As you might expect, the greatest direct cost associated with the development and management of a security program is personnel. Some organizations outsource the complete security effort. This may be a good option if you just don't want to be bothered with the mechanics of data protection. However, you're still responsible for how the outsource vendor performs, the policies put in place, and the effectiveness of the services provided. Full outsourcing always makes me a little nervous. I like to have more control over my security environment. It can also be more expensive than doing it yourself if you're not careful. The biggest benefit of this approach is that you have a professional security team monitoring your network and managing incident response.
Another approach is to do it all yourself. This is not a bad way to implement security, assuming you or a member of your team has the skills, time, and desire to build and manage a security program. For a small organization, this could also mean a long-term commitment by most or all of your IS department. Unless you're working for a large company with a dedicated security staff, this may not be the best use of your human resources.
A third way to implement a security program is to engage security consultants to work with your team to develop appropriate policies, procedures, guidelines, and baselines. As your staff works through the development and implementation processes, ensure that a knowledge transfer takes place. This provides a professionally built program and trained security analysts without committing your entire IS team to the project. Once the program is in place, you can outsource the parts of it that are more efficiently managed by dedicated service organizations. I prefer this approach. It optimizes your in-house staff while providing an adequate level of security to the organization.
In addition to personnel costs, there are technical costs related to monitoring and measuring the effectiveness of the program. Without the right tools and processes in place, you can't continuously improve your ability to protect your information assets while managing overall costs. Some of the tools you may need include:
- A port scanner to check for server and workstation vulnerabilities
- A network scanner to identify internal and external network vulnerabilities
- Penetration testing equipment and software
- Network monitors
- An intrusion prevention system
Finally, you will need resources to disseminate information to your staff. Employee awareness activities and employee training are key to securing your information assets.