Ed Welsh, Director, Security & Compliance

Leaving Security Management to the Experts

Posted by Ed Welsh, Director, Security & Compliance on September 18, 2009 11:39 AM

Engaging a third party to manage the controls, monitoring, and maintenance that secure a company's most important data assets can seem counter to the security of that data. I would venture that the opposite is actually true.

The employees a company hires are typically selected and trained for productive abilities that have little to do with securing data. Even in IT, technicians are judged first on their technology know-how and project experience, while security knowledge is either not considered or expected to be gained after hire, if at all.

Employees are selected and rewarded based on a "productive mindset": achieving goals by the quickest and most effective method available, especially when teams are small and bringing innovative products to market quickly is the main goal. This mindset tends to disregard, or at least fail to account for, security and compliance measures. Teaching and instilling the practices required to obtain a "security mindset" takes time and resources, which are rarely available or quickly obtained. For example, a productivity-based team can successfully bring an online product and e-store to market quickly, but would it also manage regular server updates and a web application firewall to protect the underlying systems? Probably not, and understandably so: it is not their expertise. Anyone who has spent time in IT security consulting can confirm that a poorly executed or non-existent security program is as close as the nearest business.

Because of these issues, engaging an external data security management service becomes a responsible business management decision. Handing the various security controls, audits, monitoring and patching to people trained for the purpose and with a "security mindset" allows companies to concentrate their talent where it is needed: building better products. And when the company is innovative, requiring agile thinkers using fast development models, taking advantage of the built-in security practices provided by a managed data security provider allows it to maximize the positive aspects of that model while reducing the security risks imposed by it.

Further Reading

Security in a Reputation Economy - Bruce Schneier

Posted in: Security & PCI
