Outsourcing IT security isn't a new idea. I found an essay written by Bruce Schneier from 2002 where Schneier argues the case for outsourcing security. He wrote:
The primary argument for outsourcing is financial: a company can get the security expertise it needs much more cheaply by hiring someone else to provide it. Take monitoring, for example. The key to successful security monitoring is vigilance: attacks can happen at any time of the day, any day of the year. While it is possible for companies to build detection and response services for their own networks, it's rarely cost-effective.
Earlier this year, Kenneth Leeser echoed Schneier's point in an article at Network Security Edge:
First of all, it's a great way to get the security expertise that would be too expensive to hire and retain in-house.
The same goes for technology. A small company might not be able to afford to buy the best technology, but it can rent the use of the technology from a service provider.
Moreover, the company can get a broader range of solutions that otherwise might not be in the budget - solutions such as intrusion detection and prevention (IDP/IDS), antivirus and antispam, content filtering, encrypted email and secure VPNs.
However, a new report released by Ovum shows that CIOs appear to be rethinking the idea of outsourcing IT security. According to the survey, "CIO Investment and Outsourcing Priorities Have Shifted Post-Recession," 7 percent of the 500 companies surveyed said they were considering outsourcing IT security over the next two years, down from 18 percent currently.
Why? It seems that while it might be less expensive to outsource security, changes in regulations and the severity of recent security breaches have left CIOs uncomfortable with letting someone else handle sensitive data. Rhonda Ascierto, senior analyst at Ovum, said:
The main reason for this shift away from IT security outsourcing is most likely a lack of confidence. Organizations are now more subject to compliance considerations in the form of both formal external and internal policy-driven requirements, particularly in the wake of the U.S. banking controversies and other financial scandals.