Outsourcing Info Tech Security


We often read news about cyber criminals hacking websites for trade secrets and financial account information.

Last year it was reported that the United States Office of Personnel Management experienced a massive data breach affecting as many as 21.5 million federal employees and civilians. It has been described by federal officials as among the largest breaches of government data in the history of the United States. Information targeted in the breach included personally identifiable information such as Social Security numbers, as well as names, dates and places of birth, and addresses. The hack went deeper than initially believed and likely involved theft of detailed security-clearance-related background information (Source: NBC News, Oct 1, 2015 & Wikipedia).

Should organizations outsource information technology security?

Let me share with you the insights of my nephew-in-law, Felipe Lapitgo, a graduate of the University of the Philippines who is presently a Software Development Technical Lead at Dovel Technologies, Information Technology Services, in Rockville, Maryland, U.S.A. He has extensive experience in I.T., having worked with I.T. companies such as Niyamit, Inc. as Senior Software Developer, RN Solutions as Software Development Lead, and Verizon (Info Vision) as Senior Software Developer.


“For almost all the organizations I’ve been a part of, we do not outsource IT security. We always hire IT security (cyber security) experts to do it in-house. These experts that we hire, as much as we could, should be CISSP (Certified Information Systems Security Professional). In some situations, we train someone from our organization to become CISSP and take care of and be accountable for our IT security.

There was only one instance where I have been part of an organization that “outsourced” IT security. It’s not really “outsourcing”, but we are a contractor and we are accountable for the IT security of our client’s organization.

But before we could do it, we went through an intensive background check and we needed to pass the secret clearance check. This means that the organization that outsourced the IT security to us did all their diligence and all they could do to make sure that we could be trusted with their data and IT security. The burden of making sure that we can be trusted is on the client.

As much as you can, IT security should be in-house. If that is not possible, the organization has all the responsibility to make sure that they can trust, and hold accountable, the IT security in-charge.

For stipulations to include, it really depends on how sensitive the data is and what the value of that data is to the organization.

*Ask the outsourced IT security contractors to pay whatever the value of the data they are securing is to the organization. (This might result in an immediate push-back from the contractor)

*Do regular and thorough breach penetration testing

*Do regular and thorough IT security assessments

Sometimes, when a security breach happens, it’s too late to fix, like when someone releases source code or some scandalous media is released. When that happens, it’s already out, everyone will have a copy, and it’s impossible to clean up.”

Typically, only large organizations can afford an in-house security team. The adoption of managed security services is often driven by the cost effectiveness of gaining access to specialized security tools and expertise on a shared basis. Compliance requirements also push organizations toward security outsourcing to help meet their regulatory obligations. The issues to be considered in balancing security needs against budgetary constraints are the value added to the business, choosing a supplier, choice, risk and due diligence.

Security outsourcing remains a challenge for many organizations.

 
