Once that person is in place, the next step is figuring out the current state of the information security program. Does one exist? How effective is it? A service provider can help build an architecture for security, which will involve learning what needs to be protected, where the information is, how various systems gain access to nd use the data and then figuring out the best way to protect the implementation. There are a variety of organizations that can do this.
Concerning implementation, service providers can help to install new gear and manage the infrastructure. One option is a managed security services (MSS) provider, which assists with the operational responsibilities of managing the devices. The MSS market is maturing, so providers should have a long and successful track record of providing pertinent services. Secure data centers, lots of certified staffers and significant financial resources are all important criteria of providers.
Compliance is a totally different issue; it's more about defining where the organization needs to go than the day-to-day work to get there. I always counsel clients to think about security first and let compliance follow. Documenting and substantiating the implemented security controls is enough for most auditors.
This was first published in April 2008