The risks of employing security service providers not up to the task are almost incalculable. The most devastating of these include the compromise of business information systems or the loss, or even theft, of valuable data only to be sold on or exposed to the world through nefarious intent. The business impact could be so severe that some businesses may cease to operate with the loss being measured through the bottom line and also through the loss of confidence of their customers as well as partners.
With the stakes being this high, organisations need carefully to assess the credibility of a security services provider. This is very difficult if not impossible to do in South Africa, due to the scarcity of specialist information security skills combined with a necessary track record.
Historically, information security is an afterthought - something that doesn't even bear consideration when designing or delivering key information infrastructures in modern Western economies.
I would also caution against assuming that "big names" automatically guarantee a required level of specialist skills and experience. For many large entities, their main business is generally mainstream information technology services, with their security business being a minor service line. Even the larger multinational firms that do business in South Africa face the same challenges when attempting to resource specific customer engagements due the paucity of local skills.
Meanwhile there are organisations that opt instead for internal security teams over external suppliers. But the case for using external specialists is undeniably strong, especially in instances in which the business security requirement is driven by a broader company audit, industry regulation such as the Protection of Personal Information Act (POPI) or is linked to a legal process. Also, for some organisations, serious security failures could be uncovered during an assessment process and in order for a frank analysis of the findings to be possible an independent, purely objective supplier is preferable.
External providers also monitor underground boards, chat rooms and unconferences (the term given to participant-driven, free events) where zero-day vulnerabilities, exploits and stolen data are typically exchanged. For most companies, staff engaging in these activities using company time and equipment is against security and ethics policies.
Information security is unquestionably one of the fastest evolving global industries and in order to stay current and be informed on the latest vulnerabilities and hacker techniques, for example, experts must regularly attend international security conferences, none of which are held in South Africa. By using external information security specialists, companies are offloading the expense of sending their staff to these conferences.
Information is the new oil. It is what drives business and also what governs society. Information assurance and security will allow business and government to operate and deliver the necessary products and services to the populace, therefore government and the private sector should both be championing the development of information security experts in South Africa.
