There is an old saying: “Keep your core business processes close.” There is clearly good reason for doing so. Only the company itself understands its core processes and values these appropriately.
But can we class IT security processes as core? That is a key question that needs answering to understand what to outsource and what to keep in-house.
There are various frameworks that cover IT security, its components and processes. Cloud Security Alliance (CSA) has created a guidance document for organisations planning to adopt cloud computing - effectively a type of outsourcing. It contains various domains grouped into two areas: governance, and operational.
The governance domains are those where outsourcing is not advised. However, within the CSA operational domains there are candidates for outsourcing such as: datacentre operations, application security, identity and access management, and virtualisation.
Another viewpoint is based on the Security Architecture Model, where the traditional network and computing stacks (network, host, application, data) are surrounded by specialised security technology areas, namely identity and access management, cryptography, security event and incident management, and business continuity. All of these are overseen by governance, risk and compliance (GRC). It can be argued that the whole technology security stack can be outsourced except GRC, which is one of the key processes in IT security.
Could you outsource firewall management (network security), vulnerability scanning or anti-malware (host security) or running a database firewall (data security)? Yes you could, and frankly, I would prefer it as I have better leverage over my outsourcing partner than I have over my colleagues in IT.
Another reason to outsource these areas is precisely that they are specialised: the skills are scarce, and your company may not be able to keep them fully utilised.
In summary, outsourcing IT security is not for everyone. Others do it and you can too, but you can equally keep it in-house if you prefer. There are, however, elements of IT security that should not be outsourced.
Vladimir Jirasek is a member of the Cloud Security Alliance (UK)
This was first published in May 2012