Business growth in today's e-enabled environment is seriously jeopardised if enterprises do not take appropriate action to secure their information and communication infrastructures, says Sean Reuben, Computer Sciences Corporation country manager for Global Security Solutions (GSS) in South Africa.
The increased mobility of the workforce accessing the corporate network via a variety of external devices and connectivity media, coupled with the need to give some access to suppliers and customers while protecting the integrity of the business information and managing privacy issues, all contribute to the complexity of corporate security.
"Companies face numerous security threats and are finding it increasingly difficult to keep pace with these," says Reuben. "On the technology front, the blended nature and complexity of attacks, including worms and scripted tools, means the technical threat to business operations is increasing.
"The 'window of vulnerability', or the period between the identification of a network or operating system vulnerability and an attack, is shrinking at a rapid rate. This means that companies have a dilemma between sustaining a fortress mentality - that cannot survive the demands of a modern, collaborative business model - or investing more effort and money in protecting their vulnerable business operations."
Reuben says that the high level of skills and expertise needed to achieve effective security is the main reason companies turn to some form of outsourcing solution. Many also realise that security is not a core function of their business and it can best be managed by external specialists. Contrary to the traditional model, seldom is the reduction of costs cited by companies as a reason to outsource security services.
Complying with and managing new legislative and corporate governance requirements is also driving companies to consider outsourcing risk management to specialist service providers.
"It is important to realise that information security consists of multiple activities. The strategic ones are best left in-house and the tactical ones can more effectively be outsourced," adds Reuben.
Basic security outsourcing, he says, is usually product related and includes firewall management, anti-virus management, anti-spam management, intrusion detection systems (IDS) and intrusion prevention systems (IPS).
"Often these are point solutions dropped into the infrastructure by product vendors or their value-added resellers who then have little, if any, further involvement in the security management process."
Security management, on the other hand, aims to provide end-to-end service management by skilled specialist staff and encompasses a wide range of overlapping disciplines such as network security, identity management, information risk management and confidentiality services.
Network security includes firewalls, IDS, IPS, anti-virus management, security patch management and network port lockdown.
Identity management includes user account provisioning, password management, role-based access control, and strong authentication, such as two-factor tokens or biometrics.
Information risk management embraces risk assessment and risk management programmes, security policy consulting, assurance in the form of regular risk reporting, certification and accreditation of processes and applications, and vulnerability assessment and penetration testing.
A key component of security service management is confidentiality services. These include data privacy policies and architectures, virtual private networks (VPN), public key infrastructure (PKI), digital rights management and secure data services.
"For corporates that see information security as a strategic necessity, it is wise to look for a service provider that offers a process management service rather than a box-dropping service. Linking security processes to business processes is the trend for these corporates, who also want a clear ROI on their security investment."
Reuben says that four criteria are important when choosing a security service provider: trust, quality of staff, breadth of service and avoiding conflicts of interest.
"It is important to check the provider's track record and financial strength and viability by verifying their professional references and visiting their client sites and discussing their service level performance with these clients."
As security technology changes constantly, providers' staff need to be well qualified and there should be a programme in place for constant skills upgrading. In determining the mix of skills required, there needs to be a balance between highly paid skilled staff and those performing basic maintenance tasks.
When it comes to breadth of service, the provider must not only be able to provide the basic services the enterprise wants, but should also have skills in integrating point solutions from different vendors so as not to aggravate management overheads.
Critically, he says, it is important to avoid conflicts of interest, but where this becomes impractical and costly, the customer-retained management group needs to have closer oversight of the service provider's activities.
Managing whether an outsourced security service provider is delivering to expectations depends on measuring and monitoring on three levels - service criteria, security metrics and business metrics. These should be clearly stipulated in the service level agreements at the start of the contract implementation, but should be open to negotiation and update to reflect changing business requirements.
CSC offers the South African market a wide range of services, including systems integration, application and infrastructure outsourcing, and business process outsourcing, as well as customer relationship management (CRM) and healthcare and financial services solutions.
In South Africa, CSC also provides Business Process Outsourcing (BPO) services to manage the policy processing and administration for its U.S. and UK financial services customers, which include life and pensions providers, short-term insurance and banking. By combining international best practices with local expertise and knowledge, CSC is one of the fastest growing information technology (IT) companies in South Africa.
A leading IT services provider, CSC adds value through its collaborative approach to delivering fast, reliable and flexible solutions. CSC opened its doors in South Africa in November 1999 and today has offices in Johannesburg, Cape Town and Richards Bay. It is continuing to expand rapidly in South Africa and is extending its services to the rest of Africa. For more information, contact 021 529 6500 or 011 686 5400.
CSC
Founded in 1959, Computer Sciences Corporation is a leading global IT services company. CSC's mission is to provide customers in industry and government with solutions crafted to meet their specific challenges and enable them to profit from the advanced use of technology.
With approximately 90,000 employees, CSC provides innovative solutions for customers around the world by applying leading technologies and CSC's own advanced capabilities. These include systems design and integration; IT and business process outsourcing; applications software development; Web and application hosting; and management consulting. Headquartered in El Segundo, Calif., CSC reported revenue of $14.9 billion for the 12 months ended July 2, 2004. For more information, visit the company's Web site at www.csc.com.