Outsourcing IT security has never been popular among IT professionals. The topic has always caused controversy. But according to research and analysis firm Ovum, headquartered in London, now even fewer CIOs think outsourcing IT security is a good idea.
Ovum surveyed more than 500 CIOs around the world. Of those, only 7% said they were considering outsourcing IT security over the next two years, down from 18% currently. The findings are part of a new report entitled CIO Investment and Outsourcing Priorities Have Shifted Post-Recession.
Ovum senior analyst Rhonda Ascierto attributes the planned reduction in IT security outsourcing to a lack of confidence. “Organizations are now more subject to compliance considerations in the form of both formal external and internal policy-driven requirements, particularly in the wake of the U.S. banking controversies and other financial scandals,” she said in a prepared statement.
Ovum cites several other reasons for the unease: the difficulty in obtaining measurable security metrics from outsourcing providers, the desire for organizations to gain greater control over their own IT operations, and contractual clauses from outsourcers that often do not give the quantitative assurance organizations want.
I don’t think Ovum’s findings are terribly new, but it is interesting that there are now fewer of the small number of organizations that were willing to outsource security to begin with. I agree with all of Ovum’s assessments, particularly the new-ish concerns regarding the current regulatory climate, in which state and federal legislators are looking to hold organizations more accountable for their operations, particularly with regard to finances. And of course, most IT organizations have smaller budgets—a fact that has impacted IT outsourcing overall.
But as I said, outsourcing IT security has always been controversial and suspect. Consider a survey of about 480 security professionals conducted by the Computer Security Institute in late 2007. When asked what percentage of computer security functions were outsourced in their organizations, 61 percent of respondents answered “none.” Those surveyed represented a broad spectrum of industries, such as finance, transportation, retail, education, telecom, and government.
Just a tiny group—only 5 percent—had outsourced more than 60 percent of their computer security functions. And only 2 percent had outsourced more than 80 percent of their functions. When the annual survey was conducted that year, CSI noted that the results related to the question of outsourcing security hadn’t changed in the three years since they started asking it.
I’m interested to hear from you all. Does your organization outsource any of its IT security functions? If so, how much? Why? If not, why not?