IT security, which encompasses the key information systems and facilities of an organisation, has a narrower and more technical focus than information security. On paper, IT security appears to be an easier set of capabilities to outsource – but, as with all security, the devil is in the detail.
Research by the Information Security Forum (ISF) has shown that the decision to outsource should be based on factors such as the changes in cost profile, risk and control; and whether outsourcing enables the organisation to tap into a deeper or wider pool of expertise or derive value from the outsourcer’s activities.
However, key to any successful outsourcing programme are the due diligence and contracting pieces. You need to understand what you are going to outsource and how you would like it to be run, managed and reported on. Without this knowledge, you will not get the service you want, you expect or are paying for.
So, what should you outsource? The obvious place to start is where capability and or expertise is lacking in the organisation – such as forensics – and where budget for creating and maintaining such a capability / expertise cannot be obtained.
Second, specialised tasks such as network monitoring, where an outsourcer has both expertise and the ability to collate and analyse data from many sources that the organisation couldn’t match, are also activities where outsourcing can add value.
Third, low-value (and manpower intensive) activities, such as patching and firewall management could be considered.
After this, the choice becomes much more difficult, as the activities may be more bespoke and may be combined with other, non-security activities, such as IT hardware or user access provisioning.
In summary, outsourcing IT security can yield benefit – but only if you understand what and why you are outsourcing.
Adrian Davis is principal research analyst at the Information Security Forum (ISF).