Improving security is number one factor in deciding to outsource assessments

Outsourcing assessments make sense if you don’t have the time, tools or talent

Monday, July 3, 2006

AUSTIN, TX – When your organization decides that it needs proactive management of its security infrastructure, such as quarterly perimeter penetration tests and annual assessments, it must then make the build vs. buy decision. You must understand the scope and boundaries of a potential outsourcing arrangement and determine the internal resources that will be required to achieve the same desired level of security capability. Sourcing decisions must be based on an analysis of required security capabilities, current operational capabilities and cost.

Focus on Improving Security Controls

Gartner research shows that buyers of outsourced security rank "improving security posture" as the most important factor in deciding to outsource. Other motives include faster responsiveness and avoiding additional hiring. Reducing current levels of spending is not a primary driver for outsourcing security functions. Similarly, for enterprises that have already outsourced functions, security posture (with vendor performance) leads the list of criteria for renewing the service. It is important to be clear about your expectations for a security outsourcing engagement.

Northwest Hospital, these alleged attackers hacked into powerful servers at California State University, Northridge; and, the University of Michigan and the University of California, Los Angeles. They also hacked into a server at the Planet, an Internet service provider, and installed "Internet Relay Chat" server software using the machine as a home base for a botnet.

Allocation of Security Staff

If your organization has a shortage of skilled security practitioners, or you wish to focus your established security resources on activities such as root cause elimination and security standards/process development, you can use an outside assessment company to offload many of the assessment operational functions. Outsourcing assessment and review of the network perimeter and internal network controls reduces your need to hire, train and retain security skills for that function, and frees up existing security expertise for higher value security projects.

Process Capability and Staffing for Prevention and Remediation

Vendor Performance

No two vendor security assessments are the same. For example, some take the tell-me-show-me approach by asking you, “Do you have a Firewall?” and then, “Show me your Firewall.” Each subsequent question and answer earns you a rating on a score card. This approach generally includes some type of statistical sampling of equipment to provide a representation of the whole. Other companies, like Spohn through its NetAUDIT™ assessment services, actually inspect and test nearly all of the equipment possible to provide an accurate assessment of all the vulnerabilities throughout the organization. Some companies dump an entire list of possible vulnerabilities found. Spohn provides a list of the most probable vulnerabilities ranked by criticality by using tools and multiple approaches to eliminate the false positives. Most companies provide remedy recommendations but Spohn is one of a very few that provide tools that help you save time and money on the planning and remediation. You must evaluate services thoroughly to determine whether the vendor is doing the work you need them to and that their services provide you the most value for the dollar.

About Spohn

Spohn Consulting, Inc. is a professional services firm specializing in security assessment for small, medium and large businesses in the United States.
Spohn is privately held with corporate offices in Austin, Texas and regional sales offices in California, Chicago, Maryland, New Jersey, New York, and Texas.

About NetAUDIT™

NetAUDIT is a complete suite of assessment services based on Spohn's proven methodology for identifying vulnerabilities and misconfigurations in administrative, physical and technical security controls. NetAUDIT assessments assist companies in preventing unauthorized access to information, systems, networks and facilities and lower risk of loss to the organization.

© Spohn & Associates, Inc. 2006