Friday, August 31, 2012

Do security like a start-up or get fired - Own your security

This is part of a blog series. For more details, start with the intro.

Own your security programme

We rarely see start-ups hire consultants to "consult" on IT security (except perhaps if they've had an incident and need to be seen as having done something about it). However, in larger organisations with complex environments this is commonplace. Whether enterprises choose to use external security consultants or outsource certain security functions, the most important thing to remember is this: your external provider must never be responsible for your security.

Unfortunately, in far too many organisations, there is the tendency to fall into the trap of ceding responsibility once they've outsourced something or brought in external consultants. Many forget that outsourcing functions or operations does not imply the outsourcing of responsibility. It is absolutely crucial that the organisations continue to make their own IT security decisions, maintain responsibility and take ownership.

The instant that members of an organisation start thinking that the external provider is responsible for IT security, immediate action needs to be taken to correct the perception (and potentially the processes). A good sign is best illustrated by a question I once asked the security manager of a large bank:
"Why is this security process done this way?"
The answer floored me:
"That's how the outsourcing vendor does it, but we're not sure why. It doesn't actually make sense to us why it's done this way."
How can improvements ever be made if an organisation does not know the reason behind how things are done? This particular issue is not limited to the IT security area. It is a common trap organisations fall into when they outsource anything. But IT security is one of the most critical areas to keep on top of.

There is also the ever-present threat of "analysis paralysis". This is the condition where the consultant or outsourcing provider produces too many documents and designs, which end up gathering dust. All the budget's been spent on producing documents, but there isn't any money left to move forward. Instead of shelf-ware, organisations end up with shelf-paper (figuratively speaking of course, as it's usually a digital shelf in today's environment).

Next up - Evolve.

No comments: