Problem solve Get help with specific problems with your technologies, process and projects.

What are the risks associated with outsourcing security services?

In this expert Q&A, security management pro Mike Rothman discusses why outsourcing security services could be a bad idea.

Our company is looking to outsource services, including information security. What are the key pros and cons of relying on a service provider for information security, and are there any 'red-flag' circumstances when security shouldn't be outsourced?

I could probably write a book about the entirety of that question. But in an abbreviated nutshell, it's very important...

to tightly scope what you mean by "outsourcing information security." I've long held the opinion that nobody gets an award for doing everything themselves, so I'm a big fan of tactically outsourcing certain functions where an internal resource can't really add value. Something like email security or firewall monitoring are good candidates for that.

But I strongly believe that responsibility for the organization's information security program must reside internally. Security is a business function and thus the security program manager (let's call this person the CSO for argument's sake) needs to be on the ground internally to build credibility, be in the loop and relay the value of security to the rest of the executive staff.

It's not clear to me how an external party has the desire, capability or incentive to take full accountability for security. At the end of the day, I believe in the "fired doctrine." Meaning if something goes wrong, who is going to be fired? I doubt it's someone on the outsourcer's team, so it's pretty important to keep control of the security program internally.

Another analogy is whether you'd outsource the CIO. Even if the rest of the technology operation were moved to a service provider, you probably wouldn't -- so why would you outsource security program management?

This was last published in February 2009

Dig Deeper on Choosing security services

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.








  • CIO Trends #6: Nordics

    In this e-guide, read how the High North and Baltic Sea collaboration is about to undergo a serious and redefining makeover to ...

  • CIO Trends #6: Middle East

    In this e-guide we look at the role of information technology as the Arabian Gulf commits billions of dollars to building more ...

  • CIO Trends #6: Benelux

    In this e-guide, read about the Netherlands' coalition government's four year plan which includes the term 'cyber' no fewer than ...