Related link: http://loop.interop-comdex.com/comments/199_0_1_0_C/
The line just about summarizes this truly insightful piece from Marcus Ranum: “Security is not about doing a lot of smart things. It’s about not doing a few dumb ones.”
I am a bit surpsised about “Don’t outsource security” stance though. While I’ve heard about some people having bad experiences with outsourcing security, it seems like it might be the best option for some small and medium companies with no security staff. Some say “we are in business of doing X and not in business of “doing IT”; thus we will outsource IT”. Same argument seem to apply to security perfectly…
Outsourcing security
Security for small/medium sized businesses is a real conundrum. My thought is this - if you have your own in-house IT staff, there is absolutely no reason to outsource security. It should be handled in-house as well.
Many small/medium businesses don't have an IT staff, or they have one person who is a part time engineer/part time sysadmin. In these cases outsourcing security might make sense, but:
How is the company going to know that the outsourcing provider is competent, isn't installing backdoors into their systems, etc etc? When you have little or no IT experience in your company, it can be very difficult to tell a real security provider from a fake or bad one.
Outsourcing security
>When you have little or no IT experience in your company, it can be
>very difficult to tell a real security provider from a fake or bad one.
This situation is similar to that faced by companies that outsource their Accounting rather than hire their own accounting staff. The solution is the same too. Note in your contract that you have the right to bring in external auditors to check that everythig is streight.
Yes there's the extra cost of the auditing, but it wouldn't have to be done every year and frankly what other options do small businesses have?
Simon Hibbs