From a theoretical perspective, any security service could be outsourced. There are security suppliers out there that enable organisations to outsource their firewall management, security monitoring, vulnerability assessment, authentication services, content checking, anti-virus, and e-discovery capabilities, among many others.
But the adage remains – just because you can do something doesn’t necessarily mean that you should.
The important point is that while you can outsource the responsibility for delivery of a security service, you cannot outsource accountability should that security service fail.
So, while an organisation may choose to outsource the management of their firewalls and intrusion detection systems to a third party, the client organisation will still suffer the consequences of regulatory fines and loss of reputation should their service be compromised.
It is unlikely that any service credits or other contractual recompense would be sufficient to completely offset the reputational damage caused by such a compromise.
Organisations looking to outsource specific security capabilities must be confident that they are aware of, and can manage, the potential fall-out should their supplier fail
Lee Newcombe, managing consultant, Capgemini
Organisations looking to outsource specific security capabilities must be confident that they are aware of, and can manage, the potential fall-out should their supplier fail. They should also look to work closely with their supplier to minimise the risk of such a failure.
Organisations need to take a fully informed, risk-managed approach to the outsourcing of security services, much like with other outsourcing decisions. For example:
- Can a third party provide a better quality of service than you can provide internally for the same, or cheaper, cost?
- Can the third party meet all of the compliance requirements that you must abide by?
- Can you verify that the service provider delivers what they claim?
- What would be the consequences for your organisation should the service provider fail to deliver their claims or otherwise fail your needs?
Read more about IT security outsourcing
If you are comfortable with the answers to such questions for a specific security service, then you should consider outsourcing that service as a viable option. If you are not comfortable with the answers, and you currently boast an adequately skilled and equipped team, then perhaps in-house delivery remains your best option.
Whether in-house or outsourced, you should always retain a capability to assure the delivery of your security services. In the words of Ronald Reagan, “Trust, but Verify” – the outsourcing of security services is certainly no time for blind faith.
Lee Newcombe is an active member (ISC)2 and managing consultant at Capgemini.
This was first published in May 2012