Karn Griffen over at the the Information Security Gurus blog mentions my post about getting out of security management.Â He has a good post today about how we should all be getting out of the front lines when there are so many possibilities with outsourcing.Â He also commented on that same post, where he said the following:
If I can turn on secure networking services, complete with IPS, Virus, Spam filtering, etc. and the company I outsource this to will provide me an SLA that guarantees the service parameters Iâ€™m looking for, why would I bother with a full-time person (or more) to do these things.
While I agree with Karn on this point, the question that comes to my mind is if you can’t convince an exec that security is needed at all, then why would heÂ / she do either?
The big problem is that execs often cannot justify security at all as a cost.Â The ramifications to notÂ spending money on security are still so light.Â Â Much of the legislation out there still does not have teeth.Â The media is getting tired of printing stories about this stuff because readers are tired of it.Â Some non-governmental regs like PCI are starting to get somewhere, but that is not anywhere close to where it needs to be.
So unless you can convince your execs that security is needed, they ain’t gonna spend money on it, no matter if you outsource or insource it.Â
But let’s play devil’s advocate here and assume that all exec’s get smart and buy off on security.Â Then, the SMB exec’s get even smarter and see Karn’s point that they can outsource.Â Where does that leave guys like me getting out of operations and trying to sell security?Â Should IÂ be selling to SMB’s now when I know they would be better served by outsourcing?Â Â Do I sell to MSSP’s?Â Better yet, do I have to start working for MSSP’s, sitting in a chair watching packets go by?Â Do I lose even that job to ever-more sophisticated UTMs / IPSs / heuristic filters that can figure this stuff out better than I can?Â Does the UTM take over for those MSSPs where there are only 2 or 3 viable options for them to filter traffic for their clients, essentially killing much of the security market?Â Â Are the enterprise-type clients enough to hold up the market?Â Does the technology get so good that even enterprise clients can use it?Â Does my job just go POOF in 5 – 10 years?Â AAAAAAAHHHHHHHHH!!!!!!!!!!!
Karn, you are on to something, but I’m not sure it’s good.Â But good or not, is it inevitable?