEO of WhiteHat, during the "view from the top" panel discussion. If something happens to corporate clients, from a security perspective, no matter whose fault it is, the company — not the outsourcer — gets the blame and its brand and image suffers.
Last year the BMO Financial Group learned a version of this truth when two of its servers containing customer information inadvertently ended up on eBay for a few hours after one of its outsourcers shipped the wrong pallet. The mistake, from a "keep it in house" security perspective, was that the bank should have wiped the server drives clean itself.
Ron Ross, chief strategist for Bell Canada's Managed Security Solutions, said the key to successfully defining what can be outsourced and what must be kept in house is to define what is core to a company's success and what is contextual. "Core, keep in house - context, let it go."
Servers with customer information are core, servers wiped clean are context.
But not all information directly pertaining to security is considered to be core to a company's success.
For many companies, managing firewalls, intrusion detection and antivirus is a headache best lived without. Outsourcing them, or at least their attributes, can be a wise security move, said Michael Murphy, Canadian country manager for Symantec. Though many companies still want control over the above-mentioned security solutions, they pass on the configurations to a third party to monitor them, and to aggregate the data with other systems around the world. This gives Symantec (as well as other companies offering managed security services solutions) the ability to advise its customers of trends and events as they develop, instead waiting until they happen.
He likened self-monitoring your IT security environment to monitoring your home alarm system. Home owners control the alarm, but let someone else monitor it.
Murphy cited Symantec's statistics which show that companies using its managed security services for more than six months suffered fewer "severe events" than those newly signed on. Symantec was better able to understand the specific security needs of those clients with "tenure" and thus better apprise them of specific defence strategies for developing attacks. During a six-month period (July to December 2003), 100% of those clients with less than three months of tenure had severe events. This number fell to 30% for those clients using Symantec's services for more than six months, Murphy said.
Though Dean Provost did not enter into the in house/outsourcing debate, he had some security advice for companies as they increase internal, as well as external, interconnectivity.
As connectivity increases so too does complexity, said Provost, president of IT services with Allstream "You create a larger surface area that you have to protect - [so you have] to think about what kind of environment you have created."
Companies have to pay careful attention to who has access to what information. "When we get audited, one of the things they ask is about [our] internal IT environment," he said. As a result of this attention to security details, Allstream can reduce its IT-related insurance bill, he said.