As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.
Topic – Cyber Security Issues related to Outsourcing IT Services
Discuss the cyber security issues associated with outsourcing IT services and how they can be addressed.
From January 27, 2012
When outsourcing IT services, a company is placing access to its network, its intellectual property, or both into the hands of another company. That other entity's primary objective becomes holding onto that contract. All other priorities, be it service quality, data protection, or any other facet of business, are viewed from the perspective of that objective. The secondary objective is protecting its own image, with regard to how that image will affect the establishment of future contracts. Thus, the defense of the outsourcing company's IP or network will be funded only as far as it takes to defend the contractor's own image. As a result, the companies that receive outsourced work create a weak spot in the security posture of the outsourcing entity. An example of this is the low-sophistication attacker Anonymous stealing .mil email addresses and passwords not from DOD but from a company it outsourced to, Booz Allen Hamilton (CBSNews).
The reason that companies with no intrinsic interest in protecting information do not do a good job of protecting it is summed up quite well by Vacca on page 5: “For most organizations, the cost of creating a strong security posture is seen as a necessary evil, similar to purchasing insurance. Organizations don't want to spend the money on it, but the risks of not making the purchase outweigh the costs.” When the data at risk isn't their own, the risks fail to outweigh the cost, so long as enough is spent to support the image of a strong security posture. After all, at the end of the day they win if they still have the contract, but the original company only wins if its network or data is still safe.
Vacca, J. R. (2009). Computer and information security handbook. Burlington, MA: Morgan Kaufmann.
CBSNews. (July 11, 2011). Anonymous at it again: Defense contractor hacked. Retrieved from http://www.cbsnews.com/stories/2011/07/11/scitech/main20078614.shtml