Enter vulnerability assessments. VAs allow organizations to pinpoint more accurately where their networks are likely to be weakest. They typically look for vulnerabilities in your organization's IT environment and include several tests on your computers (desktops as well as laptops), your network and your Web applications. Test results will allow your IT staff to correct any weaknesses through reconfiguration or patching as needed.
Each organization must determine whether to have the VA performed by internal staffers or to outsource that service. Having an outside firm perform the VA may be more costly, but it can provide results more quickly and often with more accuracy.
As an alternative, some businesses opt for a middle ground where some portion of the assessments are performed in-house, with the rest left to an outside provider. For example, a professional could design the right protocol for your organization's needs and then train your company's own IT staff to take over those duties in the future.
A combination approach can set specific projects in motion quickly (with outsourcing), leaving follow-up and ensuing projects to your in-house team.
VA as an in-house project will come at a price. The time spent training your staffers to learn the needed skills (which may be totally unfamiliar to them) will take them away from other tasks. If the company budget will allow that downtime, then training may be a good option.
Access to the IT professionals doing the training will be short-lived, however, and as the security environment evolves, your employees will need to be retrained in order to keep up.
Using outsourced professionals can relieve your employees from those added duties, allowing you to be more selective about the VA team members and how long you keep them on, and helping you stay within budget.
Once you've decided to outsource, your organization will have to hire the right company to do the job. Not only must the outsourcer understand your company's specific needs, but it should also be able to meet those needs at a price that's within your budget. Your company and your employees must be ready to share all relevant information with the outsourcing team so it can carry out its function. Reluctance to provide certain information is natural, since doing so usually tends to reduce security and staffers have been trained to ensure that client and company information remain confidential.
When the company you've entrusted with your needs further outsources parts of the project -- in other words, subcontracts -- information is exposed even further. Remember that subcontracted work could be inferior to that of your primary contractor, and your organization should determine at the outset whether a vendor will be subcontracting. If it is, you may want to include in your contract with the outsourcing company a provision enabling you to reject or accept certain subcontracted vendors. Or you may want to refrain from outsourcing with that firm altogether.
Outsourcing VA offers many advantages. Both established firms and newer companies that have untested employees or are simply understaffed are attracted by the expertise afforded by a professional vendor.
Such vendors offer their clients the benefit of their experience, whether it's from having had a good number of prior customers or just years of know-how gained from servicing a wide range of companies. Their client-focused approach will provide your organization with an assessment tailored to your company's needs and present it in a clear, concise format.
Douglas Schweitzer is a freelance writer and Internet security specialist in Nesconset, N.Y. Contact him at dougneak@juno.com.\