Latest blog entries - http://www.itnewsandviews.com/index.php/latest - Tue, 19 Sep 2017 14:37:43 -0400 (Joomla! - Open Source Content Management, en-gb)

Study Shows Improved Practices in Cloud Security, Sometimes
http://www.itnewsandviews.com/index.php/entry/security/study-shows-improved-practices-in-cloud-security-sometimes

CA Technologies and the Ponemon Institute recently conducted a study titled “Security of Cloud Computing Users 2013.” The study finds that many companies have improved their cloud computing security practices compared with a previous study from 2010. The responses also raise questions and concerns about organizations’ use of security best practices and their awareness of the cloud services used within their organizations, and they confirm that there are conflicting views on who is most responsible for cloud security.

What should be done?

It is common knowledge among CIOs and CISOs that organizations with well-devised security policies share essentially five characteristics and best practices. According to recent comments by Ben Rothke, Manager of Information Security at Wyndham Worldwide, these are the five most notable:

1. Have a CISO: Somebody needs to drive security. For example, a Chief Financial Officer is critical for driving finances. Similarly, a Chief Information Security Officer is critical for spearheading the company’s security practice.

2. Risk Management: Risk drives everything. The CISO understands the risks and threats the organization faces and designs a security program around that. This must be customized and not a series of standard “best practices.”

3. Invest in people, not products: The cost of hardware and software purchased has no direct bearing on the level of security. A company that has great talent using open source products will be more secure than a company that spends millions on proprietary tools but does not intrinsically know how to use them.

4. Policies and procedures: It’s very important to have standardization across all business units and processes. You want the firewall installed and managed in one location to be installed and managed the same way in another location. “If things aren’t done via standard processes you’ll have inconsistencies and that’s where security breaches and mistakes happen. When you don’t have common procedures and common practices things are done ad hoc, and ad hoc is the enemy of good security.”

5. Awareness: People have to have situational awareness of what they’re doing. For example, if you don’t have effective key management, all the security you have may be useless.

Back to the study.

“While cloud computing is still one of the most disruptive and promising trends of the past decade, the study shows that cloud security struggles to get past a grade of 50 percent when it comes to best practices, including the percentage of organizations that say they engage their security teams in determining the use of cloud services,” said Mike Denning, general manager, Security, CA Technologies. “We believe that organizations can do better and gain the benefits of cloud computing by reducing risk and achieving that desired balance of protection and business enablement.”

The study provided several key insights:

• Cloud confidence and best practices are improving but further progress can be made. Positive survey responses only hovered around half (50 percent) for any given question around cloud security best practices, such as vetting services for security risk, engaging the security team in determining cloud service use and assessing how a cloud service could impact data security. In addition, while this statistic improved by five percent from the 2010 survey, only 50 percent of organizations are confident they know all the cloud services in use within their organization.

• Responsibility for cloud security is mixed with a bias toward end users and IT Security getting a pass. The survey shows a concerning lack of agreement remains regarding who has responsibility for cloud security. While some organizations expect their cloud services providers to ensure the security of SaaS and IaaS applications (36 percent and 22 percent, respectively), a significant amount of the responsibility is assigned to companies’ end-users (31 percent for SaaS; 21 percent for IaaS), and very little responsibility was assigned to IT Security (eight percent for SaaS and 10 percent for IaaS). This relinquishment of responsibility points to a lack of clarity around ownership, which may lead to gaps in security processes and governance.

• Users prefer hybrid identity and access management (IAM) security solutions. Sixty-four percent of survey respondents would prefer a hybrid IAM implementation that supports both on-premise and cloud-based applications.

“Confidence in and best practices for the security of cloud computing is improving but not as significantly as one might have expected since our 2010 study,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Our latest study offers organizations new data that should spark them to examine their own internal practices which could result in improvements in how they adopt and secure cloud services and applications.”


james.lee@mymediainc.net (James) Security Thu, 21 Mar 2013 22:07:08 -0400

Ten Most Popular Cloud Computing Countries
http://www.itnewsandviews.com/index.php/entry/cloud-computing/ten-most-popular-cloud-computing-countries

Are cloud procurement decisions by CIOs and CTOs based purely on pricing and a favorable service level agreement? Apparently not, as a new report shows that Japan, Australia and the United States currently have the most supportive legal environments for cloud computing. The study considers the technology environments of 24 nations and finds that different operating environments across the globe lead to vastly different cloud adoption rates.

