It makes sense to have a solid collection of security expertise within your organisation. And in fact most of us do: security is so core to most of what we do in IT that it’s a standard part of the syllabus for all the courses we do on, say, router configuration or Windows administration. These courses always have security …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Wednesday 23rd August 2017 09:03 GMT Anonymous Coward

Go for it!

I would definitely advise you to outsource your security expertise, preferably to one of the big consultancies. Even better if they're off-shore in a 'low cost' environment. Needless to say I wouldn't dream of doing such an idiotic thing, it'd be utter madness; but you're probably my competitors - so go for it!

9 0
1. Wednesday 23rd August 2017 22:59 GMT Daggerchild
  
  Re: Go for it!
  
  As a probable competitor I can assure you, we are doing just that.
  
  I believe I will be training my foreign replacement soon. Heh. Fine. I think 15 years of trying to save someone from themselves is enough of my life wasted.
  
  1 0
Wednesday 23rd August 2017 09:26 GMT Anonymous Coward

Invulnerable!

The FTSE100 company I work for has an Office 365 subscription Secure Score of 11. One securer, right?

1 1
1. Wednesday 23rd August 2017 10:42 GMT Anonymous Coward
  
  Re: Invulnerable!
  
  Secure Score of 11??? Out of what? 10,000,000 perhaps?
  
  Who says it is secure even if it is 11 out of 10? MS themselves?
  
  Snake oil salesmen abound in the IT Industry. Beware any that promise anything that you can't achieve yourself internally. These so called 'experts' are just beefed up car dealers in the Arthur Daley mould IMHO.
  
  Why do I say that?
  
  Well, I've worked with more than a few over the years. I got fired from one job after telling the boss what sort of porkies was being promised to the customers. I got the last laugh as the company went belly up a few months later. But, it taught me a lesson. Not sure what but I never went down the promise the earth road again.
  
  AC because some of those shysters are still in the business.
  
  2 1
Wednesday 23rd August 2017 11:16 GMT amanfromMars 1

THE BOTTOM LINE IN BOLD PRINT

Nothing is ever secure, forever. Deal with it and accept that all promises of anything else are fraudulent and criminal with fools and their monies being easily parted a major sub-prime element of IT Great Games Play.

3 1
Wednesday 23rd August 2017 11:58 GMT Anonymous Coward

The best way to defend

Is normally to attack. If you can't attack the best way to defend anything is to be there and shoot out. Anything else can fail. Place your trust and security to another and the first thing they will secure is themselves.

It's called having skin in the game, once you're compromised it's too late.

0 0
Wednesday 23rd August 2017 13:44 GMT nickx89

In house crew knows the ground reality

Outsourcing is just a temporary way and an excuse to solve the problem for once. Third party don't understand your business what it does, what are it's requirements, what are it's strength and weaknesses, what resources it lacks. In house crew knows the ground reality and how much water they the ship is in. They'd better tackle the problem once they are trained with the required skills.

0 0
Wednesday 23rd August 2017 16:55 GMT Anonymous Coward

Unless it is the blind leading the blind

"Security" experts, internal or external, need to be vetted by people that really are experts. Are your experts skilled in computer forensics or do they just try to string together log files? Are your experts aware that PS enables attackers to hide all kinds of stuff, and that Win 10 makes forensics even more challenging? Do your experts know how to tune your defenses, and keep them updated? Do you experts know the hows and whys for network design within the scope of security? Do...

In my personal experience, most of those in the corporate world who are referred to as security experts don't even have a toolkit, let alone the knowledge of how to use it. Furthermore, outsourcing to security experts gets you a room of log junkies that flood your internal team with false positives, which eventually get tuned out, which eventually leaves you with a false sense that all is well.

Bottom line, your are screwed regardless if you don't know what you are doing to begin with.

0 0
1. Wednesday 23rd August 2017 17:17 GMT DNTP
  
  Re: Unless it is the blind leading the blind
  
  I have a state license as a private security guard, as well as chemical safety and hazmat shipping certifications. I also formerly worked in general IT. This does not make me an IT security expert no matter how much my employer would like to be able to not pay other people to do this.
  
  0 0
Wednesday 23rd August 2017 18:43 GMT steelpillow

Whuh?

Nobody writes their own AV scanners.

Nobody can outsource their responsibility for security.

Somewhere between these two extremes lies your best solution.

Yawn.

1 0
1. Wednesday 23rd August 2017 19:51 GMT Jim Preis
  
  Re: Whuh?
  
  https://yourlogicalfallacyis.com/middle-ground
  
  0 0
Wednesday 23rd August 2017 19:52 GMT Jim Preis

Didn't we have this same argument 10 years ago... "So you're planning on outsourcing some software development".

1 0
1. Wednesday 23rd August 2017 22:48 GMT Anonymous Coward
  
  Didn't we have the same argument......
  
  Didn't we have the same argument 20 years ago... "So you're planning on outsourcing some call centre operations".
  
  0 0
Thursday 24th August 2017 12:43 GMT EnviableOne

Outsourcing is the best way to fill an imediate, infrequent or highly specialised need, insourcing is the best way to fill an ongoing operational need.

If its key to your business, the more control the better, so out-soucing, cloud sourcing or other ways of trying to make it someone else's problem, will always come back and bite you in the ass when something goes wrong

0 0