Choosing an information security services provider

I've removed advertising from most of this site and will eventually clean up the few pages where it remains.

While not terribly expensive to maintain, this does cost me something. If I don't get enough donations to cover that expense, I will be shutting the site down in early 2020.

If you found something useful today, please consider a small donation.

Some material is very old and may be incorrect today

© December 2006 Michael Desrosiers

2006/12/20 Michael Desrosiers

This month's topic is about what to look for in choosing a information security services provider for your organization.

Choosing an appropriate security service provider is not the easiest of tasks. Handing over the security of your networks, systems and data to someone else seems like a defeatist move or an acknowledgment that the threats are more than your organization can handle. The truth is that tapping into a security service provider might be the best way to protect your company and comply with the litany of corporate and government regulations. As a business, you must know what's on your network or in your systems and must clearly define how the provider is going to help your company meet its security and compliance needs.

A lack of in-house resources and expertise is most often the contributing factor for soliciting an outside consulting firm for these services. In the information security world, it's the high stakes game of what came first, the "chicken or the egg." Most businesses don't feel like they possess the specialized and focused knowledge on their staff, especially with the rapidly growing numbers of issues and exposures that are currently at hand. They need to be concerned about who is trying to do a port scan against their systems or if the network contains ad bots or spy bots trying to communicate to the outside world. The ability to detect and avert downtime is crucial to any organization, but particularly in today's global economy. Outsourcing security can also save an organization annually, by cutting the cost of hiring full-time staff. Yearly security assessments on the products and services an organization uses is in line with the ISO17799 security framework guidelines and current best business practices. Industry estimates conclude, that it costs about 50% less to outsource this expertise as it would be to hire a security staff and buy the necessary technology.

Before opting to outsource any aspect of your security, a company truly needs to be able to clearly define all access points and data flow into its data infrastructure and to how the service provider will access and protect that information. Security, like any other service, must be managed and that typically costs about 10% of the contract when you factor in the time and effort of your existing IT staff to do it.

There you have it. As your business grows, it is becoming more and more evident that an eye must be kept on the exposures and liabilities that come with this growth and expansion. Security service providers can not only provide the necessary skills needed to protect your assets, but provide flexibility in how they are engaged. One word of advice, do your homework. Have the provider present your business with their firms personnel and professional references and certifications.

To respond to this or previous newsletters or to inquire about an on-site presentation, please feel free to call us at 508-995-4933 or email us at [email protected]

Michael Desrosiers
Founder & Principal Consultant
m3ip, Inc.
We Manage Risk, So You Can Manage Your Business
(O)508-995-4933
(C)774-644-0599
[email protected]
http://www.m3ipinc.com

If you found something useful today, please consider a small donation.

Got something to add? Send me email.

---

Have you tried Searching this site?

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us