An ideal external supplier will have sufficient resources to allow one-stop shopping in both technical expertise and geographic availability assigned to major areas of the corporate organizations operations (e.g., if most new business will be in Asia an external consulting source located only in the midwest U.S. will likely result in very high travel costs and probably not be as desirable as a larger organization with local/indigenous staff that can provide local response both in language and in a culturally appropriate form. Expertise and willingness to forgo predatory pricing in favor of a long-term relationship and a broad scope of services designed to supplement the corporate regular staff is also a highly desirable characteristic.
A project focus and the creation of high-impact deliverables must be the principal contribution of the supplemental external consultants. This approach makes obtaining resources more credible. A relatively small regular IPS staff can be effective even in the era of rapid business and technical evolution by carefully managing a cadre of external consultants assigned to key projects.
External assets to leverage also include the following:
- External audit company All publicly traded U.S. firms are required to have their financial state evaluated by a CPA/accounting firm. Its possible to use them to both provide supplemental staff for specific reviews as well as to communicate the need and benefit of controls to the organizations management in areas of significant exposure.
- The FBI or the national equivalent These have limited capability to reach out to the respective business organizations. However, law enforcement staff are very effective as a high impact awareness tool. They can often provide either published documentation or actual briefings to executives on the nature of computer crimes and other threats to the organizations proprietary information. They should be listed on the risk matrix with primary responsibility for economic espionage directed against the organizations trade secrets.
- National computer emergency response team (CERT) Many countries have established their own computer emergency response teams which are valuable allies for the corporate information protection manager in the battle to manage risk. Their statistical data provide the basis for assessing actual events and the methods used by intruders against others. Its easy to use their data, but leverage of their staff is very unlikely. Even if they wanted to, most are severely understaffed even for their primary role of documenting and reporting to the community the latest trends and methods employed by intruders. Dont expect them to resolve cases of intrusions, thats up to the organizations VPT.
- Peer contacts These should never be underestimated. The information security community is relatively small; the largest organizations have only thousands of members (ISSA, ISACA, CSI, etc.). Take a note from the computer criminals in the underground: they use all available means to share expertise in defeating control and security measures. The information security professionals need to share hard-won expertise with their peers. This is especially easy if one develops contacts in different and noncompeting industries, (e.g., banking and aerospace or financial services and manufacturing). Once a level of personal trust is established between the contacts, they can freely discuss incidents and mutual or common problems of technology.
- Professional organizations These are the key to broadly sharing the collective knowledge of the profession about the opposition. The best advice is to get active and share! Local, regional, and national association meetings, such as these sponsored by ISSA and ISACA, provide outstanding forums for developing a personal network of contacts. An inexpensive way to start is to attend local chapter meetings of relevant professional associations. Make this a defined component of your information protection strategy reach out and matrix another organizations experts for your problems, then return the favor!
Other Sources
University students (undergraduate and graduate) as well as faculty have the potential to perform some of the supplemental tasks for IPS such as technology assessment, documentation of current systems, or other tasks depending on the unique needs of the organization or the capability of the university. For those fortunate enough to have degree programs in information security or information systems auditing, the fit is likely to be even better. It is often possible to use the internship phase of a degree program to accomplish specific projects (such as application or systems security evaluations).
Never underestimate the value of personal informants as a potential source of both threat data, indications and warnings about new threats and countermeasures, or actual criminal activity directed towards the organization.
|