As an information security professional for more than 25 years, I have absolutely no problem with outsourcing ANY IT security function EXCEPT logs and records.
The end goal of IT security should be exactly the same as it is for IT – to become invisible. Like electricity, IT infrastructure’s evolutionary objective is to become an invisible “point of service” deliverable.
In the US in the 1930s, companies employed Vice Presidents of Electricity. These roles were critical because electricity was generated on site, and if it failed, companies lost money. Electricity VPs were key board members until, of course, electricity came onto commercial grids and became a point-of-service product. When it did, needless to say, the role of Electricity VP quickly disappeared. The analogy can be found in virtually any technology. The goal of technology is to become invisible. Cloud computing is the clearest evidence of this evolutionary trajectory, and IT security must follow suit.
Trust must become a commercial deliverable if we are to move forward. Until then, security will always be a “bolt-on”. Consequently, I think we should actually encourage the outsourcing of IT security requirements. The sooner we do this, the sooner the market will respond and provide integrated security solutions, giving terms like “security by design” real meaning.
Meanwhile, I wouldn’t hesitate to outsource the most sensitive of IT security functions under strong service level agreements clearly detailing legal liability responsibilities and consequences. The key is to implement effective quality control measures on the service provider’s deliverables.
Richard Hollis is a member of the ISACA Government and Regulatory Advocacy subcommittee