Reader question: I'm the IT manager in a small business. Would it just be easiest and quickest for me to outsource IT security to a managed service provider?
Tom Scholtz, research vice president at Gartner, says:
Outsourcing operational security activities to a managed security provider is a valid strategy, as long as some basic principles are adhered to.
First, you can never outsource the accountability for protecting the organisation’s information resources. Outsourcing the operational activities does not absolve the organisation from its responsibilities toward all its stakeholders. For example, if personal financial information is compromised because the security provider failed to detect a security breach, the client organisation will be held accountable by the customer, not the security provider. Hence, it is imperative that the client organisation retains a clearly defined role for managing overall security strategy, for making important risk mitigation and breach response decisions, and for ongoing management of the relationship with the service provider.
Second, never outsource what you don’t understand. An effective outsourcing relationship is based on a clear mutual understanding of the nature of the service requirements and deliverables. Outsourcing a security function that you don’t understand is a recipe for frequent misunderstandings with your provider and paying above the going market rate.
So, yes, security outsourcing is a valid strategy for smaller organisations. Indeed, Gartner research indicates that customer satisfaction with managed security services in Europe continues to improve as service delivery matures. But it is important to remember that it is not a silver bullet for getting rid of all security responsibilities.