Bringing Security Back In-House

Sue Marquette Poremba

Outsourcing IT security isn't a new idea. I found an essay written by Bruce Schneier from 2002 where Schneier argues the case for outsourcing security. He wrote:

The primary argument for outsourcing is financial: a company can get the security expertise it needs much more cheaply by hiring someone else to provide it. Take monitoring, for example. The key to successful security monitoring is vigilance: attacks can happen at any time of the day, any day of the year. While it is possible for companies to build detection and response services for their own networks, it's rarely cost-effective.

Earlier this year, Kenneth Leeser echoed Scheier's point in an article at Network Security Edge:

First of all, it's a great way to get the security expertise that would be too expensive to hire and retain in-house.
The same goes for technology. A small company might not be able to afford to buy the best technology, but it can rent the use of the technology from a service provider.
Moreover, the company can get a broader range of solutions that otherwise might not be in the budget - solutions such as intrusion detection and prevention (IDP/IDS), antivirus and antispam, content filtering, encrypted email and secure VPNs.

However, a new report released by Ovum shows that CIOs appear to be rethinking the idea of outsourcing IT security. According to the survey, "CIO Investment and Outsourcing Priorities Have Shifted Post-Recession," 7 percent of the 500 companies surveyed,said they were considering outsourcing IT security over the next two years, down from 18 percent currently.


Why? It seems that while it might be less expensive to outsource security, changes in regulations and the severity of recent security breaches has left CIOs uncomfortable with letting someone else handle sensitive data. Rhonda Ascierto, senior analyst at Ovum, said:

The main reason for this shift away from IT security outsourcing is most likely a lack of confidence. Organizations are now more subject to compliance considerations in the form of both formal external and internal policy-driven requirements, particularly in the wake of the U.S .banking controversies and other financial scandals.

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


Add Comment      Leave a comment on this blog post
May 28, 2010 10:20 AM John John  says:

Let me begin by saying that I'm a huge Bruce Schneier fan, and I totally agree that our organizations should not outsource their security, especially to companies in foreign countries.

I'm a security practioner and I too occasionally blog on the subject of Active Directory Security, an important part of Windows security, and in our work we come across so many organizations who end up outsourcing their security to other companies.

In so many cases, these outsourced companies aren't really that good at what they do as well, and I wonder how much of a real gain the organizations that outsource security actually end up getting?

Thanks for your thought-provoking post - nice work!

May 30, 2010 9:56 AM Compromaster1 Compromaster1  says:

I think that network security is one of the most important aspects of keeping a companies information private.  There is obviously a huge monetary benefit to outsourcing security, but in a way outsourcing defeats the purpose of security. Because there is no way to monitor what goes on daily.  Attacks could happen at any time and by keeping this industry in house or local you have a more control over how quickly and efficiently they are solved. 


Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.

Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.