The new study by BSA-The Software Alliance finds that while many of the world’s biggest IT markets have slowed quite a bit or even decreased in terms of local adoption, others are embracing laws and regulations conducive to cloud innovation. The second annual report also finds that policy fragmentation persists, as some countries, aiming to promote local cloud markets, adopt laws and regulations that inhibit cross-border data flows or skew international competition.

We have recently reported that the cloud will drive the creation of hundreds of thousands of new IT jobs globally and especially in the US over the next decade. According to recent research from Gartner, the subscription Web services market is now forecast to grow 19.6 percent in 2013 to total $109 billion worldwide. This estimate is revised up from projections of 12 percent to 15 percent previously reported. 

CIOs are fully engaged with the public cloud’s pervasiveness in the enterprise and expect it to continue to grow rapidly in their organizations. Key areas of growth will include Infrastructure Services/Platform as a Service (PaaS), System Infrastructure Services/Infrastructure as a Service (IaaS) and Cloud Management and Security Services.

The BSA report ranked nations on the basis of their support for data privacy, security, cybercrime prevention, intellectual property rights, free trade, industry-led standards, information technology readiness, and broadband deployment.

The following are the 10 top-ranked countries in terms of cloud environments:

1. Japan
2. Australia
3. United States
4. Germany
5. Singapore
6. France
7. United Kingdom
8. South Korea
9. Canada
10. Italy

BSA says this year’s biggest mover in the rankings is Singapore, rising to fifth from 10th place a year ago.

Malaysia is also demonstrating progress in the right direction, bolstering cybercrime and IP laws and opening itself for increased digital trade, BSA adds.

The U.S. has moved into third, passing Germany now in fourth. BSA credits “useful advances in standards development for cloud computing and infrastructure improvements rather than major policy improvements” within the U.S.

Canada, Russia, and India all also moved up the rankings by implementing international IP agreements.

Policy improvements in many of the world’s biggest IT markets have stalled, BSA adds.  All six European Union countries covered in the study have lost ground in the rankings. Others are “effectively unplugging themselves from the global market — with especially counterproductive policies in Korea, Indonesia and Vietnam.”

Trade agreements are an important component of a nation’s cloud competitiveness, and should encourage the free movement of data and applications across borders, BSA says. “Governments must work to establish a framework that is rigorous enough to meet individual countries’ privacy concerns but flexible enough to ensure the free flow of cross-border data transfers.”

According to the BSA report, to ensure the growth of cloud computing, the obligations in forward-looking trade agreements should include provisions that:

1. Explicitly prohibit restrictions on the provision of cross-border data services.

2. Prohibit requiring the use of local computing infrastructure, such as servers, as a condition for providing, or investing in the provision of, cloud services in the country.

3. Prohibit the use of standards and licensing requirements in ways that restrict trade.

4. Cover purchases by private businesses and consumers and government procurement, including by state-owned enterprises.


james.lee@mymediainc.net (James) Cloud Computing Wed, 06 Mar 2013 23:15:25 -0500

US Clamps Down on Spying by China, Others
http://www.itnewsandviews.com/index.php/entry/security/us-clamps-down-on-spying-by-china-others

First it was copyright and patent infringement; now the White House has warned China and other countries that there will be trade and diplomatic actions over recent corporate espionage discoveries. The White House has cataloged more than a dozen cases of cyber attacks and commercial thefts at some of the U.S.'s biggest companies. The U.S. has documented the costs of espionage, the competitive disadvantages, and the job and product losses that American firms such as General Motors and DuPont have already had to confront.

"There are only two categories of companies affected by trade-secret theft: those that know they've been compromised and those that don't know it yet," Attorney General Eric Holder said at a White House conference Wednesday. "A hacker in China can acquire source code from a software company in Virginia without leaving his or her desk."

The White House did not specify actions it would take against China, but its strategy document is loaded with examples of Chinese theft of corporate secrets from top American firms, and officials said the administration has repeatedly raised the theft issue at senior levels of the Chinese government.

"With respect to China, protection of intellectual property and trade secrets remains a serious and highly troubling issue," said Undersecretary of State for Economic Affairs Robert Hormats, at the White House event, which marked the beginning of the new strategy.

