Any vendor will tell you that trust is fundamental when it comes to outsourcing security. And even as they sell you on the notion of partnership, the truth is outsourcers have virtually no liability in the event of an actual breach.
"They operate on a termite inspector's warranty," says Gartner's Pescatore. "If I inspect your house for termites and tell you there aren't any, but your house falls down a week from now, I'll refund my fee for the inspection." To engender trust, some outsourcing firms offer guarantees of up to $50,000 in case their customers get hit by certain viruses and attacks. But as we've seen recently, severe attacks can cost a company a much steeper price.
The trust issue is not lost on Hanauer's Latalladi, whose relationship with ISS began more than nine years ago, when he worked at General Motors Acceptance Corp. Latalladi built his relationship with ISS gradually, piece by piece.
He brought ISS along when he moved to Hanauer six years ago, but he didn't hand over the keys to the kingdom right away: "I did small projects with them first, adding things slowly until I reached a trust level I was comfortable with."
Now, ISS handles device monitoring, intrusion protection, policy development and even threat response for the firm.
But trust can take you only so far. Though Latalladi is pleased with ISS, he admits that if his outsourcer failed him even once, he would take his business elsewhere.
"This isn't kids' play, and they understand that," he says. "One oversight or omission could spell disaster; I would be forced to leave them."
Pershing's Axelrod agrees: "There is an assumption that the more attacks you defend against, the better service you have. But it's actually how many you let through that's the most important. And anything other than zero is not good."
Because of this, it's imperative to have a solid service-level agreement that is reviewed often and enforced whenever necessary. Be sure your SLA clearly indicates how the outsourcer handles employee background checks (some outsourcers employ "reformed" hackers, for example, which is a cause for concern).
Find out how quickly they will notify you of a possible attack or respond to an intrusion (it should be no longer than 10 minutes) and how often they will perform system upgrades and install antivirus updates.
And don't forget that no matter how dependent you may become on your outsourcer, security is still ultimately your own responsibility. It's your company that would suffer from a security breach, so it should be your people who make the decisions around policies and procedures.
"Don't lose focus that this is a business relationship for the outsourcer," says Curry. "They are there to help their company succeed, not yours. In the end, you live and die by the terms you agree to up front."