informa
Commentary

Outsource Security Carefully, And Carry A Big Audit Plan

Are IT managers desperate if they outsource security?

That's the provocative question Larry Greenemeier asks in today's issue of InformationWeek. His conclusion? A resolute no. In fact, hiring an independent service provider might just be your best bet for staying safe in the midst of rising threats against malware, hackers, and internal saboteurs.It's a good question, though. After all, handing over the job of keeping your all-important networks, systems, and data safe can seem like an act of last resort, acknowledging-as Greenemeier points out-that the job is simply too much for you. Yet isn't it better to make such an acknowledgement and seek appropriate help rather than denying evidence that you may be putting your organization at risk?

Still, outsourcing shouldn't be done casually and without stepping exceedingly carefully through the vendor selection process. Greenemeier outlines the minimal actions you must take with this regard.

One thing he doesn't mention, however, which should be at the top of any IT professional's list: active risk management of vendors using independent third-party auditors. And a just-released study by Ernst & Young indicates that IT managers are woefully unprepared when it comes to protecting themselves against incompetent, unskilled, or generally ineffectual third-party security service providers. Only 14 percent of the 1,200 global IT professionals surveyed have formal security risk management procedures in place that are properly validated by auditors. And let's face it: independent auditing of vendor effectiveness is the single-perhaps the only-way to sleep at night when outsourcing something as important as security.

Indeed, although 60 percent of the survey participants who had outsourced information security activities already--or who were planning to do so--said they were doing it to focus valuable IT resources on other key areas, most were "overwhelmingly emphatic" about their determination not to outsource security functions because of the risks involved.

What do you think? Have you outsourced all or part of your security activities? Why or why not? Let me know what you think by responding below.

Recommended Reading: