Until three years ago, CIO Chris Holbert of North American Scientific Inc. felt information security assessments were something he could take care of himself.
But then the 210-person, Chatsworth, Calif., maker of medical equipment hired its own sales force, which needed access to sensitive customer and product information. The company grew in size and complexity. Holbert no longer had the time to assess every aspect of his security at once.
In came outsourcer Avnet Enterprise Solutions in Tempe, Ariz., which provides Holbert with a "point-in-time snapshot" of his security status every 12 months, or any time changes in the business or his IT infrastructure call for it.
Consider an Outside Assessment If:
- Your staff lacks the time or skill to do thorough, annual security reviews.
- You need an objective security evaluation for regulatory or budget reasons.
- Your business could be crippled by the disclosure of sensitive information.
The outside firm brings expertise and objectivity that's difficult to find in-house. "So much changes so often, whether it's in application development, network connectivity, wide-area networking, security architectures and approaches, [that] if it wasn't somebody's job to know all of that, there's no way they would know if they're secure," Holbert says.
Holbert is typical of midmarket CIOs who look to outsiders when it's time to evaluate the security of their information systems, ranging from networks to servers to client PCs and databases. An outsourced assessment can take as long as a month and cost $30,000 or more. Holbert, for example, spends between 6% and 10% of his security budget, and about 1% to 2% of his overall IT budget, on such assessments. So clearly, they aren't for everyone.
But they are worthwhile at least once a year, proponents say, when a midmarket company lacks the time or skill to do them internally; when major changes may have created new risks; when external regulations require them; or when political or budget pressures call for an outside expert to prove the state of your security.
"If you've never done one, you need to do one," says Laura Koetzle, an analyst at Forrester Research Inc. in Cambridge, Mass. "If it's been more than a year since you've done one, you sure as heck need to do one. In the last five months, if you've grown by more than 50%, you need to step back" and assess whether your security has kept pace.
At North American Scientific, Holbert learned that his security hadn't kept pace. His first two assessments showed that, despite efforts to improve, the company still wasn't doing patch management correctly. One assessment also showed that he needed to segment his network into virtual LANs, both to improve application performance and to protect the systems on which software developers work.
This was first published in March 2005