Is security outsourcing a viable alternative?
Michael Farnum, continuing his discussion about the never-ending list of responsibilities of a security manager, posts an article about using outsourcing to lighten the load. I commented that outsourcing generally is good for commodity types of security, like firewalls, IDS, etc., but not for some of the more complex security functions. CJ Kelly, another Computerworld blogger, comments that in her opinion there is never a good reason to outsource security. While I don't agree with CJ, I think for certain functions and in the right circumstances it is OK to outsource security. I don't think the reason to do it is to save the overworked security manager time.
From an economic perspective, outsourcing does not save you any money. For someone looking to stretch the dollar and get more bang for the buck, outsourcing does not deliver the goods. In an earlier life I helped put together a company called Interliant. We were an ASP, host and MSSP (before it was fashionable). Though we tried to sell the "outsourcing saves money" point, our own studies proved it did not. If someone like Michael would take the money he is going to spend on outsourcing and hire a good, young security wannabe, I think he would get a lot more productivity and retain an important level of control versus outsourcing.
Besides the economics, the other outsourcing factor to consider is the quality of the tools that the MSSP uses. Many use their own homegrown solutions based on the popular open source tools. Though the underlying open source tools are good, the packaged applications the MSSP uses are generally not exactly best-of-breed compared to COTS (commercial off-the-shelf) products. So, not only are you paying more, you are getting less. There are other things to consider about outsourcing, including the stability and integrity of whoever you are trusting your security to. I am not saying never to outsource, but I would think long and hard before I did, and I would make sure it was for the right reasons.





