An article by Kelly Sheridan on DARKReading today examines the current picture of information security outsourcing and functions that she says companies should and should not outsource. A quote from the article on security strategy and decision making:
If you need help with architecture and design, Pironti advises consulting resources rather than outsourcing the entire job. “Decision-making around security should never be outsourced,” he adds. “Anything you source, you should be able to bring back in-house if you have to.”
I didn’t really disagree with the article’s decisions – except that I think they missed a key point in making the outsource/in-house decision.
Those who’ve worked with me before know where I’m going with this, but the first critical question to ask about a service or function has nothing to do with the items in this list. That question is, who needs this function, and why?
Is it a generic business function that anyone in any industry needs, like email? Then start with the assumption it should be outsourced.
Is it a standard business function for your industry, but not really common beyond you and your competitors? Think document production or e-discovery services. In those cases, you should be neutral on the outsourcing question – make your decision on other factors such as economic benefits.
Or, the third and final possibility, is it a unique function of your business? Something that can be used to differentiate you from your competitors? In that case, fight strongly against outsourcing it. This can be a tough call, especially in situations where the function itself is not unique but the way your team does it stands out.
This relates to the last two items from the article’s list – Incident Response and Breach Remediation, and Security Strategy, Architecture, and Policy.
You could be forgiven for thinking I’m about to say something along the lines of “you should totally outsource those, to SmoothSailingSolutions!” But no, that’s not really where I’m going with this.
The decisions around these functions are critical, they absolutely must remain in the hands of the business owners and stakeholders. That doesn’t mean you must perform all the component functions, and unless your business is in the area of security and compliance, it’s probably best if you don’t. As I’ve said many times before – outsource the execution, not the responsibility or the authority.
(Now, for outsourcing the execution, you should absolutely give us a call.)