Of the 19 cases that had resulted in charges and convictions detailed in the strategy document, 16 involve theft aimed to benefit entities in China, such as stolen hybrid technology from GM and military secrets from defense contractor L-3 Communications Holdings Inc., among others.

In addition to denying it condones computer hacking, China also has said that it is itself a victim of cyber attacks and that Chinese law forbids such attacks.

Akamai Technologies, which monitors large amounts of web traffic, said in the third quarter of 2012 China was the world's No. 1 source of observed attack traffic, with 33% of such traffic. The U.S. was second, at 13%.

U.S. intelligence agencies issued a rare public report in 2011 that identified Chinese hackers as the "most active and persistent perpetrators of economic espionage." Senior intelligence officials said the Chinese government and sympathetic hackers are behind the cyber spying.

It is reassuring to see the US finally taking a tough stance on cyber criminal activities. These actions follow an executive order that President Barack Obama signed last week to create voluntary cyber security standards for companies running critical infrastructure like the electric grid.


james.lee@mymediainc.net (James) Security Wed, 20 Feb 2013 21:51:22 -0500

Cybersecurity, Private Clouds, Privacy are Top 2013 Tech Trends
http://www.itnewsandviews.com/index.php/entry/security/cybersecurity-private-clouds-privacy-are-top-2013-tech-trends

The global nonprofit IT association ISACA recently issued guidance for CIOs and their organizations on managing three top tech trends that are expected to pose major challenges to businesses in 2013: cybersecurity threats, private vs. public clouds, and data privacy.

ISACA is a provider of best practices and expertise as it strives to help its 100,000 members worldwide navigate the changing IT landscape. Many IT professionals globally will follow ISACA recommendations in order to build trust in and value from enterprise information including Big Data initiatives.


Cybersecurity

We now know the numbers. The war on cybercrime continues for most organizations, and especially for their IT departments and CISOs. The total number of computer viruses, trojans and web attacks is growing at its fastest pace in four years.

In its recent quarterly "Threats Report", McAfee said that it had found more than 8 million new kinds of malware in the second quarter, an increase of 23% over the first quarterly report. There are now more than 90 million unique strains of malware in the wild, according to McAfee.

Viruses that send unsolicited emails and attack websites, as well as search engine poisoning — where unwitting users are misdirected toward questionable or fraudulent sites — are among the increasingly sophisticated tactics used to capture and exploit consumer data and pose threats to international supply chains.

“As more devices utilize IP addresses, the attack surface will become larger and threats to cybersecurity will increase. Cyber criminals will dedicate themselves to finding increasingly complex methods for attacks in 2013,” said Jeff Spivey, CRISC, CPP, international vice president of ISACA and director of Security Risk Management Inc.


Privacy Concerns Continue to Grow

CISOs and IT professionals have to manage not just threats of data leakage and identity theft, but also growing consumer and employee concerns about data privacy.

According to  Robert Stroud, member of ISACA’s Strategic Advisory Council, "Nearly 90 percent of US consumers who use a computer, tablet PC or smartphone for work activities feel their online privacy is threatened, but many persist with actions and attitudes that put that privacy and security at risk."

“The protection of personally identifiable information (PII) is the responsibility of both organizations and individuals,” said Greg Grocholski, CISA, international president of ISACA. “Organizations need to have a governance structure in place to ensure that PII is managed and protected throughout its life cycle. Individuals must be aware of what PII they are providing and to whom. To be successful, data protection must be a joint effort.”

He continued, “Privacy by design, confidentiality of location-based information,  the consumerization of IT, and an increase in legislative and regulatory mandates that will drive more privacy audits are among the top 2013 trends in data privacy that ISACA anticipates will need to be addressed.”


Private Vs. Public Clouds

Over the next 12 months, information security concerns will prompt a growing interest in private or hybrid (public/private) cloud solutions. The expected rise of “personal clouds” will add to the challenge of protecting data for a mobile work force that embraces BYOD (“bring your own device”). Cost, speed, manageability and security are the factors most debated in cloud computing.

ISACA’s 2012 IT Risk/Reward Barometer shows that IT professionals remain wary of public clouds; 69 percent believe that the risk of using public clouds outweighs the benefit. Opinions of private clouds are the opposite — the majority (57 percent) believes the benefit outweighs the risk. Other findings include:

• Among people using cloud for mission-critical services, there is a 25-point difference between those who use private (34 percent) versus public (nine percent).

