Many a times when considering cost reduction, Information security outsourcing often come up for discussions. Can we outsource information security effectively? Can it be as good as outsourcing the software development or business processing? Does it introduce any weaknesses to the information protection process?

When it comes to outsourcing, I strongly believe in the theory that you cannot outsource the responsibility. The responsibility lies with you or the business. The recent SEC guidance on the cyber security incidents and its disclosures, very well indicate that the responsibility lies with the business management. So if the business decides to outsource, can it be performed effectively?

An organization shall consider outsourcing if an appropriate value can be obtained for the function to be outsourced. In addition to the value creation, it should help the organization in reducing the risks, improving the business model and provide profitability. Outsourcing of the core functions of an organization will increase the risk and can have direct impact on the existence.

When it comes to information security outsourcing, it becomes very sensitive as information security function of an organization is an integrated activity across all its business functions, at least theoretically. As mentioned earlier, the core functions of your business should be with you and not outsourced. As long as information security is a core function within business, outsourcing should be avoided.

Take for example, software development in a bank is not an integrated function within its business. However, they need to have a small team of IT professionals available as part of the bank to ensure that the applications are running as expected. Here the software development function, application support and some of the infrastructure function are outsourced.

When considering the information security outsourcing, there are certain areas which can be outsourced. Some of the functions are listed below:

• Penetration testing
• Vulnerability assessments
• IT Security helpdesk
• One time exercises like building ISMS, implementing PCI DSS
• Consultancy on defining the framework for any specific information security activity

What you should not outsource

• Operating the Information Security Management System
• A key security function where the results cannot be measured effectively
• Security information and event management, especially if some of the critical functions are already outsourced

Information Security outsourcing has a high potential of failing in conditions where:

• There is no staff to monitor and measure the performance of the service provider
• The organization only relies on third parties for the required information security intelligence
• Data / Information is managed (operationally) outside the organization
• The focus of outsourcing is only to save some money, rather than the expertise needed. In this case maximum cost reduction would be the objective and would result in potentially bad contracts and agreements

To summarize, Information security outsourcing can be done provided there is a very detailed demarcation between what can be outsourced and what should not. The objectives of the organization should also be considered before taking decisions related to outsourcing the core activities of an organization.

Share your thoughts on how effective would it be?