When making a security outsourcing decision, you have to trust not only that the company can competently do the work, but also that the company itself is trustworthy. After all, you are handing them the keys to the kingdom.
A recent survey by the Computer Security Institute and the FBI found that security functions are increasingly being outsourced. The bigger the company, the more security functions are being outsourced.
Companies with an average revenue of less than $10 million outsourced 8% of their security functions overseas this year, compared with 4% last year. Midsize companies of $100 million to $1 billion in revenue also nearly doubled the work they sent offshore, from 7% last year to 13% this year. Large corporations with more than $1 billion saw the biggest increase in outsourcing, sending 15% of their security functions offshore, up from 9% last year.
The kinds of security functions you might look to outsource include:
* Third-party infrastructure security assessments. These activities are important and include vulnerability assessments, war dialing (using a modem to dial every telephone number in a local area to find out where computers are available, then attempting to access them by guessing passwords), perimeter scanning, scanning the internal network, including servers and desktops, and reviewing policies and procedures. Such reviews can include certification to standards.
* Management of security devices. The management of firewalls and intrusion detection and prevention systems, especially where round-the-clock surveillance is necessary.
* Application security reviews. These focus on customer-facing Web-based applications and other critical programs.
* Development and enforcement of information security policy. Outside expertise is valuable in establishing information security policy.
* Due diligence activities. Third-party assistance may be helpful when evaluating service providers or acquisitions.
Not everyone agrees with outsourcing security functions. See this anonymously written column from CSO online for a discussion of the worries and frustrations one chief security officer faced with the impending outsourcing of all security functions. There are also several good posts following the column. While the column is a bit emotional and clearly critical of the finance department for forcing the outsourcing decision for ROI reasons, it raises significant intangible or hard-to-quantify issues. These are things to think about for anyone in the process of making a security outsourcing decision.