Panel: Do not outsource all security

ITWorldCanada - TORONTO - In a time when outsourcing is all the rage and IT security is slowly following this trend, panelists at yesterday's Infosecurity conference in Toronto were in agreement that certain portions of a company's security should always be kept in-house becaue they are too important to entrust to others.
"Never, ever outsource anything that touches your clients," said Rosaleen Citron, CEO of WhiteHat Inc., during the "view from the top" panel discussion. If something happens to corporate clients, from a security perspective, no matter whose fault it is, the company, not the outsourcer, gets the blame and its brand and image suffers.
Last year, the BMO Financial Group learned a version of this truth when two of its servers containing customer information inadvertently ended up on eBay for a few hours after one of its outsourcers shipped the wrong pallet. The mistake, from a "keep it in-house" security perspective, was that the bank should have wiped the server drives clean itself.
Ron Ross, chief strategist for Bell Canada's Managed Security Solutions, said the key to successfully defining what can be outsourced and what must be kept in-house is to define what is core to a company's success and what is contextual. "Core, keep in-house; context, let it go."
But not all information directly pertaining to security is considered to be core to a company's success.
For many companies, managing firewalls, intrusion-detection systems and antivirus softwate are a headache best lived without. Outsourcing them, or at least their attributes, can be a wise security move, said Michael Murphy, Canadian country manager for Symantec Corp.
Though many companies still want control over the above-mentioned security solutions, they pass on the configurations to a third party to monitor them and to aggregate the data with other systems around the world. This gives Symantec (as well as other companies offering managed security services solutions) the ability to advise its customers of trends and events as they develop, instead of waiting until they happen.
He likened self-monitoring your IT security environment to monitoring your home alarm system. Homeowners control the alarm but let someone else monitor it.
Murphy cited Symantec's statistics that show that companies using its managed security services for more than six months suffered fewer "severe events" than those newly signed on. Symantec was better able to understand the specific security needs of those clients with "tenure" and thus better apprise them of specific defense strategies for developing attacks. During a six-month period (July to December 2003), 100% of those clients with

Reprinted with permission from

For more news from ITworldcanada.com, visit its Web site.Story copyright 2006 ITworldcanada.com. All rights reserved.