Security Outsourcing - Is it time?
IT Topics: Management, Security
In my personal blog, I have been writing a series about how to be an effective security manager. In the first installment, I wrote about making yourself known to the executives and the general populace of the company by simply being social. In the third installment, I suggested sticking to the basics of security, like security-in-depth, risk management, etc. But it is the second installment that I want to pull from for this post.
In that post I advised that you make a list of all the things you do so you can get organized and to inform your boss and everyone else of the many responsibilities you have (the second reason may sound petty, but hey, somebody besides your dog needs to know how hard you work - and he's probably tired of hearing about it). The post listed a veritable smorgasbord of security admin / manager tasks. And it was not even near a complete list of all the things security practitioners have to get done to make their network secure.
When I look at that list, I have to ask the same question Alan Shimel asked: How many hours can you work in a day? I have slowly come to a very simple answer: not enough.
Take a look at the list I mentioned above. See if you could handle that load and not work 50-60 hours a week. Don't think so? Then what do you do? How can you get it all done and actually have a life? Well, I must say that I have been forced to re-think a position I have held dear for most of my IT career. I am starting to seriously take another look at... outsourcing. GASP! SCREAM! (--cue Friday the 13th and Freddy music and loud end-of-the-world explosions here--)
Now before you get your knickers in a knot, I am not talking about firing a bunch of people and keeping them in their jobs only long enough to train their replacements in some other country. I am talking about someone remotely managing some of your security assets. I am talking about handing some lower-level security admin tasks to a third party: monitoring the SIM, opening and closing ports on the firewall, and the like.
I know that this does not always fit well in a company. A dynamic company with a lot of change really needs a flexibility that most outsourcing firms will not be able to provide. But if you can afford some loss of flexibility, then it might work. And think about this: it also gives you an almost instant change control process (if the company does things right), and change control is always a major audit point.
I say it is worth looking into this option. I really don't like the thought of losing control (many firms don't let you into the firewall once you turn over management, but that points back to the change control benefit). But the sheer volume of work makes it a bona fide alternative.
Think about it.