I could probably write a book about the entirety of that question. But in an abbreviated nutshell, it's very important to tightly scope what you mean by "outsourcing information security." I've long held the opinion that nobody gets an award for doing everything themselves, so I'm a big fan of tactically outsourcing certain functions where an internal resource can't really add value. Something like
But I strongly believe that responsibility for the organization's information security program must reside internally. Security is a business function and thus the security program manager (let's call this person the CSO for argument's sake) needs to be on the ground internally to build credibility, be in the loop and relay the value of security to the rest of the executive staff.
It's not clear to me how an external party has the desire, capability or incentive to take full accountability for security. At the end of the day, I believe in the "fired doctrine." Meaning if something goes wrong, who is going to be fired? I doubt it's someone on the outsourcer's team, so it's pretty important to keep control of the security program internally.
Another analogy is whether you'd outsource the CIO. Even if the rest of the technology operation were moved to a service provider, you probably wouldn't -- so why would you outsource security program management?
This was first published in February 2009