Security News > 2004 > June > Panel: Do not outsource all security

Panel: Do not outsource all security
2004-06-04 06:36

http://www.computerworld.com/securitytopics/security/story/0,10801,93609,00.html By Chris Conrath JUNE 03, 2004 ITWORLDCANADA TORONTO - In a time when outsourcing is all the rage and IT security is slowly following this trend, panelists at yesterday's Infosecurity conference in Toronto were in agreement that certain portions of a company's security should always be kept in-house becaue they are too important to entrust to others. "Never, ever outsource anything that touches your clients," said Rosaleen Citron, CEO of WhiteHat Inc., during the "view from the top" panel discussion. If something happens to corporate clients, from a security perspective, no matter whose fault it is, the company, not the outsourcer, gets the blame and its brand and image suffers. Last year, the BMO Financial Group learned a version of this truth when two of its servers containing customer information inadvertently ended up on eBay for a few hours after one of its outsourcers shipped the wrong pallet. The mistake, from a "keep it in-house" security perspective, was that the bank should have wiped the server drives clean itself. Ron Ross, chief strategist for Bell Canada's Managed Security Solutions, said the key to successfully defining what can be outsourced and what must be kept in-house is to define what is core to a company's success and what is contextual. "Core, keep in-house; context, let it go." But not all information directly pertaining to security is considered to be core to a company's success. For many companies, managing firewalls, intrusion-detection systems and antivirus softwate are a headache best lived without. Outsourcing them, or at least their attributes, can be a wise security move, said Michael Murphy, Canadian country manager for Symantec Corp. Though many companies still want control over the above-mentioned security solutions, they pass on the configurations to a third party to monitor them and to aggregate the data with other systems around the world. This gives Symantec (as well as other companies offering managed security services solutions) the ability to advise its customers of trends and events as they develop, instead of waiting until they happen. He likened self-monitoring your IT security environment to monitoring your home alarm system. Homeowners control the alarm but let someone else monitor it. Murphy cited Symantec's statistics that show that companies using its managed security services for more than six months suffered fewer "severe events" than those newly signed on. Symantec was better able to understand the specific security needs of those clients with "tenure" and thus better apprise them of specific defense strategies for developing attacks. During a six-month period (July to December 2003), 100% of those clients with less than three months of tenure had severe events. This number fell to 30% for those clients using Symantec's services for more than six months, Murphy said. Though Dean Provost, president of IT services at Allstream Corp., didn't join the outsourcing debate, he had some advice for companies as they increase internal, as well as external, interconnectivity. As connectivity increases, so too does complexity, Provost said. "You create a larger surface area that you have to protect, [so you have] to think about what kind of environment you have created." Companies have to pay careful attention to who has access to what information. "When we get audited, one of the things they ask is about [our] internal IT environment," he said. As a result of this attention to security details, Allstream can reduce its IT-related insurance bill, he said. _________________________________________ ISN mailing list Sponsored by: OSVDB.org


News URL

http://www.computerworld.com/securitytopics/security/story/0,10801,93609,00.html