IT security - a specialised skill, not for the novice
By Dries Morris, Operations Director at specialist IT security company, Securicom.
The complexities and continuous evolvement of IT security threats have made managing them a specialist field. Nobody without the necessary experience, technical skills or understanding of trends can adequately manage the threats facing companies today. Companies can't expect anyone without the know-how to do it. So says Dries Morris, Operations Director at specialist IT security company, Securicom.
“Companies are coming terribly short, falling prey to all manner of IT security-related threats because they are not up to speed on emerging trends and don't have the technologies or resources in place to protect their networks and critical business information.
“The deployment and management of appropriate solutions, as well as managing and resolving threats, requires specialised skills. As with other specialised functions, IT security, in the absence of appropriately-skilled people in-house, should be outsourced to an expert third party,” he says.
Morris says that to put up effective resistance against internal and external threats, companies nowadays must rely on a plethora of security systems, each one focused on identifying and stopping certain threats.
He believes that none of these systems should ever be left unmonitored and says staying on top of the status and events on security systems is a full-time job. When that job is done part-time and half-heartedly by someone whose core function is something else, IT security systems, no matter how expensive or best of breed, will be ineffective.
This leaves the business open to risks extending from reputational damage and theft of intellectual capital, right through to financial losses and legal action arising from non-compliance with legislation.
Unfortunately, a lot of companies don't understand the risks, or how high the costs can be until it actually happens to them,” says Morris, adding that 70% of the South African companies surveyed by a top security software vendor in 2011 had experienced cyber attacks in the past year. Ninety-eight percent of the survey respondents reported losses from such incidents. The top three losses were downtime, theft of intellectual property and theft of corporate data.
“When you understand how complex the field of cyber security is, and how high the stakes are, you understand that leaving this function to someone who is not properly qualified is a terrible strategy.”
Morris says the trend towards outsourcing IT security has bourgeoned dramatically in the past five years, as companies come to terms with the fact that they aren't equipped to keep pace with how quickly threats evolve and how sophisticated the modes of attack are. However, he says some companies are still hesitant to adopt an outsourced strategy and would rather keep the management of their infrastructure and data in-house.
“Not ideal when you consider that about 90% of IT security breaches occur from within the business, either intentionally or unintentionally,” says Morris, adding that outsourcing has a number of benefits.
Outsourcing IT security to specialist consultants allows companies to tap into the skills of a team of experts whose business it is to stay ahead of security threats and trends. Managed services typically have a lower cost of ownership and ensure that IT security costs are predictable.
“A lot of the companies we work with report that our solutions promote their internal team's career development. It might seem counterintuitive at first, but managed security services present a number of opportunities for internal IT staff because employees previously engaged in maintenance activities can transition to more strategic functions instead of working to keep the lights on.
“Though difficult to quantify, changes in staff priorities often matter more than simple 'bean counter' savings. The effects and dividends become clear as time marches on, and as the organisation becomes smarter and more agile.”