Predictions are that the IT security situation in Canada will worsen
‘Canadian companies are over-confident and lax when it comes to their IT security. Business leaders aren't taking it seriously and IT leaders aren't providing best practices.’ This is a recent stunning comment from Vito Mabrucco, who is responsible for managing IDC's U.S.-based global consulting. In an uncertain world, there is bound to be an unexpected event or failure that will bring security back to ‘top-of-mind’ status for IT and business executives in 2008. I predict a sudden surge in the growth of managed security services, because the security function can now be outsourced. IDC also sees this potential for growth. (Source: http://www.itbusiness.ca/it/client/en/home/News.asp?id=46737&PageMem=2)
Why this hesitancy to evolve security strategy? Why are business leaders not taking security seriously? In Canada, legislation has not yet mandated security as a governance issue, except obliquely through privacy legislation. The same holds true in the US. We have Bill C-198 that has legislated reporting compliance for the private sector and has set the tone for quasi-public organizations in reporting, operational, and financial controls. These rules (except for privacy legislation and some security policies) do not apply to the public sector.
Leaders have not woken up to the fact that their organizations use their systems as the backbone for these reporting and control processes. Any major breach of, or damage to, their IT operations will taint the integrity of their organizations. Many ill-informed executives are building walls around their organizations as an afterthought rather than building security into all of their procedures, databases and processing.
Should security be outsourced if it is not properly done in house, or if senior management lacks confidence in IT? The answer is yes! Boards of Directors, Executives, IT leaders and auditors must assess the competence of their teams to be absolutely sure they are effectively managing a rapidly changing landscape of IT security. If they cannot afford, or do not have, a team that can protect them, they need to go outside and hire some real talent to manage their IT security. Managed security service providers are a real answer.
What criteria should be used to select a managed security provider?
- Does the IT security managed services vendor understand your business and all its risks?
- Are they ‘on top of their game’ to proactively protect and manage your environment?
- Are they cost effective?
- Can they work with your executives and team?
- Do they have offerings that will fit into all of your environments and be proactive in averting all reasonable threats?
- Do they have a good range of products and services?
- Can they communicate well on what they are doing and what countermeasures they are taking?
- Can they lead you and your organization through the transitions and changes needed to make this effective, not just around your systems and processes, but by embedding proper security in all that you and your organization do?
- What are their best practices for the security domain?
- How are they evolving on a day-to-day basis to protect the information assets of their client organizations?
Who are the up-and-coming managed security providers? The telecommunications carriers are now offering good managed IT security services. The field includes telecommunications companies such as Bell, Telus and Allstream; SIs, ISPs and ASPs; security software companies such as CA, Symantec, HP, IBM and Cisco; the big 4; offshore providers; and specialty IT security firms.
IT security is a high-stakes game. Zero-day threats require immediate action, and there must be constant monitoring of the external and internal environments to be sure there are no intrusions. It is now a fact that we have to manage our information assets like ‘Fort Knox’. If it is not done properly you could suffer huge operational, reputational and financial losses.