What are the risks associated with outsourcing security services?

What are the risks associated with outsourcing security services?

Our company is looking to outsource services, including information security. What are the key pros and cons of relying on a service provider for information security, and are there any 'red-flag' circumstances when security shouldn't be outsourced?

    Requires Free Membership to View

    Login

    SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.co.uk you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.co.uk is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

I could probably write a book about the entirety of that question. But in an abbreviated nutshell, it's very important to tightly scope what you mean by "outsourcing information security." I've long held the opinion that nobody gets an award for doing everything themselves, so I'm a big fan of tactically outsourcing certain functions where an internal resource can't really add value. Something like email security or firewall monitoring are good candidates for that.

But I strongly believe that responsibility for the organization's information security program must reside internally. Security is a business function and thus the security program manager (let's call this person the CSO for argument's sake) needs to be on the ground internally to build credibility, be in the loop and relay the value of security to the rest of the executive staff.

It's not clear to me how an external party has the desire, capability or incentive to take full accountability for security. At the end of the day, I believe in the "fired doctrine." Meaning if something goes wrong, who is going to be fired? I doubt it's someone on the outsourcer's team, so it's pretty important to keep control of the security program internally.

Another analogy is whether you'd outsource the CIO. Even if the rest of the technology operation were moved to a service provider, you probably wouldn't -- so why would you outsource security program management?

For more information:

  • Application security expert Michael Cobb explains whether it's right for your organization to outsource email security services.
  • Visit SearchSecurity.com's Compliance School to learn more about compliance best practices across an extended enterprise.

    • This was first published in July 2007

    Back to top