IT security managers should only outsource what systems they understand says ISACA

Leek, a senior member of ISACA, the not-for-profit IT security association, says that there are two key questions he plans to discuss in his presentation - what IT security services should I outsource, and what should I not outsource.

"You should only outsource what you understand. This is crucial to your IT security defences," he said, adding that some areas of IT security also need to be monitored 24x7, making them ideal for outsourcing, providing the IT security manager understands the technology involved.

The most important thing about outsourcing and security, he went on to tell Infosecurity, is that organisations must have a governance model in place.

"My observations suggest that as many as 1 in 5 outsourcing projects fail due to lack of an effective governance policy," he explained.

IT managers also need to be aware that, whilst you can outsource the service or technology, you always retain the risk. "You cannot outsource the risk", he says.

According to Leek, regardless of whether an outsourcing facility is available, businesses can never securely outsource a Tier 3 or Tier 4 service, as this is too dangerous.

"Tier 2? No problem. I can wrap the service level agreement around the outsourcing service and you still save money into the bargain," he said.

Finally, Leek advises IT professionals to think carefully before they outsource any major aspect of their operations.

"You need to think carefully and plan ahead. It is also important to create a test environment for all systems that may be outsourced, as you can then check what effects the test platform has on your other business IT systems," he said.

Jay Leek, CISA, CISM, vice president of international security for Equifax, will be giving a talk entitled 'Outsourcing IT Security: Multiple Perspectives' at ISACA's EuroCACS event, which takes place on March 20/23 in Manchester.