Jian Zhen of LogLogic wrote two helpful articles for ComputerWorld. The first lists ten benefits of outsourcing security functions, and the second lists seven potential drawbacks. I largely agree with his analysis, particularly concerning the advantages of leveraging centralized security expertise.
A managed security service that does nothing but handle security issues all day long has a much higher level of security situational awareness than an overtasked administrator with multiple responsibilities. How is a general-purpose administrator who has to deal with users, stop spam, recover backups, install patches, and maintain infrastructure going to know more about the latest types of attacks and defenses than a dedicated security professional?
Companies that can afford to maintain specialized security teams probably don't need to outsource these functions. A quick way to determine if a company probably doesn't need to outsource security tasks is to check whether they are members of FIRST. (I almost had a heart attack when I saw that www.first.org was updated. One of the last vestiges of 1994-era HTML has fallen!)
These articles follow a helpful one by Bill Brenner from August 2004, "Firms to seek more security help from outsiders." He reports: "Unable to keep up with security holes, attacks and government regulations, enterprises will turn to outside firms for 90% of their security by 2010, according to Yankee Group."