Outsourced Security: An Idea CIOs Loathe
Coan, like many of his colleagues, handles his own security and has no plans to change that approach.
"It's on me as the CIO to ensure that all the positive steps are taken to secure the data and our systems. While any IT endeavor must be driven by the business it supports, there is a philosophical issue here," he says.
Coan is not alone. According to this month's CIO Insight survey, only 14 percent of companies currently outsource securityand only 1 percent plan to within the next 12 months.
Furthermore, Forrester Research Inc. reports that 52 percent of companies wouldn't consider delegating even a single portion of security to an outside party.
There are many reasons why CIOs hesitate to join forces with security outsourcers, which offer everything from network management and vulnerability assessments to intrusion detection and firewall protection. Some of the fears are rational, some are not.
But perhaps the most powerful deterrent is the fear of losing control, suffering catastrophic losses, and winding up on the front page of the Wall Street Journal. "It takes a fair amount of courage to entrust your security to a third party," says C. Warren Axelrod, director of global information security at Pershing LLC, a Jersey City, N.J.based clearinghouse for financial information, and author of Outsourcing Information Security (Artech House, 2004).
Despite the fears, outsourcing at least parts of your IT security infrastructure makes sense, especially for large companies. Outsourcers have a broader handle on the most recent worms and viruses sweeping the Web, and employ teams of security experts who can track how those threats move across the globe, giving them time to protect your systems before they can be affected.
They also generate detailed reports on how your security infrastructure is performing, which can make complying with the 2002 Sarbanes-Oxley Act and the 1996 Health Insurance Portability and Accountability Act easier. Of course, the cost savings always come in handy as well.
But outsourcing security will always be a leap of faith. Though vendors claim that outsourcing security is no different from handing over any other business process, security breaches generate something transaction processing errors rarely do: loads of bad press.
And no outsourcer will accept complete financial responsibility for a security mishap. All of which means that when you tiptoe down this road, be sure to bring your lawyer along and structure an airtight service-level agreement. Remember, it's only your career at stake.