I am sure that outsourced security varies in quality and
effectiveness, as does perforce 'outsourced' auditing.

My now extended observation of it in several mainframe shops has not,
however, been encouraging.

Exclusive preoccupation with security seems to lead ineluctably to
rigid, rote, highly standardized measures that make systems
increasingly awkward and unworkable without in fact making them more
secure.

It must be conceded that many of these deficiencies are not specific
to security.  Suboptimizing, a department's pursuit of its own
objectives at the expense of those of the organization it serves, is
ubiquitous.

There is another problem too, and it is harder to talk about
politely.  I have never met a full-time computer-security person for a
mainframe shop who really knew much about the operating system he or
she was attempting to defend.  Moreover, I have never met a highly
competent z/OS or z/VM systems programmer who was willing to devote
herself or himself exclusively to security for a single shop.  There
is a severe, all but sui generis paucity of both talent and long
experience with the target operating system among these security
people; and it is not at all clear how these deficiencies can be
remedied.

Part-time attention to security by a few talented, appropriately
experienced people is all but certain to be much more effective than
that given to it by a much larger group of dedicated mediocrities; but
this notion is unpalatable to many CIOs for the obvious reason.

John Gilmore, Ashland, MA 01721 - USA

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
