Having recently been served a series of sharp reminders about the growing threat posed by cyber attackers, many CIOs have now turned a critical eye towards understanding their exposure to data loss.

What they are finding is that much of their data actually resides with, or at least flows through, a number of third-party service providers that are outside of the organisation's direct control.

As a result, many CIOs are now asking whether their data security can be successfully and reliably outsourced, and to whom.

Bringing in the armed guards

Before we can answer that, we need to look at the two different types of outsourced security.

The first is the use of third-party suppliers to provide security services within the enterprise. Some of the most common types are malware managers, email monitoring, firewalls and virus protection software.

For this type of security, outsourcing to third-party specialists is often a recommended option for organisations. Specialist third-party suppliers tend to service multiple large clients and are therefore able to spot threats and deploy responses far faster than isolated in-house teams.

Many of the larger outfits also invest significantly in R&D to deliver ever-increasing levels of security to their clients.

However, the security services market is also highly fragmented, leaving CIOs to work with an increasing number of different service providers in order to properly defend against a growing onslaught of new and emerging threats.

This may not remain the case for long.
HP's purchase of Fortify Software and ArcSight last year seems to indicate a move towards more consolidated security offerings in the future.

Locking down the cloud

The second type of security outsourcing relates to the day-to-day data flow that underpins the operations of almost every organisation.

This bit is often much more difficult to manage.

A large percentage of organisational data now flows through third-party suppliers who provide a range of services from data warehousing to customer analytics.

The emergence of cloud computing (or Outsourcing 3.0) only exacerbates the complexity by shuttling data from centre to centre, creating backups and artefacts across multiple systems.

In fact, in a report by KPMG and the e-Crime Congress, more than two thirds of the senior security professionals surveyed said that cloud computing would increase their risk of e-crime. Nearly nine out of 10 said that internet-hosted software such as webmail and enterprise social networks would pose an equal risk.

The answer is not to ignore the business opportunities — sometimes imperatives — surrounding outsourcing and cloud; nor is it simply to bury your head in the sand.

Out of sight, but not out of mind

Through greater use of outsourcing, CIOs have effectively been delegating their security management to a hodgepodge of disparate vendors that may include everyone from their CRM service provider to their website hosting service.

IT leaders would be well advised to remember that a supplier's ability to manage and store data does not necessarily reflect its ability to also protect that data.

That is not to say that data service providers are not secure; many successfully differentiate themselves based on their reputation for security.

However, it does mean that CIOs will need to go above and beyond simply including security clauses in outsourcing contracts in order to get peace of mind.

Often, the details agreed upon by those signing the
contracts either don't represent the reality on the ground, or are not properly communicated to the individuals or teams that actually provide the service. This may ultimately result in a mismatch between client expectations and what service providers are able to deliver.

Protecting the Crown Jewels

The other challenge facing CIOs is one of classification. Not all data requires the same level of protection and not all information holds equal value to the organisation.

But to properly classify and protect the organisation's Crown Jewels, CIOs will need to develop a better understanding of the sensitivity, value and risk profile of the enterprise's various data streams.

They must work across the business to develop appropriate protocols and controls to properly secure that data.

Unfortunately, there is no silver bullet in the offing.

Just as quickly as companies develop ways to plug the chinks in their armour, cyber attackers seem to move to develop new and more powerful assaults.

There is a degree of automation that is eventually developed to respond to most security threats, in the same way that spam filters automated elements of email security. But usually these are brought to market months or even years after the threat is first detected.

So, for the time being, the answer is that CIOs have to recognise that data security is an executive-level risk and responsibility for that risk cannot be outsourced.

Security therefore needs to be part of the organisation's overall sourcing strategy, with clear policies and oversight and assurance processes in place for service providers.

Because ultimately, it will be the CIO who will be called to the mat should the company's crown jewels go missing.