I recently read an interesting article by Ilya Bogorad of Bizvortex Consulting, written for Tech Republic earlier this year, in which Bogorad makes the point that IT departments are often limited by principles held high up in the organisation (i.e. non-technologists making technology decisions that don’t work), or by not having the resource or specialist skills in-house to do everything that the organisation needs.
So much of what a business does now is underpinned by IT of one sort or another that it would require most businesses to double the size of their workforce if they were to retain an expert in every area.
The job of an IT department has shifted significantly in the last few years. IT is widely seen as a strategic, not a tactical, function of the business.
The job of the IT team is to set and implement an IT strategy to meet a business need, rather than developing the tactical technology to support the business need – which, more and more, is left to specialist experts.
Nowhere have we seen this more than in security.
There was a time when it was considered enough to put a firewall in, decide which major AV company to go for (probably based on cost alone), and then let security run itself.
Fast forward a few years - through some high-profile security breaches; a whole range of compliance legislation; an army of sophisticated hackers, spammers, phishers, and other scammers; and the advent of ‘Web 2.0’ with its social media, mobile Internet, and ‘always on’ connectivity - and the security landscape looks very different.
We’re finding that, increasingly, companies are opting to outsource their security.
Not just to solve a resource issue, or as a cost-saving measure (as with the early days of outsourcing offshore), but because it isn’t the job of the IT department any more to have the level of specialist knowledge required.
Their role is more strategic than tactical.
Technology decisions shouldn’t be taken by non-technology personnel; instead, the decision process should look like this:
1. Business unit head (CXO) sets business priorities to meet company strategy and objectives
2. Head of IT sets IT strategy and objectives; sets priorities and makes appropriate IT decisions to support business requirements
3. Specialist technology teams implement the necessary technology to deliver the systems required, including how to secure them
4. IT department supports the business use of that technology
It is at point 3, above, that outsourced experts come in – brought in as part of a strategic process, but working with the teams who will support the business day-to-day.
The advantage of an outsider, in my view, is that they’ll have a wide view of what’s possible and will have experienced what needs to be done in countless other companies (and so can effectively advise with the benefit of hindsight).
They will also be aware of the impact of the latest technologies and platforms, understand where the newest security threats come from, and know where to look for system and network vulnerabilities (and how to fix them).
But most importantly, a security expert in a managed service company will take responsibility for the proper implementation and operation of the defences.
The company’s IT team should not be dealing with the minutiae of the operation, like downloading the latest patch, or setting a firewall rule.
That really isn’t what they are paid for.
By delegating those tactical tasks they can focus on the strategic planning that drives the business and makes the IT department a business benefit that generates profit, not just a business overhead.
Simon Heron has over 19 years’ experience in the IT industry, including nine years’ experience in Internet security. During this time he has developed and designed technologies ranging from firewalls and anti-virus to LANs and WANs. Simon has an MSc (attained with Distinction) in Microprocessor Technology and Applications and a BSc (Hons) in Naval Architecture and Shipbuilding, and is a CISSP (Certified Information Systems Security Professional). Prior to Net Caboose, Simon co-founded Network Box Corporation (UK) Ltd and was Managing Director, finally merging this franchise with the parent company in 2006. Before Network Box, Simon co-founded and was Technical Director of Cresco Technologies Ltd, a network design and simulation solution company with customers in the USA, Europe and China. Simon started his security career when he worked for Microsystems Engineering Ltd as a Project Manager, where he implemented network security for the company. Simon began his career as a digital hardware and software engineer, developing pioneering speech recognition technology before moving on to work for the British Antarctic Survey (B.A.S.) as science project leader. While at the B.A.S. he spent two Antarctic winters at the research station Halley in the Antarctic, developing and enhancing graphical technologies in the harshest of conditions. Simon also has a company called Net Caboose, which deals with Identity and Access Management and is also a development house.
Network Box Limited (NBL) is an international managed security services company, specialising in unified threat management (UTM). It continuously defends the networks of its customers using PUSH technology to instantaneously update protection, from 12 Security Operations Centres spread around the globe. NBL’s customers in Asia, Australia, North America and Europe include companies such as BMW, Nintendo and Toyota, as well as banks, utilities companies and government organisations.
* * *
The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com














