Best and Worst Security Functions to Outsource

Which security functions are best handled by third parties, and which should be kept in-house? Experts weigh in.
Outsource: Network monitoring
Outsource: Vulnerability management
Outsource: Application security
Outsource: Forensics
Outsource: Litigation
Outsource: Identity governance
Don't outsource: Incident response and breach remediation
Don't outsource: Security strategy, architecture, and policy
The future of outsourcing

Security teams need more advanced people than they can find or afford. For many, outsourcing has become key to bridging the skills gap and addressing tasks they lack budget or talent to do.

Dark Reading's report "Surviving the IT Security Skills Shortage" found 45% of businesses don't outsource any of their security functions. Nearly 30% outsource a few hard-to-find skills and services, and 22% outsource some security functions while relying on third-party service providers for others. Six percent outsource most of their security tasks to third parties.

It's possible to outsource just about any security function, says IP Architects president John Pironti, but just because you can outsource doesn't mean you should. The question, he says, is where do you want your team to focus its time and attention?

"You have to calibrate expectations of what a third party will provide," he explains. "They will not have the same interest or passion in your world as you will."

Some security functions are best left in-house, Pironti adds, because they require intimate knowledge of business infrastructure and processes. Organizations will continue to master this balance as security threats evolve and multiply.

Outsourcing is more involved than simply passing off responsibilities to other people, adds Ryan LaSalle, global managing director for growth and strategy at Accenture. You have to work with providers to manage the functions you're outsourcing and how they're being performed.

No matter which functions you outsource, it's critical to define expectations and processes for your partner firm, says Pat Patterson, VP of enterprise security solutions at Optiv. Most of the time, companies end up disappointed because they didn't communicate what they needed.

"The better you as a customer can define expectations and requirements, the more prepared you will be to leverage that relationship," he explains.

Which functions to outsource, and which to handle in-house? Read on to see the experts' list of the most common and beneficial security functions to outsource, as well as the tasks that should be kept in-house.

(Which functions do you outsource, or which are you considering outsourcing? Let's keep the conversation going in the comments.)  

