There are many reasons to consider outsourcing IT security. The success of the engagement depends on matching your stakeholders’ requirements against the provider’s capability. A successful provider will both satisfy the technical requirements and meet the expectations of the stakeholders.
The broad groups into which such projects fall are:
Companies that supply security outsourcing solutions tend to be focused in the following areas:
- Assessment-oriented: These are often audit consultancies that are focused on IT security assessment as part of a compliance or risk management engagement. They fit best when senior business management is the primary stakeholder. The analysis will put IT security in the context of the broader compliance or risk environment in which the enterprise exists.
- Solution-oriented: These are usually technology providers. They fit best when the engagement involves the domain their security technology addresses, such as SIEM for security compliance, and the stakeholders are the security or operations groups related to those domains.
Of course, there are large providers that supply every service under the IT security sun, but midsize enterprises can often ill afford them and also suffer from the lack of focus.
As with any IT project, the steps to success are:
1. Ask yourself, “Who are the stakeholders, and what are they looking for?”
2. Select a partner that best fits these needs.
3. Measure twice and cut once.