Outsourcing information security

3:03am EDT August 30, 2006
Companies face an ever-increasing need for information security. Today's businesses must protect their customers' information, ensure confidentiality, and still process information to conduct business. Hackers, lost or stolen data, and the use of a company's systems for illicit activities have become concerns for small and large businesses alike.

The privilege of having access to electronic communications systems (the Internet, bulletin boards, e-mail) also carries responsibilities. Abuse of those responsibilities can have far-reaching business implications — not to mention the legal complications that can easily arise.

With companies like Marriott Vacation Club, ABN Amro and the U.S. Department of Justice struggling with how to protect information, what can your business do?

“We advise companies on how to have reliable information systems,” says Catherine Bruder, CPA, CISA, CISM, MSPA and director at Doeren Mayhew. “We help them with ways to ensure the availability, security, integrity and maintainability of their information systems, and help them identify cost-effective ways to address their information system business risks.”

Many companies have turned to outsourcing for information security. Managed security service providers relieve some of the burden of protecting sensitive data. They can manage devices, events and even data backup to protect a business from break-ins and/or service disruptions.

Smart Business spoke with Bruder about outsourcing information security services.

Do managed security service providers relieve businesses of securing their information systems?
No. They provide the business with shared resources, experts in assessing the business's risks and in monitoring those risks. The business must retain responsibility for establishing company security policies, training employees on security practices and, most importantly, a strong security 'tone at the top.'

What is the greatest advantage of using a managed security service?
First, the number of qualified information security personnel is limited and, therefore, their prices continue to rise. Salaries for these individuals are often $75,000 or more.

Second, information systems require 24/7 security monitoring. This requires a company to hire more than one professional to monitor systems. Managed security service providers are able to monitor multiple companies simultaneously, thereby spreading the cost of the service across multiple clients. Outsourcing is usually less expensive for a company than hiring internal information security professionals to monitor and manage the company’s information assets 24/7.

Third, information technology security involves many different system skills. Typically, individuals will specialize in a specific IT discipline such as Cisco or Microsoft products, or they will focus on firewalls or routers, but usually will not cover all areas. The managed security service provider has the ability to acquire and retain experts in the different aspects of information security and share them across their client base. This enables the client to have experts when they need them but only pay for them on a fractional basis, thus providing the company with more expertise at a lesser cost.

How should a company begin evaluating the need for a managed security service provider?
Start with a security audit that can accurately assess your company’s information security risks. With this information, you will be able to determine what type of security practices you need to develop internally and which areas you should outsource. Information from the security audit will also help establish guidelines for a service-level agreement between your company and the managed security service provider.

What should a company consider when evaluating outsource providers?
Written service-level agreements. Because many companies resist the technical jargon involved in these service-level agreements, they do not always receive the service they desire or were expecting. The specific characteristics and attributes of the agreement along with operational security practices of the provider should be understood before entering into the agreement.

Because your managed security service provider will have access to sensitive customer information as well as confidential company information, it is important that the company you choose is a trusted partner. Signed confidentiality agreements as part of the contract also help to mitigate the risk.

CATHERINE BRUDER is a Certified Public Accountant, Certified Information Systems Auditor, and director of Doeren Mayhew, a regional accounting firm in Troy, Mich. Doeren Mayhew provides a wide range of professional services to middle-market companies. Reach Bruder at bruder@doeren.com or (248) 244-3295.