"We're too busy to do IT security". Really? That's the point. Time to outsource

Let's face it: convincing companies to be proactive and take a holistic approach to web and network security isn't always an easy gig. Many companies "get it"; unfortunately, many more remain in denial. Their response is similar to sticking your fingers in your ears and saying "la-la-la, I can't hear you".

Some objections are pretty standard. For example:

"We haven't budgeted for conducting security analysis, so we are unable to do it." OK - understood. No money to check for potential attack vectors that could cost your business time, money, and effort. I understand; many IT departments are challenged to do more with less these days.

Consider this: have you budgeted for the damage-control campaign when all your customers' financial information ends up in the hands of joe hacker, who in turn resells the information to willing buyers? In this same budget, are there funds set aside for emergency IT work to plug security holes that could have been identified before the attack? Then there is the added chore of reporting to the company's executives that an attack took place, and that it was both foreseeable and preventable.

I'd much rather tell my boss what the problems were than have them learn about it from an angry customer. By knowing what needs to be secured in advance, you can easily plan for the costs of securing your applications, rather than paying in multiples to solve it when a crisis occurs.

Another objection goes:

"We've never had a problem in the past. Why do we need help with IT security? Our website is so small nobody will try to attack us." I'm sure the IT managers at eBay and CIBC raised the same objection before they had some very public problems with web application security.

Waiting for a security incident to happen to justify the investment is just like waiting to buy car insurance AFTER you have an accident. My experience has been that small businesses have a lot to be concerned about. With limited resources, a compromised web application can often operate for weeks undetected, because smaller companies have little monitoring in place. By the time security is discussed, it is more often during a crisis than as part of planning to avoid one.

I think perhaps one of my favourite objections to security assessments has to be the following:

"My staff and I are so busy, we don't have time for IT security scans or testing." Again, lack of resources is not an excuse for lack of planning. Security analysis is a highly specialized discipline, and it is completely unrealistic to expect any day-to-day IT team to manage the depth of analysis a third-party consultant focused in this area could provide, likely for less cost to your business.

Many firms contract and outsource IT services so the work is done on demand, not whenever someone finally 'gets around to it'. The other advantage is that the detailed reporting provided makes your department look like geniuses, both for identifying risks and for obtaining an actionable plan for dealing with them. Let someone else do the work; you take the credit.

"I don't have time to take care of IT security" is the very reason why companies should seriously consider outsourcing this critical part of maintaining their organization's electronic assets. Your web applications and network aren't going to fix themselves.

(Contributed by Emerson Killam, PCIS Web Security Analyst)