Would you let a doctor fix your car?

Five reasons why you shouldn't let your in-house staff develop your security systems


I am tired of reading about IT security disasters, especially when so many of them could easily have been avoided. It seems as if every week another big-name organisation has its security breached, resulting in customer information being made available to the wrong people, its Web sites crashing or its money being lost.

Despite the significant press attention that these breaches receive, they keep on happening. Why are so few people taking any notice?

I know nothing about cars, so I take my car to a mechanic to maintain and repair it when necessary. I know nothing about medicine so when I am unwell I go to a doctor - most people do the same.

And yet, time and time again, people try to develop or implement security systems, which must be one of the most vital parts of any IT infrastructure, in-house. And then there are large-scale disasters when it all goes wrong.

There are five main reasons why security should not be developed in-house:
  • Of all the aspects of application development that managers want to complete in-house, is it sensible that security should be one of them?
    I know that comprehensive security can't be bought off-the-shelf, and I know that each organisation and application is different, but that does not mean you need to do it yourself. You would be much better off if you found someone who could analyse the way your organisation works and design your system individually, but based on their experience and understanding of IT security.
  • Security is complex, especially in larger organisations. How do you know you have thought of everything?
    There are so many aspects to consider: what happens when someone's job changes and how do you manage their new access rights? Do you want your customers still to place orders electronically if their account is overdue? What about if the stock market slumps, does that affect what trades people can perform? Who decides what actions different individuals and groups can perform on the system?
    Can you guarantee that you have thought of everything? Would you bet your job on it?
  • Developers are required to understand many different applications, often resulting in a situation of "Jack of all trades - master of none". This may be acceptable for developing some business applications but, out of everything, shouldn't security applications be developed by experts?
    Bad security can directly influence customer confidence in a company and its Web site, directly affecting sales - is it worth the risk? Do you hire IT development staff specifically based on security skills and experience? If not then your team is almost certainly not good enough to provide the level of security your company needs.
  • If security is being developed in-house, how much do you trust the team that is developing it? Security systems that are developed from the inside will be easier to break into from inside. It is widely known that the majority of security breaches are from within an organisation. Do you want to be responsible for appointing that team and making those decisions?
  • Isn't it easier to leave the worries about security to someone else? Show me one IT manager who needs that level of stress. Wouldn't it be easier to outsource the development of security systems, with a rigid service level agreement, and let someone else worry about keeping it up and running?

IT managers need to realise that security is more than just virus protection and keeping the bad guys out. It is even more important to be able to let the good guys in and manage what they do once they are in your system. This access management approach combines authentication - "who are you?" - with authorisation - "what are you allowed to do?" Have you thought about access management, and the implications that has on development?
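The separation the column describes, authentication answering "who are you?" and authorisation answering "what are you allowed to do?", is easiest to see in code. The following is an added example, not code from the column or from Entegrity Solutions. It keeps the two questions in separate functions and drives the authorisation decision from role and context, so that the scenarios raised above (a job change, an overdue customer account, a market halt) are handled by changing data rather than by rewriting application code. All users, roles, passwords and rules are constructed for the illustration.

```python
"""Access management as two separate questions: authentication and authorisation.
Added example; users, roles, rules and scenarios below are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000  # constructed value; tune to your hardware in practice


@dataclass
class User:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes
    account_overdue: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so stored credentials are not reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(name: str, role: str, password: str, overdue: bool = False) -> User:
    salt = os.urandom(16)
    return User(name, role, salt, _hash_password(password, salt), overdue)


def authenticate(directory: dict, name: str, password: str):
    """'Who are you?' Returns the User on success, None otherwise."""
    user = directory.get(name)
    if user is None:
        return None
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
        return user
    return None


# Rights belong to the role, not the person. When someone's job changes, only
# their role is updated and the rights of the old job go with it.
ROLE_PERMISSIONS = {
    "customer": {"place_order", "view_account"},
    "trader": {"execute_trade", "view_positions"},
    "admin": {"manage_users"},
}


def change_role(user: User, new_role: str) -> None:
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {new_role!r}")
    user.role = new_role


def authorise(user: User, action: str, context: dict) -> tuple:
    """'What are you allowed to do?' Returns (allowed, reason)."""
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False, f"role '{user.role}' may not {action}"
    # Business-state checks sit on top of the role check.
    if action == "place_order" and user.account_overdue:
        return False, "customer account is overdue"
    if action == "execute_trade" and context.get("market_halted", False):
        return False, "trading halted by market conditions"
    return True, "ok"


def build_directory() -> dict:
    """Constructed user directory for the demonstration."""
    users = [
        make_user("alice", "customer", "alice-pass"),
        make_user("bob", "customer", "bob-pass", overdue=True),
        make_user("carol", "trader", "carol-pass"),
    ]
    return {u.name: u for u in users}


def decide(directory: dict, name: str, password: str, action: str, context=None) -> tuple:
    """Full path: authenticate first, then authorise. Never authorise an unknown caller."""
    user = authenticate(directory, name, password)
    if user is None:
        return False, "authentication failed"
    return authorise(user, action, context or {})


if __name__ == "__main__":
    d = build_directory()
    print(decide(d, "alice", "wrong", "place_order"))
    print(decide(d, "alice", "alice-pass", "place_order"))
    print(decide(d, "bob", "bob-pass", "place_order"))
    print(decide(d, "carol", "carol-pass", "execute_trade", {"market_halted": True}))
    change_role(d["carol"], "admin")
    print(decide(d, "carol", "carol-pass", "execute_trade"))
```

The point of `decide` is ordering: the authorisation rules are only ever evaluated for a caller whose identity has been established, and every rule returns a reason so the decision can be logged and reviewed. The "who decides what actions groups can perform" question from the list above becomes a question of who is allowed to edit `ROLE_PERMISSIONS`, which is itself an authorisation decision.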

An IT manager who realises the potential of security as a business enabler is also likely to appreciate that security developed in-house is likely to fall short of its potential, therefore outsourcing is the only real option.

Managers and IT developers should be realistic about what can and cannot be done in-house, and for something as essential as security are you sure you want to take the risk of doing it wrong?

Paula Palma is vice-president and managing director for Europe at Entegrity Solutions
