Outsourcing security tasks brings controversy

When it comes to outsourcing security functions, skepticism still rules the day for many users. The idea of handing over control of network security to an outside firm paid to maintain gear, monitor for attacks, perform scans, collect logs or update security software for employees is, to say the least, controversial.

Security managers are split on the issue, arguing it's either a boon or bane for the company. According to advocates, outsourcing security gives in-house IT staff a chance to be freed up from mundane tasks to deal with more strategic matters without having to take on additional staff. The naysayers worry that outsourcing means losing sight of security risks because outsiders will mechanically follow a contract without thinking critically enough. Whether outsourcing is cost-effective is part of the debate, too, but the central question of control stirs the greater emotion.

Those bullish on security outsourcing say it's a way to move their in-house security specialists, already in short supply, into more strategic jobs while making sure everyday tasks get done.

"We either have to bring in more internal IT people or get other people through outsourcing security services," says Andre Gold, lead, IT risk management in the North American arm of ING, the Holland-based global financial services firm.

Click to see: Survey shows most opposed to outsourcing security.

Gold says tasks such as patch and vulnerability management tasks or antivirus support are consuming a lot of staff time that might be better used in strategic risk-management operations for online business goals with partners and customers, for instance.

"I'd rather push the ING people up the ladder," Gold says, noting that next month ING expects to select at least one security outsourcing provider — it may be offshore in India or elsewhere — for large, multiyear contracts to handle a wide variety of data and network-security management remotely.

"I call it security right-sourcing," Gold says, adding that ING already outsources some IT maintenance and application development. Consequently, advocating security outsourcing was not a culture shock at the company. Gold says he expects security outsourcing to prove cost-effective over adding in-house staff, but he says in this case, it's not the primary motivator for doing it.

Paul Simmonds, chief information security officer at global chemicals manufacturer ICI, says he's more inclined to stick with in-house staff for security because "when something goes wrong, does that outsourcer really understand how it impacts your business? I'd say, no they probably wouldn't." But on the other hand, Simmonds notes that ICI has benefited from security as a service from providers Qualys, MessageLabs and ScanSafe, which have taken on tasks such from vulnerability scanning to antimalware prevention.

But security outsourcing still tends to elicit negative views.

"My bias is against it," says Jon Gossels, president of consultancy SystemExperts, which advises corporations on security strategy, with a focus on regulatory issues.