Who is responsible for security?

Of course, like health and safety, security is everyone’s responsibility. But, when it comes to the software systems you use, it’s important to have a named person or team who work to ensure the security of your data.

How much this person/team has to do will depend on the approach to risk that you’re taking (see my post on Weighing up the risks: a sensible attitude to security).

If you’re in a high-risk situation, where it’s essential to maintain the integrity of your systems (and to be seen to have done so), then there are common tasks that need to be done:

1. Regular (at least annual) security testing against the OWASP Top Ten
2. Installing software updates as they are released
3. Ensuring that bespoke or 3rd party code without regular updates is looked at regularly to ensure it is still secure
4. Ensuring the server environment is hardened appropriately
5. Monitoring for attacks

Whether this role is done by someone inside your organisation, or outsourced to another company depends on a number of factors:

1. Do your people have the skills needed?
2. Do your people have time to do the job properly?
3. Do you have enough people to cover for absences?

It’s tempting to think you can go it alone. Particularly with common open-source software like WordPress, Drupal and Moodle. It’s often easy to set up and to add additional functionality using plugins. But keeping it secure and well-maintained can become a significant task.

In most cases, I would tend to recommend outsourcing. Unless you’re prepared to create a team that has in-depth knowledge of the application software and underlying server platforms, it’s far better to work with an existing company to mitigate your risk.

I can help you understand your risks and advise on your particular options for mitigating them. Contact us to find out more about my services.

If you'd like to discuss this article, or how I can help you, get in touch.

Posted: 08 May 2014

Tags: Project management Supplier selection

Related articles