A clear trend over my entire career has been the gradual reduction in the number of people employed to manage IT in businesses. When I started in the early nineties, individuals might be employed to manage a single server or device. Now it is not unusual for a handful of people to be managing networks of dozens of sites and hundreds of machines.
The reasons for this trend are many, but it has inexorably led us to a market where critical business applications and data are in the hands of third party suppliers, with small numbers of employees required simply to manage these supplier relationships and their respective SLAs. This has had a significant positive effect on the cost of IT to the businesses making these decisions and, in most cases, has not negatively impacted the access to the functionality required by the business process.
Unfortunately the resultant networks are inevitably more complex in nature, with numerous perimeter devices and multiple providers sharing responsibility for the security of the whole. This is not just a qualitative problem that can be solved by negotiating a better SLA. Numerous penetration testers I have spoken to about the results of tests on corporate networks and service provider networks have taught me a simple and very powerful truth.
Nobody cares about your security as much as you do.
Service providers, as much as their marketing might suggest otherwise, have a focus which is much broader than that of an individual customer. Their systems, people and processes are geared to optimise their own business objectives. This may include the mitigation of risk associated with a customer suffering a data breach – but the numbers suggest that data held on third party servers or in third party facilities is more at risk.
This suggests to me that there is a category of data, application or business process that should not be outsourced, and that any risk analysis of outsourcing should take into account the fact that outsourcing increases the risk of data loss.
Perhaps there is, after all, a minimum number of IT staff that should be employed for a given scale/complexity of network simply to enable the business to keep its crown jewels safe.