At Least It Explains the Problem

There are a bunch of reasons to outsource information security. You can get specialists who have a broader range of experience than your own company. You can get an outside view of everything from how to read the various logs your system puts out to what anti-virus program to install. There may be a cost savings to have someone else be monitoring your systems along with several other companies at the same time.

There are a bunch of reasons that you don't want to outsource information security. When it hits the fan, you are still the one responsible (especially so now with Sarbanes-Oxley in force, the real rules of which we still do not understand and won't until it's been to court a few times). You have more control over your own people, and you can much more carefully monitor them. This is especially true if the outside company has reduced its cost by establishing the monitoring center in some place like India. You can much more easily check to see if your new employee has just come from a few years vacation in Marion, Illinois.

It would be interesting to see how outsourcing information security would be treated by upper management. It's a cinch that they wouldn't understand enough to make a valid decision. You have to make the decision yourself, and unfortunately then you have to live with it.

This book is just about the only one on this subject. The author reports on some good situations, and some that didn't turn out so well. If this is a decision you have to make, here's at least a good start.

Other Reviews

• A bit thin on the security-specific aspects of outsourcing
• OUTSOURCING INFORMATION SECURITY MAY POSE DIRE CONSEQUENCES FOR BUSINESS AND GOVERNMENT
• A Must Read!
• At Least It Explains the Problem