FRSecure Article
Should you hire FRSecure or fix things yourself?
Commentary from Kevin Orth, Vice President of Operations
Recently we spoke at an iCPSI conference in Iowa, and got this question in front of 120 hospital administrators and staff from hospitals all over Iowa.
It’s an interesting question, and here’s our answer:
Of course you should hire us. It had to be said, so I got it out of the way early.
The real answer: It depends
As with any outsourcing question, it really comes down to a few things: a) do you have the expertise internally, b) which approach is more cost-effective, and, specifically for information security, c) will you actually do it?
If you start with the end in mind, then the question becomes simpler. Ultimately what every business should have is an internally owned information security program. That means you have leadership buy-in, a driver (program manager), and a strategic program that fits your business.
As programs develop, the need for independent, external review becomes apparent. Good program managers don’t believe they have everything perfect (because it’s not possible). They have appropriate controls in place and they know why, and they understand that someone from outside the forest needs to look at the trees occasionally.
We talk all the time about transferring knowledge to you, and this is why. Long term, we want you to own your program and have us review it occasionally to make sure things are going well.
So that’s the end goal. How you get there depends on where you’re starting from.
- If you have no formal information security program, then you need to start one. It takes a manager who will drive initiatives, and leadership buy-in so that the program is prioritized and budgeted for.
This can be done internally, but if you are having trouble getting started, then a company like FRSecure can help. This doesn’t need to be a big money commitment. We can guide the effort and help leadership understand the importance. You can still do the work, but now you have a partner that you can turn to for direction.
- If you know for sure there are holes, then the same guidelines apply. The caveat is that you should review progress in 6 months. If you haven’t made any progress (likely because other, higher priority efforts needed attention), then you may need someone like us to help drive the program forward. Again, this looks like the example above: you need leadership buy-in and a driver behind the program so that it gets prioritized.
- If you have some controls in place, but your approach is more reactive than strategic, then a company like FRSecure can be of great value to you. Taking your program from reactive to strategic yields a tremendous return on security investment (ROSI).
- If you feel like you have a fairly strong program, then it’s time for outside review. This isn’t our opinion; it’s simply an information security best practice to make sure you’re not too close to the trees to see the forest.
Ultimately your goal should be a solid, strategic program. That involves appropriate technical, administrative and physical controls, training and awareness, regular reviews that you conduct, and independent review every year or two. If you feel you can get to that point on your own, then go for it. We’re here to be a resource if you need to bounce ideas off someone who’s done it before.
FRSecure was founded because, as Evan Francen was building his first information security programs, he didn’t have anyone to help guide him, so inevitably mistakes were made. With twenty years of experience, dozens of security programs established and hundreds more assessed, FRSecure analysts have refined and streamlined the information security process. Without this sort of experience, most companies end up reinventing the security wheel and making the same mistakes as they build their program.
We truly thrive on seeing the “Ah-ha” moments our clients have when they start to really get what we’re talking about.