• One of the high-risk actions employees take online is using an online file-sharing service, such as Dropbox or Google Docs, for work documents (67 percent).

• The most effective way to reduce IT risk is to educate employees (36 percent).

Despite these concerns, CFOs (to whom over half of CIOs report) still look to cloud for return on investment.

In the end it really does come down to effective planning and communications. The relationship between the CIO, CISO and other C-level executives really matters. Companies with strong, collaborative relationships between the CIO and other C-suite executives are four times more likely to be top-performing companies than those with fragmented relationships, according to PricewaterhouseCoopers LLP’s fifth annual Digital IQ survey, recently released.

Digital IQ is a measure of how well companies understand the value of technology and how successfully they link information technology investments to their business strategy.

james.lee@mymediainc.net (James) Security Tue, 12 Feb 2013 21:42:14 -0500

Is Oracle Finally Delivering the Network Computer?
http://www.itnewsandviews.com/index.php/entry/it-management/is-oracle-finally-delivering-the-network-computer

If Larry Ellison and Oracle cannot build and deliver a successful Network Computer as they proposed doing in the 1990s, then the next best thing is to incrementally piece together all of the component parts to deliver on their decades-long dream. Oracle has just fitted another piece of the puzzle with Acme Packet. With this acquisition they bridge the divide between their database, an app running on a mobile device, and the great ether between the two.

Having an integrated communications service capable of supporting their front and back ends will only help to further deliver a homogeneous vendor solution to their growing global client list. 

Whether an organization chooses to self-host its servers, use a cloud-based solution, or adopt a hybrid cloud architecture, organizations continually strive to simplify and reduce the overall number of vendors that deliver these critical services. Now Oracle can further deliver on this promise.

Oracle intends to integrate Acme's offering with its own communications product portfolio, alongside other core network products such as its network application platform and tools to manage service availability.

The move will enable it to help service providers monetize their IP networks, according to a statement from Oracle.

That's a matter of perpetual concern for network operators concerned that they will become nothing but a commodity "bit pipe" as application providers reap all the profits.

Oracle faces a saturated market for the product among major telecommunications companies, as 89 of the world's top 100 communications organizations are already Acme customers, it said. Oracle will use Acme's presence in those accounts to upsell customers on its broader array of offerings for communications providers.

A document about the deal released on Monday by Oracle includes a diagram showing how Acme's technology will fit within Oracle's "core network" product portfolio, in between sales, billing and supply chain applications on one side, and end-user applications and devices on the other.

Oracle also plans to bring on Acme Packet's staff following the transaction's close, according to the Oracle document. Additionally,  Acme employs "880 domain experts in IP networking."

"The communications industry is undergoing a dramatic shift as users become more connected and dependent on mobile applications and devices," said Bhaskar Gorti, senior vice president of Oracle Communications, in the company's statement. "Service providers and enterprises need a comprehensive communications solution that will enable them to more effectively engage with their customers."

The Acme Packet deal continues Oracle's spending spree. In December, the database giant announced a $810 million deal to acquire cloud specialist Eloqua, the latest in a string of acquisitions.


james.lee@mymediainc.net (James) IT Management Mon, 04 Feb 2013 21:10:02 -0500

Popular Tweet Topics Among CIOs
http://www.itnewsandviews.com/index.php/entry/it-management/popular-tweet-topics-among-cios

When CIOs and CTOs interact with social networks, what are they tech-talking about? According to a study by Logicalis in its annual “Top 10 Tech Trends to Watch”, there is plenty of tweeting going on. The study, which analyzes CIOs’ and CTOs’ social media conversations, has helped determine the important buzzwords and trends on top IT execs’ minds. Least surprising were the experts’ in-depth discussions about the cloud. Most surprising was the fact that two of the top 10 topics included in-depth discussions about managed services.

“There’s no better way to find out what’s on customers’ minds than to tap into their social media buzz and hear just what they’re talking about,” says Lisa Dreher, vice president of marketing at Logicalis.  “Hearing first-hand what topics and concerns CIOs and CTOs are posting in blogs, forums, Facebook and Twitter gives us critical information that we can use to tailor our services to meet their needs.  It’s something every company should do at periodic intervals throughout the year, but particularly as the year winds down.  End-of-year discussions like these indicate clear trends that can drive innovation.”

