Implementing information security solutions in SMBs

The pros and cons of different approaches to deploying and maintaining information security systems.

How to deploy an information security solution in a midsize business

When deploying and maintaining corporate information security systems, it’s logical to engage professionals. These experts can be either in-house or external — service providers or developers of the chosen solution. Each of these approaches has its pros and cons. After all, deploying an information security system for a business is a fairly complicated process, which, besides the software installation itself, includes the following preparatory and operational phases:

  1. Analysis of the information security risks — to identify vulnerable aspects, assess the likelihood of threats, and compile a list of necessary measures
  2. Development of security policies to regulate access to information and ensure its protection and integrity
  3. Selection and implementation of the solution
  4. Periodic auditing of the solution to make sure it’s effective and compliant with current requirements
  5. Incident response

A large business will have an information security department to handle these tasks. But SMBs face the choice of trying to deploy a security system in-house or outsourcing to third-party contractors.

In-house deployment

“In-house” means a dedicated employee (or department) with information security expertise. The company can try to find such a person on the market or train their own. The pros and cons of this approach are:

  • + The company controls the training process, can adapt that process to the company’s particular needs, or find a person with the necessary skills
  • + An in-house employee is better acquainted with the internal business processes, so can offer more effective and specific solutions
  • + An in-house employee will be able to respond quicker to threats and problems
  • + Company secrets won’t fall into the wrong hands
  • + It may be more cost-effective than engaging outside expertise, especially if the employee is already on the staff
  • + Training will raise the employee’s professional status, which may increase their loyalty
  • – Training will take a long time
  • – It can be more expensive to hire a ready-made expert than a contractor, and the search will also take a long time
  • – A trained-up employee will probably know the subject area less well than an experienced infosec pro
  • – There’s no guarantee that such implementation know-how will be useful going forward; this is especially true if a dedicated employee is given the task — what will they do post-deployment?
  • – A trained-up employee might leave, in which case a new person or contractor will have to be found to maintain the solution

This approach is relevant for businesses that are growing or planning to scale up, as it will lay the foundation for the future of the information security department. However, if there are no such plans, or growth does not translate into infrastructure development, there’s little point in investing in new professional skills.

Third-party deployment

The market is full of service providers offering turnkey solutions: infrastructure audits, plus implementation and maintenance of IT security systems. Pros and cons:

  • + Saves time: no need to train or find anyone
  • + A specialized contractor is likely to have expertise and experience in the field of information security
  • + A contractor can offer a wide range of services that go beyond in-house capabilities
  • + More efficient use of own resources — all concerns about implementation are outsourced
  • + Fewer risks, plus the ability to transfer these risks to the contractor
  • – In the long term, a third party may turn out to be more expensive than in-house staff
  • – A contractor may not understand internal business processes, leading to poorly adapted solutions
  • – Lack of transparency: you can’t be sure how much the contractor really knows about the products being deployed
  • – Confidentiality issues may arise, as a third-party contractor will have access to your data, but you know nothing about the contractor’s internal security policies
  • – The company could become dependent on the contractor
  • – You won’t have a full understanding of what’s going on, with insufficient business control over the implementation and support process

On the whole, engaging a contractor is a sensible and common way of deploying an information security system. Typically, such service providers cooperate with solution developers, are certified, have partner status and provide guarantees. There is also a third way…

Vendor deployment

This approach is similar to the second one, the difference being that deployment is carried out by the developer of the solution, whose employees are guaranteed to understand it inside and out. Which means:

  • + No dependence on a third party: the solution will work as long as its developer remains on the market
  • + The vendor’s direct guarantee will further reduce the risks
  • + Configuration and deployment of products will be as fast and efficient as can be
  • + Minimizes downtime caused by incorrect configuration and long set-up times
  • + Maximizes the payoff of investments in information security, as expert configuration will ensure products work at their full potential

Most SMBs won’t even need third-party experts to be present on-site — server capacities are usually cloud-based these days, and in any case systems can be monitored remotely.

We offer Kaspersky Professional Services — our own package solution for deployment of Kaspersky’s information security tools. It includes a wide range of services: analysis of existing infrastructure and policies; development of policies and elimination of vulnerabilities; implementation and upgrade of solutions; support; encryption of data storage. Kaspersky has local teams around the world that speak your language and have the necessary expertise. Our package solution is perfect for SMBs, as it will lessen the load on the IT department or even eliminate the need for a full-time system administrator.