Translation: We have no technical sense of direction, and we're going to jerk you around as many times as we change our mind.
-- IS Survivalist Eric Brockway provided thisweek's dynamic translation.
How much freedom are you willing to trade for security? It's a complex, difficult public-policy issue, which means it's better suited to happy hour than business hours.
During the workday, your worry is how much flexibility you're willing to trade for IT security. The issues are similar. Unlike national security, though, IT security is a day-to-day worry for any CTO or CIO who deserves to hold onto a job.
Some appear to like the idea of outsourcing IT security. I sympathise: IT security is a difficult, highly technical, rapidly changing, irritating, expensive, and worst of all non-value-adding function. Most CTOs hate dealing with it almost as much as they hate the result of not dealing with it. And for smaller companies that lack enough mass to fund a full-time IT security position, outsourcing might be the only realistic option available.
Outsourcing IT security worries me, though. No, not because you can't trust any outsiders with the keys to your kingdom -- "Who watches the watchers" is just as big a problem with employees as outsiders.
Here's my concern: IT's job is to make employees and business functions more effective. That means delivering as much functionality as possible. In terms of technology, this means access to information and transactions from wherever employees happen to be working.
From a security perspective, the richer the functionality and more broadly you make it accessible, the more security holes you open up. "Flexibility, my eye," I'd say if I were contractually accountable for your security. "I'm going to lock down everything that isn't absolutely necessary to have open. 'Prove you need it, or you can't have it': That's my motto!"
By staffing the security function internally, you have at least a fighting chance of achieving a balance.
But IT security is still a difficult, highly technical, and rapidly changing field. It's hard for an internal security staff to stay current; it's easy to become spread too thin, and establishing necessary boundaries can be awkward when you're a staff member.
So after you staff the function internally, make sure you schedule regular IT security audits with an outside specialist.
Flexibility is important, sure, but you still need someone to watch the watcher.
Return to our CTOs securing the enterprise package.