Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/15/2006
03:51 PM
Alice LaPlante
Alice LaPlante
Commentary
50%
50%

Outsource Security Carefully, And Carry A Big Audit Plan

Are IT managers desperate if they outsource security? That's the provocative question Larry Greenemeier asks in today's issue of InformationWeek. His conclusion? A resolute no. In fact, hiring an independent service provider might just be your best bet for staying safe in the midst of rising threats against malware, hackers, and internal saboteurs.

Are IT managers desperate if they outsource security?

That's the provocative question Larry Greenemeier asks in today's issue of InformationWeek. His conclusion? A resolute no. In fact, hiring an independent service provider might just be your best bet for staying safe in the midst of rising threats against malware, hackers, and internal saboteurs.It's a good question, though. After all, handing over the job of keeping your all-important networks, systems, and data safe can seem like an act of last resort, acknowledging-as Greenemeier points out-that the job is simply too much for you. Yet isn't it better to make such an acknowledgement and seek appropriate help rather than denying evidence that you may be putting your organization at risk?

Still, outsourcing shouldn't be done casually and without stepping exceedingly carefully through the vendor selection process. Greenemeier outlines the minimal actions you must take with this regard.

One thing he doesn't mention, however, which should be at the top of any IT professional's list: active risk management of vendors using independent third-party auditors. And a just-released study by Ernst & Young indicates that IT managers are woefully unprepared when it comes to protecting themselves against incompetent, unskilled, or generally ineffectual third-party security service providers. Only 14 percent of the 1,200 global IT professionals surveyed have formal security risk management procedures in place that are properly validated by auditors. And let's face it: independent auditing of vendor effectiveness is the single-perhaps the only-way to sleep at night when outsourcing something as important as security.

Indeed, although 60 percent of the survey participants who had outsourced information security activities already--or who were planning to do so--said they were doing it to focus valuable IT resources on other key areas, most were "overwhelmingly emphatic" about their determination not to outsource security functions because of the risks involved.

What do you think? Have you outsourced all or part of your security activities? Why or why not? Let me know what you think by responding below.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20925
PUBLISHED: 2020-11-24
An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions...
CVE-2020-5641
PUBLISHED: 2020-11-24
Cross-site request forgery (CSRF) vulnerability in GS108Ev3 firmware version 2.06.10 and earlier allows remote attackers to hijack the authentication of administrators and the product's settings may be changed without the user's intention or consent via unspecified vectors.
CVE-2020-5674
PUBLISHED: 2020-11-24
Untrusted search path vulnerability in the installers of multiple SEIKO EPSON products allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
CVE-2020-29002
PUBLISHED: 2020-11-24
includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator.
CVE-2020-29003
PUBLISHED: 2020-11-24
The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:CreatePoll or Special:UpdatePoll.