Outsourcing to Third-Party Security Services No Longer Taboo?
There was a time, not so very long ago, when outsourcing security services to third-party companies was seen as risky business. But in today’s economy, outsourcing security services has become more the norm than the exception, with companies asking themselves, “why didn’t we do this before?”
Compliance—that’s why.
In the past, many companies were so concerned about being compliant or working with compliant companies that cost was a secondary concern. Compliance was an especially big issue for companies that wanted to work with government agencies because if they didn’t meet compliance standards, they would oftentimes lose a potential contract.
But is compliance really all it’s cracked up to be?
While there needs to be a standard for security, the problem with compliance is that after a while, you have people thinking, “what’s the minimum amount I need to do to be compliant?” When that happens, you don’t have people trying to make themselves secure; you have them trying to meet a set of requirements.
Think of it like a test: If you have a study guide of everything that’s going to be on a test, you can study that material for days and be fairly confident about acing the test. But did you really learn the material? You may have learned parts of it, but it’s unlikely that you have a good understanding of it or that you can apply it in a practical way. What use are facts if you can’t use them?
Unfortunately, compliance practices have become very similar—people are eager to meet the requirements and “ace the test,” but they have no clue what the requirements or the “answers” mean. Keeping that in mind, is it really a good idea to be outsourcing security practices, even if compliance is now taking the back seat compared to cost?
Maybe, but it depends on a company’s willingness to assess the potential risks associated with outsourcing sensitive security information.
When outsourcing, there are a lot of risks because you’re taking your company’s data and entrusting it to outside vendors. But the information doesn’t just stop at the vendors: oftentimes, vendors will also outsource or contract out to other companies to complete large projects. While that doesn’t need to serve as a deterrent, it should serve as a warning.
While outsourcing definitely provides savings in these hard economic times, companies and security professionals need to take it upon themselves to learn about the third-party companies they plan on working with. Be careful about who you choose, and get an understanding of how the data sharing is handled and who the third-party company will be sharing your data with.
Read the fine print, and don’t be afraid to dig a little deeper; if something doesn’t feel right, be sure to scope it out. Because while the monetary savings might seem great, you’re not really saving anything in the end if you have to do damage control later on because the third-party company you chose to work with was untrained or untrustworthy. You can read more about the outsourcing debate on DarkReading.com.
How do you feel about outsourcing? Do you think it’s worth the money you save, or is it nothing but a headache?


