So you're planning on outsourcing some enterprise security

It makes sense to have a solid collection of security expertise within your organisation. And in fact most of us do: security is so core to most of what we do in IT that it’s a standard part of the syllabus for all the courses we do on, say, router configuration or Windows administration. These courses always have security …

  1. Anonymous Coward
    Thumb Up

    Go for it!

    I would definitely advise you to outsource your security expertise, preferably to one of the big consultancies. Even better if they're off-shore in a 'low cost' environment. Needless to say I wouldn't dream of doing such an idiotic thing, it'd be utter madness; but you're probably my competitors - so go for it!

    1. Daggerchild Silver badge
      Coat

      Re: Go for it!

      As a probable competitor I can assure you, we are doing just that.

      I believe I will be training my foreign replacement soon. Heh. Fine. I think 15 years of trying to save someone from themselves is enough of my life wasted.

  2. Anonymous Coward
    Facepalm

    Invulnerable!

    The FTSE100 company I work for has an Office 365 subscription Secure Score of 11. One securer, right?

    1. Anonymous Coward

      Re: Invulnerable!

      Secure Score of 11??? Out of what? 10,000,000 perhaps?

      Who says it is secure even if it is 11 out of 10? MS themselves?

      Snake oil salesmen abound in the IT Industry. Beware any that promise anything that you can't achieve yourself internally. These so-called 'experts' are just beefed up car dealers in the Arthur Daley mould IMHO.

      Why do I say that?

      Well, I've worked with more than a few over the years. I got fired from one job after telling the boss what sort of porkies were being promised to the customers. I got the last laugh as the company went belly up a few months later. But, it taught me a lesson. Not sure what but I never went down the promise-the-earth road again.

      AC because some of those shysters are still in the business.

  3. amanfromMars 1 Silver badge

    THE BOTTOM LINE IN BOLD PRINT

    Nothing is ever secure, forever. Deal with it and accept that all promises of anything else are fraudulent and criminal with fools and their monies being easily parted a major sub-prime element of IT Great Games Play.

  4. Anonymous Coward

    The best way to defend

    Is normally to attack. If you can't attack the best way to defend anything is to be there and shoot out. Anything else can fail. Place your trust and security to another and the first thing they will secure is themselves.

    It's called having skin in the game, once you're compromised it's too late.

  5. nickx89

    In house crew knows the ground reality

    Outsourcing is just a temporary way and an excuse to solve the problem for once. A third party doesn't understand your business: what it does, what its requirements are, what its strengths and weaknesses are, what resources it lacks. The in-house crew knows the ground reality and how much water the ship is in. They'd better tackle the problem once they are trained with the required skills.

  6. Anonymous Coward

    Unless it is the blind leading the blind

    "Security" experts, internal or external, need to be vetted by people that really are experts. Are your experts skilled in computer forensics or do they just try to string together log files? Are your experts aware that PS enables attackers to hide all kinds of stuff, and that Win 10 makes forensics even more challenging? Do your experts know how to tune your defenses, and keep them updated? Do your experts know the hows and whys for network design within the scope of security? Do...

    In my personal experience, most of those in the corporate world who are referred to as security experts don't even have a toolkit, let alone the knowledge of how to use it. Furthermore, outsourcing to security experts gets you a room of log junkies that flood your internal team with false positives, which eventually get tuned out, which eventually leaves you with a false sense that all is well.

    Bottom line, you are screwed regardless if you don't know what you are doing to begin with.

    1. DNTP

      Re: Unless it is the blind leading the blind

      I have a state license as a private security guard, as well as chemical safety and hazmat shipping certifications. I also formerly worked in general IT. This does not make me an IT security expert no matter how much my employer would like to be able to not pay other people to do this.

  7. steelpillow Silver badge
    Thumb Down

    Whuh?

    Nobody writes their own AV scanners.

    Nobody can outsource their responsibility for security.

    Somewhere between these two extremes lies your best solution.

    Yawn.

    1. Jim Preis

      Re: Whuh?

      https://yourlogicalfallacyis.com/middle-ground

  8. Jim Preis

    Didn't we have this same argument 10 years ago... "So you're planning on outsourcing some software development".

    1. Anonymous Coward

      Didn't we have the same argument......

      Didn't we have the same argument 20 years ago... "So you're planning on outsourcing some call centre operations".

  9. EnviableOne Bronze badge

    Outsourcing is the best way to fill an immediate, infrequent or highly specialised need; insourcing is the best way to fill an ongoing operational need.

    If it's key to your business, the more control the better, so outsourcing, cloud sourcing or other ways of trying to make it someone else's problem will always come back and bite you in the ass when something goes wrong.
