All organisations at one time or another need to reduce costs or at the very least review expenditure. Information security is not exempt from this (and nor should it be) so a delegated financial authority once again looks at the line item for the appliance that was purchased to "do security". Due diligence requires that cheaper alternatives such as outsourcing be considered. Often outsourcing appears a cheaper alternative to said appliance and so is selected as the path forward.
Information about what justified the appliance in the first place is incomplete, and the additional controls [potentially] required to outsource its function aren't quantified. And so a cheaper, rounder peg is used to fill an ill-defined square hole. It is of little surprise that information and information systems are not well protected in a lot of organisations.
Outsourcing: Two cents' worth
The justification given for outsourcing is often cited as being financial. This is no surprise, as ultimately most company decisions are based on building or conserving finances. A slightly more detailed view is that an organisation will outsource a function for the following reasons:
• The outsourcer can do it better for the same cost.
• The outsourcer can do it the same for a lower cost.
• The outsourcer can't do it as well, but does it at a lower cost.
Just because you can outsource something, doesn't mean that you should. Sometimes it is better to keep certain functions in house. Examples of areas that should not be outsourced include:
• Anything deemed to be "core business" should remain in-house to ensure intellectual property is constantly growing. If a desktop services provider outsources its desktop services, it makes sense for their customers to buy from their outsource partner rather than from them.
• Anything perceived to be "core business". Perception is reality, and to ensure good standing in the marketplace an organisation must address it.
Examples of outsourcing security
"Security as a Service" is the utopia intended to address the woes of organisations that do not want to be involved at all.
Outsourcers promise to take care of information security and often deliver it in the form of a managed firewall and antivirus. The quality of the service is often validated by references from other customers and potentially a site visit. Existing customers praise the outsourcer for a flawless service backed up with monthly reporting -- in colour. Closer examination, however, demonstrates the model is flawed. In such an arrangement, the outsourcer is discouraged from reporting any issue. Why degrade your reputation when it is unlikely that your customers (who have abandoned any internal resource) will be any the wiser? With no trusted resource there is no way to validate any findings (or lack thereof) through testing or an educated review.