Considering outsourcing security management of your data vs. keeping it in-house? InformationWeek.com and DarkReading.com’s report on Finding the Right Security Outsourcing Balance sheds some light on the benefits and potential pitfalls of outsourcing, as well as the criteria your organization needs to have for any potential providers in order to keep security at a premium.
The report recommends asking potential providers questions that speak directly to their level of experience, expertise, employees and workflow:
- How long has your company been in business, and on average, how long have your current employees been employed?
- Do you perform background checks on employees, and if so, what type of checks?
- What kind of security certifications and experience do your employees have?
- Is there any type of ongoing training to keep employees updated on the latest vulnerabilities and threats, and how to mitigate them?
- Are your employees trained on how to handle sensitive data to avoid a data breach?
- Will it be easy to integrate with your company’s services?
- Can you provide sample reports and documentation of your processes?
- Who has access to my information?
- Is data stored, sent or processed offshore?
Other well-known advantages of outsourcing include no capital investments; monthly or annual fees for operational costs (vs. managing staff, training, equipment maintenance, etc.); expert knowledge resources; responsive, proactive and focused support; ease of scalability and more.
When it comes to cloud computing outsourcing concerns, 50 percent of respondents in a survey of business technology and security professionals were most concerned about unauthorized access to or leak of customer data, slightly up from 48 percent in 2011. The next concerns were security defects in the technology itself (48 percent) and unauthorized access to or leak of proprietary information (43 percent).
The study also asked organizations whether they performed their own risk assessment of cloud providers. Nearly 29 percent responded that yes, they perform their own audits, while 15 percent said they did not conduct any risk assessment of their cloud provider at all. Fourteen percent use the providers’ self-audit reports to conduct their assessment. An alarming 9 percent said they wanted to conduct their own audits, but reported providers as being generally uncooperative.
Outsourcing comes with a variety of advantages, including significant cost savings, but balancing security and compliance concerns (PCI, HIPAA and SOX) at the same time can be a struggle. If you’re seeking more information about outsourcing vs. in-house security, read our HIPAA Compliant Data Centers white paper.