[ISN] Panel: Do not outsource all security

InfoSec News isn at c4i.org
Fri Jun 4 02:36:22 EDT 2004


http://www.computerworld.com/securitytopics/security/story/0,10801,93609,00.html

By Chris Conrath
JUNE 03, 2004 
ITWORLDCANADA 

TORONTO - In a time when outsourcing is all the rage and IT security
is slowly following this trend, panelists at yesterday's Infosecurity
conference in Toronto were in agreement that certain portions of a
company's security should always be kept in-house becaue they are too
important to entrust to others.  "Never, ever outsource anything that
touches your clients," said Rosaleen Citron, CEO of WhiteHat Inc.,
during the "view from the top"  panel discussion. If something happens
to corporate clients, from a security perspective, no matter whose
fault it is, the company, not the outsourcer, gets the blame and its
brand and image suffers.

Last year, the BMO Financial Group learned a version of this truth
when two of its servers containing customer information inadvertently
ended up on eBay for a few hours after one of its outsourcers shipped
the wrong pallet. The mistake, from a "keep it in-house" security
perspective, was that the bank should have wiped the server drives
clean itself.

Ron Ross, chief strategist for Bell Canada's Managed Security
Solutions, said the key to successfully defining what can be
outsourced and what must be kept in-house is to define what is core to
a company's success and what is contextual. "Core, keep in-house;  
context, let it go."

But not all information directly pertaining to security is considered
to be core to a company's success.

For many companies, managing firewalls, intrusion-detection systems
and antivirus softwate are a headache best lived without. Outsourcing
them, or at least their attributes, can be a wise security move, said
Michael Murphy, Canadian country manager for Symantec Corp.

Though many companies still want control over the above-mentioned
security solutions, they pass on the configurations to a third party
to monitor them and to aggregate the data with other systems around
the world. This gives Symantec (as well as other companies offering
managed security services solutions) the ability to advise its
customers of trends and events as they develop, instead of waiting
until they happen.

He likened self-monitoring your IT security environment to monitoring
your home alarm system. Homeowners control the alarm but let someone
else monitor it.

Murphy cited Symantec's statistics that show that companies using its
managed security services for more than six months suffered fewer
"severe events" than those newly signed on. Symantec was better able
to understand the specific security needs of those clients with
"tenure" and thus better apprise them of specific defense strategies
for developing attacks. During a six-month period (July to December
2003), 100% of those clients with less than three months of tenure had
severe events. This number fell to 30% for those clients using
Symantec's services for more than six months, Murphy said.

Though Dean Provost, president of IT services at Allstream Corp.,
didn't join the outsourcing debate, he had some advice for companies
as they increase internal, as well as external, interconnectivity.

As connectivity increases, so too does complexity, Provost said. "You
create a larger surface area that you have to protect, [so you have]
to think about what kind of environment you have created."

Companies have to pay careful attention to who has access to what
information. "When we get audited, one of the things they ask is about
[our] internal IT environment," he said. As a result of this attention
to security details, Allstream can reduce its IT-related insurance
bill, he said.





More information about the ISN mailing list