What Are CIOs and CTOs Talking About? The following list indicates CIO and CTO top concerns today.


1. Cloud Computing is perhaps the most obvious topic of conversation. Within the Cloud space there were a host of critical sub-topics that included managed services for the cloud, the rising importance of hybrid clouds, moving applications to the cloud, and the ongoing debate over private versus public clouds.


2. Mobility: Holiday gift giving included many new electronic devices that will make their way into corporate environments.  CIOs and CTOs, bracing for the influx of new gadgetry and the impact of that wide assortment of devices on corporate IT systems and security, were talking about mobility with increasing fervor toward the end of 2012, making the bring-your-own-device (BYOD) movement and its associated management and security issues top-of-mind among social media conversations.  “Logicalis commissioned a significant BYOD study in late 2012 that showed the U.S. is ahead of other countries in asking employees to sign BYOD agreements, something that CIOs and CTOs are surely discussing now, at the start of a new year,” says Mark Kelly, Logicalis vice president of Communication & Collaboration.


3. Security: From the impact of BYOD to the possibility of data loss due to super storms and other disasters, CIOs and CTOs tasked with keeping their companies’ data secure – both physically and systematically – have had plenty to talk about.


4. Vendor Management: Managing a data center is hard enough from a technical perspective, but the asset and contract management that necessarily goes with it adds burdens that IT execs are beginning to realize can be effectively outsourced.


5. Big Data: When it comes to data-intensive operations, IT pros are faced with an array of challenges from meeting peak demands for computing horsepower to how to store all the data created.


6. Social Media: Not only is social media a convenient way to tap into the thoughts and opinions of colleagues, but it’s also becoming “the world’s fastest, largest and most accurate focus group,” Dreher says.  “CIOs and CTOs are clearly learning to tap these resources to see what IT trends they need to plan for and to find out what strategies their peers have employed that they too might want to adopt.”


7. Data Center Efficiency: Running an efficient data center without unnecessary redundancies and wasted computing power is a top priority for IT pros today.  Driving data center efficiency through virtualization requires CIOs to focus on key issues such as data center optimization, cloud computing, removing old IT assets, network rationalization, and managed services.


8. Innovation: Change is happening every day and a new normal has to be developed.  With data centers at the heart of most corporations, CIOs and CTOs have to re-think end-user computing, modernize application development and evolve their infrastructure before the need for the services and solutions they’re creating even exists.


9. Outsourcing: Two areas of surprise in this year’s study included the increase in discussions about vendor management and about outsourcing.  Top IT pros are beginning to see the advantages of doing what makes them a specialist in house, and turning over the reins for more mundane tasks to an experienced third party’s managed services team, freeing both time and resources to focus on more strategic technology projects.


10. Data Storage: As corporations rely increasingly more on their data and information, storage discussions among the technology experts supporting these companies naturally included everything from storage requirements to the solutions needed to meet those data management requirements.

james.lee@mymediainc.net (James) IT Management Mon, 28 Jan 2013 22:18:19 -0500

CISO Challenges: The Build vs. Buy Problem
http://www.itnewsandviews.com/index.php/entry/security/ciso-challenges-the-build-vs-buy-problem

In a previous post, I wrote about some things that were interesting from a very neat conversation with a healthcare CISO. This post is a follow-up to that initial post, discussing the very real Build vs. Buy problem many CISOs are running into. Whether it's for lack of available talent, time, or simply priorities, CISOs have to make this decision nearly every day, so this post discusses some of those choices, their consequences and rationale.


First off, let me explain what I'm talking about, just to level-set.  The "Build vs. Buy" problem in Information Security (not unlike anywhere else in IT) is a dilemma faced by the security leadership when trying to best service the business need with the available resources.  At some point the decision needs to be made whether to "do-it-yourself" (DIY) or outsource it to someone else.  The added catch is that in the healthcare industry some things you need to think twice through, because of regulations.


Why Build vs. Buy


Where does build vs. buy show up the most? While no organization, in size or in market space, is immune to wrestling with this question, the group that has to deal with it most is the SME (small to medium enterprise). When you're faced with all the issues that make you a target while battling small-scale budget and resource issues, you simply have no choice but to split the work and outsource some of it.


