[ISN] Panel: Do not outsource all security

From: InfoSec News (isn@private)
Date: Thu Jun 03 2004 - 23:36:22 PDT

  • Next message: InfoSec News: "[ISN] Bank glitch leaves 10 million Canadians without paycheque"

    By Chris Conrath
    JUNE 03, 2004 
    TORONTO - In a time when outsourcing is all the rage and IT security
    is slowly following this trend, panelists at yesterday's Infosecurity
    conference in Toronto were in agreement that certain portions of a
    company's security should always be kept in-house becaue they are too
    important to entrust to others.  "Never, ever outsource anything that
    touches your clients," said Rosaleen Citron, CEO of WhiteHat Inc.,
    during the "view from the top"  panel discussion. If something happens
    to corporate clients, from a security perspective, no matter whose
    fault it is, the company, not the outsourcer, gets the blame and its
    brand and image suffers.
    Last year, the BMO Financial Group learned a version of this truth
    when two of its servers containing customer information inadvertently
    ended up on eBay for a few hours after one of its outsourcers shipped
    the wrong pallet. The mistake, from a "keep it in-house" security
    perspective, was that the bank should have wiped the server drives
    clean itself.
    Ron Ross, chief strategist for Bell Canada's Managed Security
    Solutions, said the key to successfully defining what can be
    outsourced and what must be kept in-house is to define what is core to
    a company's success and what is contextual. "Core, keep in-house;  
    context, let it go."
    But not all information directly pertaining to security is considered
    to be core to a company's success.
    For many companies, managing firewalls, intrusion-detection systems
    and antivirus softwate are a headache best lived without. Outsourcing
    them, or at least their attributes, can be a wise security move, said
    Michael Murphy, Canadian country manager for Symantec Corp.
    Though many companies still want control over the above-mentioned
    security solutions, they pass on the configurations to a third party
    to monitor them and to aggregate the data with other systems around
    the world. This gives Symantec (as well as other companies offering
    managed security services solutions) the ability to advise its
    customers of trends and events as they develop, instead of waiting
    until they happen.
    He likened self-monitoring your IT security environment to monitoring
    your home alarm system. Homeowners control the alarm but let someone
    else monitor it.
    Murphy cited Symantec's statistics that show that companies using its
    managed security services for more than six months suffered fewer
    "severe events" than those newly signed on. Symantec was better able
    to understand the specific security needs of those clients with
    "tenure" and thus better apprise them of specific defense strategies
    for developing attacks. During a six-month period (July to December
    2003), 100% of those clients with less than three months of tenure had
    severe events. This number fell to 30% for those clients using
    Symantec's services for more than six months, Murphy said.
    Though Dean Provost, president of IT services at Allstream Corp.,
    didn't join the outsourcing debate, he had some advice for companies
    as they increase internal, as well as external, interconnectivity.
    As connectivity increases, so too does complexity, Provost said. "You
    create a larger surface area that you have to protect, [so you have]
    to think about what kind of environment you have created."
    Companies have to pay careful attention to who has access to what
    information. "When we get audited, one of the things they ask is about
    [our] internal IT environment," he said. As a result of this attention
    to security details, Allstream can reduce its IT-related insurance
    bill, he said.
    ISN mailing list
    Sponsored by: OSVDB.org

    This archive was generated by hypermail 2b30 : Fri Jun 04 2004 - 02:21:12 PDT