eBCVG - The benefits of outsourcing
By Jane Frankland
Whether a company wants to outsource all or part of its security assessment, the financial benefits of doing so are immediate. As security assessments and penetration tests are conducted periodically, organisations can choose whether to carry the staff overheads all year round, make staff cuts or simply allocate the resource elsewhere in the department. Organisations that make staff cuts don’t have to maintain specialist, emerging assessment and testing skills; instead, these are simply bought in. Provided a security assessment supplier is chosen astutely, a company can receive a better return on its IT security investment (ROSI) by being able to identify and resolve vulnerabilities and weaknesses in any of its systems and applications more quickly. For example, in software development, if security assessment is included earlier in the software development lifecycle, an organisation can achieve faster delivery times and produce software that is less prone to vulnerabilities. IBM reported that the cost to fix an error found after product release was 4 to 5 times as much as one uncovered during design, and up to 100 times more than one identified in the design phase. And, irrespective of whether a company is development driven, further cost savings can be realised, as damage to reputation from either compromise or negative publicity can be reduced.
Security policy involves formulating a well-rounded set of policies and procedures to enable an organisation to gain protection of its vital resources and support of its business needs at all levels of its organisation. Through documentation, education and review, an organisation can determine whether the rules governing its procedures, standards and guidelines on its information assets are adequate and being met.
In the case of security policy management, organisations are being encouraged to build security policy and processes into their business models. With guidelines such as BS7799/ISO17799 in place, the external consultant is increasingly relied upon as an independent source of assurance of an organisation’s compliance. The benefits associated with outsourcing in this area of the business include better allocation of resource and greater assurance that risk thresholds are being identified, existing policies are in line with changes to systems, methods of business and IT strategies and also that operational documentation for compliance against appropriate standards (BS7799/ISO17799, DPA, ISO 2001, HIPAA, FSA etc). This in turn ensures greater confidence in terms of business and investment, and can help lower high insurance policies.