Budget finality means that you can't hire 10 software security experts to staff a team because you can't afford more than 1 or 2 - yet your organization has 300+ applications which undergo regular release cycles, some of them are even agile and there's just no way to keep pace.  Then there's the security infrastructure which needs constant care, updates, and tuning to your organization's pulse and you again simply don't have the manpower to keep pace.  


Change control, application security reviews, incident response, policy review, audit preparation, acquisition due-diligence... all of these require people, money and more importantly time which is a precious commodity - but you've got it all in short supply. Here's one way of looking at making the decision of what to build, and what to outsource...


When to Build vs. Buy - Talent, Time, Priorities


When trying to decide what to build vs. buy, there are 3 key things to consider:


1. Does your organization have the in-house talent to handle the activity as an expert?

2. Do your in-house resources have enough time to perform the activity well?

3. Is the activity a business priority?

When thinking through these three questions, it can be daunting to make the decisions necessary to move forward.

 

Expertise (talent) in Information Security is in short supply; this is no secret. We're at nearly full employment across Information Security disciplines, and recruiters have to lure good employees away from their current jobs rather than having resumes come to them.

Finding the right person to fit your organization is proving increasingly difficult, especially when candidates know they have a choice. Being able to choose drives up the cost of talent acquisition, which puts an even bigger squeeze on the SME budget. The typical SME has no more than 6-8 full-time Information Security employees at any given time, not because it doesn't want more, but because more is simply not affordable.

With 6-8 full-timers on staff and a mountain of work to do, you have to pick the things your people are good at, hire for the critical things you're missing, and outsource the rest. The more specialized the work, the more likely you'll be outsourcing it, unless it's a business-critical task.

SCADA systems security is one of the most specialized of the specialized, but you're probably not going to outsource that work if your company makes smart meters... at least I would hope not. In the health care space, if you're making heart monitors that operate over some sort of wireless link, you're going to hire security people who understand security, wireless communications, and purpose-built devices. Yes, those people are extremely rare and you'll pay a premium for them. A software security expert, by contrast, is easier to find, and yet that is the work you'll likely outsource, rather than the business-critical work.

Just because you have 2 people who are software security experts doesn't mean they have the time to handle the 300+ applications in the typical SME. With the rapid release cycles of certain types of code, or the excruciatingly painstaking nature of the work, we'd often need 10x the resources to get the job done. This is a perfect opportunity to outsource at least part of the task to someone who has economies of scale and expertise.

I referred to outsourcing part of the work because certain parts of even commodity activities require someone close to the business, with context, to make appropriate risk decisions. Outsourcing the work that can be automated and is context-agnostic is a great way to gain efficiency and scale without having to acquire more talent... and it can often be much more cost-effective when purchased on an "as needed" basis, or "by the drink" if you prefer.

Lastly, it comes down to priorities. You'll see this theme come up often, and more often than not it really does come down to priorities. Does your organization need a forensics investigator on staff? Probably not... unless you're in a high-risk business and go through that activity often. You probably don't need a full-time security compliance person either, but they're helpful to have around when you have to do those mapping and auditing exercises a few times a year.

Do you really need a staffed Security Operations Center 24x7? Probably not... but it's one of those nice-to-have activities that can be outsourced to someone else, with second-level support brought back to your in-house staff for escalation in a crisis or suspected incident.

Here choosing the right partner is important, because you simply can't trust just anyone who can sit down and stare at blinking lights all day. Additionally, I've seen organizations outsource the execution of change management... and while that may sound dangerous and business-critical, the trick is in the how. It's perfectly natural to want to keep the review and governance part of change management in-house, and I would expect that to be critical, but the actual execution of the tasks... not so much.

In my previous organization a change-management analyst on the security team would review changes and help make architecture/design decisions, and then at the appropriate change windows (usually the middle of the night, and weekends) the changes would be executed by an outsourced contractor who simply took the approved logic, made the appropriate mouse clicks or keyboard inputs to execute the change, and verified the integrity of the change and system sanity afterwards.

If a change went wrong, the person who approved it would be paged from his slumber, but there was no reason for that person to be working 24x7 when a contractor hired only to execute changes would do just fine.

Cross-posted from Following the White Rabbit and infosecisland.com

james.lee@mymediainc.net (James) Security Wed, 23 Jan 2013 22:05:06 -0500