Attention, tech-industry decision makers: Outsourcing isn't necessarily the bad word you think it is.
Those working in development and related fields certainly understand why businesses outsource, but there's no denying some people have formed bad associations with the concept over the years. From poor customer-service experiences and insurmountable language barriers to displaced jobs, most folks only mention it when they're about to complain.
But it doesn't have to be that way. Eliminating the associated stigmas should make it easier for people to recognize the benefits of this modern convention. Here's a closer look at the practice formerly known as "outsourcing" and how it can be a great thing for any business looking to bolster overall software security.
If you keep up with this blog, you're likely aware of the benefits of a comprehensive approach to security. But if not, here's the rundown: In a scene where software often comes in iterative chunks instead of the single-shot products of yore, finding and fixing security flaws at set intervals (or worse, making this the last task before release or deployment) isn't the best idea. That said, treating security as a top priority from the onset means a lot more than committing to writing stronger code. Security-minded developers should test their wares at all times, keep their organizations primed on the latest security threats making the rounds and train people on existing issues and how to avoid them.
The problem often comes down to cost. A company dedicating itself to a new outlook on security needs all kinds of adjustments, and those changes cost money. Alterations to practices and procedures aside, truly focusing on security often means hiring experts — people who know the ins and outs of AppSec and can effectively take the heat off employees whose main job should be writing code.
Worse, even if a company does have the resources to bring on a dedicated security person or team, the need for actual personnel exists in a weird sort of feast-or-famine state in most shops. Desperately needing a warm body in the security seat 80 percent of the time is enough to warrant bringing people on, sure. But that doesn't make that remaining 20 percent sting any less, especially if you're the one cutting the checks.
This is where information security consulting can really make a difference, thanks in large part to both the scalability and experience it offers. And really, those two benefits play into one another: An experienced consulting group won't just know how to avoid and fix serious issues, but will also be well-versed in tailoring solutions to an individual client's needs.
Perhaps more importantly, information security consulting can help a business figure out exactly what those needs are. As you know, transforming into a security-minded workplace isn't easy by any stretch of the imagination. Eliminating the trial and error that comes with it can save tons in terms of cash, time and frustration — a perk bound to make every arm of a business's operations happier.
However, it is easy to swing the pendulum too far with consulting. Security isn't like a typical IT project that a consulting firm can implement and walk away declaring victory. Security is an on-going program. There will always be new applications to onboard, new developers to coach on security best practices, new regulations to convert into testing policies, or compliance reports to generate. The potential pitfall with continuous programs is enterprises treating their consultants like outsourced employees tasked with activities which rack up thousands of billable hours.
The brilliant middle ground is to focus on the information security service as a whole rather than solely the consulting aspects. Generally speaking, providers of information security services will have experience dealing with issues in a lot of different business contexts. Just as successful cloud-based platforms get better as developers learn from how customers use the platform, these information security services become stronger as consultants use their lessons learned to automate tasks, document processes that work and simplify integration between security and development technologies. Enterprises starting up security programs simply don't have the luxury of cultivating that experience internally from scratch. Instead, bringing in a guide or coach with process and automation kits enables implementation of a stronger security program more quickly — and without racking up thousands of billable consulting hours.
None of this is to say a company shouldn't have dedicated security people. If anything, turning to information security services is a way for a business to have the best of both worlds; plus, the smartest way to cultivate a security culture always starts with expert help. Though it may seem a bit prescriptive (and we know every company's best solution is a personalized, complicated thing), it makes sense that any company with security concerns would want the best results for the lowest cost.
Wanting good returns isn't specific to the development industry, after all — it's universal language for good business. Offering a secure product and setting yourself up for future security successes certainly meets that definition, too. That makes bringing in experts a good idea, no matter your security goals.
Photo Source: Flickr