The decision to outsource security services is doubly difficult. You must trust that a third party can competently protect the information assets of your firm but also recognize that a third party has the knowledge to do you harm. Even so, many midmarket companies don't have a choice about turning to outside help in implementing sophisticated information security functions. Such expertise can be extremely difficult to hire, and smaller companies struggle to justify the expense.
So what specific security functions should a midsized company consider for outsourcing?
While the cost of certification depends on factors such as the number and size of your IT facilities, you can expect to pay in the low six figures, with slightly lower ongoing costs to maintain certification. These certifications are reassuring for online customers, business partners and corporate customers. Employing a full-time, specialized staffer for this work is often impractical.
Application security reviews. These functions usually require outside knowledge, and it's difficult to find staff to manage them. Such reviews focus on your most critical computer programs, particularly customer-facing, Web-based ones. Midmarket companies often build proprietary applications, modifying commercial products or installing off-the-shelf software. Each must be tested thoroughly and regularly.
Due diligence activities. Third-party assistance is also advised when your company is engaged in a due diligence exercise requested by a service provider. Due diligence covers everything from the provider's financial health to the resilience of its technology infrastructure and physical security. Frequently, smaller companies don't have the internal expertise for such reviews, so bringing in a qualified consultant is worth the cost. For internal resources, consultants and travel, one can expect to spend between $10,000 for a local vendor and $50,000 for a distant vendor with several facilities.
Development and enforcement of information security policy. Outside expertise is valuable in information security policy, which is so specialized that even your internal legal counsel may not be qualified to judge it. The Web offers sample security policies, but it's important to have expert opinion on whether the policy addresses all relevant laws and regulations.
Management of security devices. Finally, the management of firewalls, intrusion detection and prevention systems is often targeted for outsourcing, especially where round-the-clock surveillance is necessary. Since these service providers guard the gates to your enterprise, check their references. And retain internal expertise to keep a watchful eye on the outsourcer. Staff your oversight function with people knowledgeable enough to respond to an outsourcer's alerts.
C. Warren Axelrod is a security officer at a midsized subsidiary of a major financial institution and the author of Outsourcing Information Security. Write to him at Podium@ciodecisions.com.
This column originally appeared in the February issue of CIO Decisions magazine.