
When Offshoring Comes to Infosec

Our manager gets word that some information security operations will be outsourced, and it has him worried.

By Mathias Thurman
May 7, 2007 12:00 PM ET

Computerworld - Offshoring IT work is nothing new for my company, but I have dreaded the day when I would be asked to offshore some of our information security work. So, when I tell you that I spent last week in India, you'll understand that it wasn't just the jet lag that had me feeling harried.

When it comes to budgets, IT is not a high priority for my company. Most internal investment is in product development, because that is what keeps us competitive and makes money. In every other area, we are always looking for ways to cut costs, and for several years, we've been doing that by moving certain jobs and functions to lower-cost countries. We outsource some of our product source code development to Russia, hardware engineering to China, training and knowledge management to Singapore, and application development and engineering to India. I understand the reasoning behind moving certain operational and support tasks offshore, and I believe the cost savings far outweigh the risks. But information security is another story entirely, and I don't say that because I want to protect my turf. I'm talking about protecting the company.

In the hiring process, we hold security engineers to a higher standard than other employees, since in giving them the ability to access our critical infrastructure, we are giving them the keys to the kingdom. If security engineers are going to effectively protect intellectual property and detect network intrusions, they have to be able to monitor all network and employee activity. While no employee should expect privacy on a corporate network, the truth is that many people engage in very private personal and business matters at work. We have to be careful about whom we put in a position to be privy to all that sensitive information. Having people offshore do that work makes me very uncomfortable.

So, there I was in India, trying to put my mind at ease. I was very impressed with the security operations of one of the Indian companies I visited. Its network operations center put my company's in-house capabilities to shame. The Indian company has invested heavily in enterprise-class monitoring, configuration management, documentation, process and procedures.

But while offshoring would let us take advantage of certain economies of scale, the trade-off is a lack of oversight and security. One key will be retaining control of all that I can while leveraging the budgetary advantages of a lower-cost workforce. Take Tripwire as an example. We use it to monitor changes to files. If we outsourced this activity, I would insist that we in the U.S. continue to define policies (that is, which files are to get monitored), while the actual execution of the policy and the monitoring operations themselves would be moved to India. I would still be responsible for compliance, oversight and escalation, but the day-to-day operational activities would be conducted overseas.


