Security Think Tank: Three considerations to outsourcing IT security

What should and what should not be outsourced in IT security?

When considering what should and should not be outsourced in IT terms, organisations really should be driven by three main considerations: what makes economic sense (cost); what can be done securely (due diligence); and risk to the business (a risk assessment).

The starting point for the decision-making process should be an internal risk assessment. This should identify every type of data that is subject either to regulatory compliance or to business risk: payment card data (PCI DSS), personal data (in the UK, the Data Protection Act) and intellectual property (IP).

Another aspect to consider in a move to outsource IT is the existing utilisation of hardware resources, and whether on-demand services would give the business a cost benefit rather than a costly, over-engineered in-house solution sized for a limited peak-demand period.

Selecting a supplier to host your data, services or virtual hardware should not be based solely on cost but also on security – the former is sometimes over-emphasised at the expense of the latter. When setting a framework for selecting your supplier in the bidding phase, decide clearly what you are trying to achieve for the business in terms of cost, functionality and security, and then define a scoring system to apply to the potential suppliers' responses.

As someone who has been involved in requests for proposal (RFPs) for years, both as a buyer and as a supplier, I have seen these vary enormously from industry to industry, and even with the style of the individual author.

In my experience, RFPs are best fit for purpose when they have given due consideration to all the aspects mentioned above. On encryption, for example, RFPs often merely ask what encryption algorithm is used – and get a chorus of Advanced Encryption Standard (AES) responses, which does little to differentiate suppliers.

Dig a little deeper by asking how the encryption has been implemented: the mode of operation, the key length, how keys are generated, stored and rotated, whether integrity is protected as well as confidentiality, and whether data is protected in transit as well as at rest. As always, the devil is in the detail: the more thorough you are, the more likely you are to sort the secure wheat from the insecure chaff.
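To show concretely what the algorithm name alone leaves open, here is an added example (written for this page; it is not code from the author or from any supplier) that encrypts the same constructed test record in two ways a supplier could both truthfully describe as "AES": raw ECB mode, and AES-GCM. The fixed key, the sample record and the helper names are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record: a 16-byte card-number-shaped block repeated
// four times. It stands in for any stored data with repeating structure.
var sampleRecord = bytes.Repeat([]byte("4111111111111111"), 4)

// Fixed AES-128 key used only for this illustration (an assumption;
// real keys come from a key-management system, never from source code).
var demoKey = []byte("0123456789abcdef")

// ecbEncrypt applies the raw AES block function to each block in turn.
// Go's standard library deliberately offers no ECB mode; it is built here
// only to show what a bare "we use AES" answer can hide.
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(pt)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), bs)
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct, nil
}

// repeatedBlocks counts how many ciphertext blocks occur more than once,
// i.e. how much plaintext structure the ciphertext leaks.
func repeatedBlocks(ct []byte, blockSize int) int {
	seen := map[string]int{}
	for i := 0; i+blockSize <= len(ct); i += blockSize {
		seen[string(ct[i:i+blockSize])]++
	}
	n := 0
	for _, c := range seen {
		if c > 1 {
			n += c
		}
	}
	return n
}

// gcmSeal encrypts with AES-GCM under a fresh random nonce and returns
// nonce || ciphertext || authentication tag.
func gcmSeal(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// gcmOpen verifies the tag and decrypts; any modification is rejected.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	ecb, err := ecbEncrypt(demoKey, sampleRecord)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ECB: %d of %d ciphertext blocks are repeats\n",
		repeatedBlocks(ecb, aes.BlockSize), len(ecb)/aes.BlockSize)

	sealed, err := gcmSeal(demoKey, sampleRecord)
	if err != nil {
		panic(err)
	}
	body := sealed[12:] // skip the 12-byte nonce
	fmt.Printf("GCM: %d of %d ciphertext blocks are repeats\n",
		repeatedBlocks(body, aes.BlockSize), len(body)/aes.BlockSize)

	// Flip one bit of the ciphertext: GCM refuses to decrypt, whereas ECB
	// would silently return corrupted plaintext.
	sealed[20] ^= 0x01
	if _, err := gcmOpen(demoKey, sealed); err != nil {
		fmt.Println("GCM rejected the tampered message:", err)
	}
}
```

Both outputs are "AES", yet one reveals every repeated record and accepts silent modification while the other does neither. An RFP answer worth scoring therefore names the mode, the key size, how the nonce or IV is chosen, how integrity is protected and where the keys live.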

Phil Stewart is director of communications ISSA-UK and director at Excelgate Consulting.
