
Don't pass the buck for IT security

17 Feb 2010 12:00 AM | Anonymous

It's no secret that today's cybercriminals are far more sophisticated than they were just a few years ago.

Instead of labouring away in loose affiliations of code-obsessed hackers, they're key lynchpins in well-funded, highly organised crime gangs. They want to get their hands on your organisation's customer data, not just deface its website. And their motivation? Well, it's not just prestige and notoriety within the hacking fraternity that they're after; it's good, old-fashioned financial gain.

The name that Albert Gonzalez gave to his plan to steal data from the computers of major US retailers says it all: Operation Get Rich or Die Tryin'.

By the time the law finally caught up with Gonzalez, he and his co-conspirators had netted the details of some 170 million individual credit cards, lifting them off systems owned by a host of brand names well-known to US shoppers, including TJ Maxx, Barnes and Noble and OfficeMax.

So I was interested to see predictions from respected IT market research company Forrester Research last week that 2010 could be the year for IT security outsourcing.

But as the report, entitled Twelve Recommendations for your 2010 Information Security Strategy, points out, IT security is an area that few companies will be comfortable outsourcing in its entirety. Instead, say Forrester analysts, they'll be looking for a 'co-sourcing' approach.

There are clear reasons for that. "Some companies employ outsourcing vendors because they want to wipe their hands clean of regulatory compliance or hand over a messy environment in the hopes that the outsourcer will be able to fix it," the report observes. "Those are obviously the wrong reasons to outsource."

"First, even if you outsource security, you're still accountable for the protection of that data," it continues. "Second, if you have a messy environment, the outsourcer does not have any incentive to fix it -- and the nightmare of managing that environment will be worse if a third party gets involved."

And, when it comes to IT security, the price of failure is often too high to pay. If my credit card details are stolen from a retailer's servers, I'm going to blame the retailer, not its outsourcing partner. The brand damage will be theirs, whomsoever they choose to point the finger at. Organisations can't pass the buck for IT security. Understanding and addressing any existing security issues is surely a pre-requisite for outsourcing IT.
