November 07, 2005

Tired of the Brinks analogy

I keep seeing the same analogy again and again in the security press. Mostly it goes like this: "It's good to outsource your information security; your burglar alarm uses a monitoring service, right?" The most recent one I came across was this one - and it's the same tired metaphor. This time, it's David Beesley (huge picture of his head found here) from Network Defence (an outsourcing provider) telling us that "outsourcing your network security is as easy as outsourcing your office security." The truth, though, is that they are not the same. Here's why:

The dynamics of "office security" (physical security) change according to locality; meaning, once you wire a facility for burglary, fire, and ingress/egress monitoring - that's it. You don't have to go back in and rewire the alarm system until the facility changes in some way. And how often do facilities change? Once a decade? Twice? Even if you swapped facilities every year, it's still pretty infrequent. But, as we all know, information security has nothing to do with locality - instead, it's tied to business process, personnel, and technology. Now, how often do you change any of those? Once a year? Twice a year? Not likely; it's far more often than that. We have to apply patches, we have to keep training up with staff turnover, we might want to change our business processes for better efficiency... In fact, the infosec landscape changes to some degree every day, and a monitoring arrangement that was correct yesterday can be wrong today.

No - unfortunately the only thing "network security" has in common with "office security" is the fact that they happen to have a similar spelling. "Lead guitar" and "lead pipe" have similar spelling; are they the same?

Posted by Ed at November 7, 2005 11:56 AM