A lack of compliance amongst managed service providers (MSPs) in adopting global security standards puts enterprises at risk, warns a security expert.
Australia lags behind in adopting a common security standard that provides a yardstick to measure the security capabilities of an MSP, according to Pete Sandilands, independent security expert and former managing director of security software specialist Checkpoint.
"The point effectively is that all western-based organisations, apart from [Australian enterprises], are working from the same standard definition," he said. "We still need education amongst corporate organisations that there is a definition of good security to run with and use."
"Until now, there has been no real way to measure the quality of an MSP's security, or even its expertise," Sandilands said.
"With the current emphasis on corporate auditing and control there is a desperate need for a security benchmark for managed service providers. At the moment no such benchmark exists."
Security standards, such as the British Standards Institute's BS7799 registration, are used as a benchmark to assess security risks on a business basis. The British benchmark registration defines a security management structure, which Sandilands believes should lie at the heart of any managed security service.
The British benchmark, mandatory for managed data service providers working for the British Government, was recently ratified as international standard ISO7799 and would supersede Australia's ASO4444-1, according to Sandilands.
However, Steve Bittinger, Gartner research director, said Australia doesn't stand out as being non-compliant with these standards.
"If you look across the world there is probably not a huge level of companies that are certified against these standards anywhere," he said.
"We need standards in security. You could say there are more standards than we need. But there is lots and lots more involved than creating a good standard and complying with it," said Bittinger.
"Too strong a focus on standards is not helpful [in security]. Instead focus on how you've organised the enterprise's security across everything."
To this end, Bittinger said, "outsourcing is crucial."
"Security is a complex issue. An enterprise where security isn't the core business is going to find it difficult. Only specialists in security are going to have any hope in dealing with the complex issues in security."
Apart from a slow recognition of a national security standard amongst MSPs, Sandilands said complacency amongst enterprises regarding information security is the biggest hindrance facing the security outsourcing market.
"There's an attitude [amongst businesses] that 'it won't happen to me. Why would anyone attack me? Why should I outsource security?'" said Sandilands.
"Security is an area of specialist knowledge and skills. People with that knowledge are few and far between. For any organisation that is attempting to act on the Internet, how can it do its own security? Most have got no idea. They are going to have to utilise outsourcing in order to have that skill set," he said.
"Most organisations don't even have full IT departments let alone full security staff," he added.
"There's a real view that [information security] is an IT problem, not a corporate problem. You mention security, and they say 'give it to the IT guys. That's their issue.' In reality it's much, much broader than that," he said.
"It is 'information security', not 'information technology security'. That's an important distinction," he said. "Whether it's on a server or in manila folders, information is an asset and it needs protection."