Security Outsourcing: How To Do It Right - InformationWeek


Security Outsourcing: How To Do It Right

Outsourcing your organization's information security can expose you to great risks. We show you how a well-planned strategy can realize benefits in cost, efficiency, expertise and peace of mind.

Security outsourcing is no panacea, however. Far from guaranteeing an airtight organization, a poorly planned engagement could expose your company to even greater risk. Yet if done right, it can provide tremendous benefits in terms of cost, efficiency, expertise and peace of mind.


Although most operational security tasks, such as updating firewall rules, monitoring event logs and applying patches, can be outsourced easily, functions such as risk management and governance should not be. Handing over sensitive company procedures and policies is a delicate matter, and many organizations would rather carry the risk themselves than trust a less interested party. Be sure to retain oversight by someone with authority within your company. Outsourcing is not a convenient way to put security "out of sight, out of mind."

[Figure: Offshore Savings Are Not Guaranteed]

No matter how skilled the contractors or how long you've worked with them, make certain your contract is rock-solid. Remember, your customers' very security is on the line--and you could face liability if it is compromised.

[Figure: Secunia Security Advisories]

The key to deciding whether outsourcing security is right for your business is to understand both the risks and the benefits. Security can be effectively outsourced if done properly and with due diligence. Knowing which questions to ask, and which security tasks should remain in-house, will require research.

To determine whether you'll see a savings, compare the bottom-line cost of a full-time skilled employee (including benefits, taxes and workers' compensation) with the cost of a yearly service contract. Some firms require a retainer fee in addition to the monthly fee. Also, take into account unexpected and after-hours support, which is rarely budgeted for and can eat up the potential savings.

Consider which functions the contractor should fill--for example, security-event monitoring (logs from different security devices), incident response, and the maintenance of remote access (VPN, dial-up), firewalls and IDSs/IPSs (intrusion detection/prevention systems). In addition, think about the role the contractor will play in design, engineering and operations. Because the bulk of the work is performed at the daily operations level and accounts for the largest share of your budget, you might look to outsource this area first while keeping the design and engineering functions in-house.

[Figure: Affordable IT Tips]

Many businesses outsource the support and maintenance of perimeter security, such as the firewalls that sit between the internal company network and the Internet. Perimeter security is the most commonly outsourced function because it requires strong infosec knowledge and carries a relatively high risk to the company if it's done incorrectly. These firewalls usually don't change very often, but they require an experienced handler; a misconfiguration can expose internal network systems.

Outsourcing the monitoring of event logs from IDS/IPS, firewalls and other security devices may be wise. Because attacks don't keep business hours, having a 24-hour presence to maintain vigilance and respond to incidents can be appealing, especially for small and midsize businesses that might not have the resources to find qualified security specialists willing to work holidays or the graveyard shift. For example, when the Microsoft SQL Slammer worm struck several years ago, it affected companies of all sizes--and no matter how big or small you are, if you can't work, you can't make money. Although some technologies, such as SEM (security event management) tools, provide basic alerting based on predefined rules, they are no match for the judgment of a live analyst.
