While there is no doubt that outsourcing IT security can provide massive value for many organisations, and the trend looks set to continue, what should or should not be outsourced varies with each organisation's specific needs and comes down to the following factors:
- Value Creation: Can the outsourcer fundamentally add value over and above what an equivalent internal team would cost? A good example of value creation is a forensic security service. Forensics can easily be outsourced to individuals who have the right skills, which can reduce the cost of having an expensive team on the internal payroll;
- Performance: Security is extremely hardware and capital intensive. Organisations that have to handle spikes in their business processes may want to outsource basic security functions such as the firewall, and let the service provider handle the spikes in performance demand, negating the need to overpay for a capacity level that is not needed 99% of the time;
- Risk & Governance: For businesses that handle sensitive data and are under strict regulations, outsourcing IT security becomes a critical concern because of the limited level of SLAs and audit controls that the outsourcer may provide. For this reason, these types of organisations tend to keep sensitive data controls in-house;
- Accountability: Expect the worst. What happens when you have a breach and you have outsourced part of your IT security? You must consider where the fault would lie legally. Following that, do you have the support and reporting tools to fully investigate a breach?
So, while there is no one-size-fits-all advice, if you consider these factors, you should be able to reap the advantages of outsourcing some of your IT security processes without increasing the risks and potential costs to the organisation.
Peter Doggart is product marketing director at Crossbeam Systems