Network World

Warning: Accountability should not be outsourced

By Melissa Chua, CIO, 12/05/2007

Outsourcing certain aspects of an organization's security measures makes economic sense, but its core should be kept in-house. So says George Wang, Group Head of Chief Architecture Office, Asia, and Global Head of Technical Policies and Standards, for Reuters Asia.

Reuters gathers and disseminates news, financial and economic information to news organizations, banks, corporations and brokers across the globe, relying heavily on IT to do the job.

'Standardization simplification' is how Wang describes his challenging role, which has him responsible for security architecture, technical governance and policy standards.

"I define what you can and can't do in terms of policy with the aim of helping the business to reduce cost through standardization," he says. "We take a balanced approach and try to standardize our desktop operating environment so there's a common base of security."

'Not too draconian or too loose,' is how Wang describes the balance that always has to be struck between business security and practicality. He meets regularly with other CSOs, and believes that many industry players outsource security, hoping to reap the benefits of economies of scale.

"It's not economical for the organization to keep a very specific skill set such as penetration testing, because the utilization rate will not be that high," he points out. "Neither is it practical to have a team of 10 testers in-house when they don't have to do that job every day. It would be reasonable to outsource such functions."

So what functions should or should not be outsourced?

Take a layered approach

"If you take a layered approach to security, a lot of day-to-day monitoring on the outside layer can be outsourced," says Wang. "But the core security, in terms of risk management and the monitoring of the core back-ends, is still very much internal," he continues, with emphasis on 'core'. "I think that's probably the right balanced approach; you filter a lot of noise but you look at it more seriously when it hits your next layer of defense."

According to Wang, a successful working relationship with an outsourcing vendor involves a variety of factors. "You have to look at them as a partner, not as a commodity. There's always the danger of squeezing them too much."
