Skills shortages in information security disciplines, critical to managing business security, pose a threat to South African organisations.

The result is that business and government could end up employing inadequately skilled resources that offer short-term or tactical solutions to security issues, leaving company systems vulnerable to cybercrime.

Drew van Vuuren, CEO of information security and privacy practice 4Di Privaca, says the risks of employing security service providers that are not up to the task are almost incalculable. The most devastating of these include the compromise of business information systems, or the loss or even theft of valuable data, which may then be sold on or exposed to the world with nefarious intent.

The business impact could be so severe that some businesses may cease to operate, with the loss measured not only on the bottom line but also in the lost confidence of their customers and partners.

“Historically, information security is an afterthought – something that doesn’t even bear consideration when designing or delivering key information infrastructures in modern western economies,” Van Vuuren says.

He also cautions against assuming that “big names” automatically guarantee the required level of specialist skills and experience.

“For many large entities, their main business is generally mainstream information technology services, with their security business being a minor service line. Even the larger multinational firms that do business in South Africa face the same challenges when attempting to resource specific customer engagements due to the paucity of local skills.”

Meanwhile, some organisations opt for internal security teams over external suppliers. But the case for using external specialists is undeniably strong, especially where the business security requirement is driven by a broader company audit or by industry regulation such as the Protection of Personal Information Act (POPI), or where it is linked to a legal process.

For some organisations, an assessment may also uncover serious security failures, and a frank analysis of the findings is easier to obtain from an independent, purely objective supplier.

External providers also monitor underground boards, chat rooms and unconferences (participant-driven, free events) where zero-day vulnerabilities, exploits and stolen data are typically exchanged. For most companies, staff engaging in these activities on company time and equipment would breach security and ethics policies.

“Information security is unquestionably one of the fastest-evolving global industries, and in order to stay current and be informed on the latest vulnerabilities and hacker techniques, for example, experts must regularly attend international security conferences, none of which are held in South Africa,” says Van Vuuren.

He adds that by using external information security specialists, companies offload the expense of sending their own staff to these conferences.