I was talking with a colleague recently about IT security and outsourcing (it’s a subject close to my heart, and my company’s) and we both agreed that the one thing that absolutely cannot be outsourced is responsibility.
That is, the responsibility to ensure that the company complies with legal, regulatory and industry requirements such as Data Protection, PCI-DSS and so forth.
Other than that, you can outsource pretty much all of the implementation, operation and management of IT security, provided you know what you are outsourcing.
But the sting in the tail here is that you must know what you are outsourcing – and that means identifying by contract what is being outsourced, what standards must be met, how that is to be monitored, and how any redress is to be handled should things go wrong.
If your company has no IT security expertise (and being able to set up a user account on a network really does not count), the first thing you should consider doing is outsourcing the IT security management to a specialist firm (and IMHO, not the IT supplier) which can ensure that you have appropriate policies, procedures and operational guidance in place. This can then form the basis of further outsourcing.
The specialist IT security firm could also offer overall security management of your organisation’s IT environments, including security reviews and audits and security awareness training for company staff.
Of course, outsourcing your IT security management can have its dangers, but these can be minimised by putting in place appropriate and effective management of the outsourcing arrangement, keeping in mind that one of the functions of IT security is to ensure that your company's obligations (legal, regulatory and industry) are met.
Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.