Outsourcing components of information security is achievable, but often there is a significant gap between the intent of an outsourcing and what it results in.
As information systems have become more technical in nature, the number of ways in which they can operate incorrectly has increased. The methods for detecting incorrect operation require more specialist knowledge and thus are less widely understood. If George writes down a request for product on a purchase order and signs it, most recognise the order is as good as the signature and so require that it be validated by a witness or prior knowledge.
(Not to mention the common law supporting correct practice) If, however, George emails a purchase order number, most will not appreciate that email can be forged unless signed using a valid asymmetric cipher and a key of appropriate length, validated by a PKI hierarchy of suitable repute. If a malicious party is controlling George's PC, there certainly isn't a courtroom that will be able to review all of George's countermeasures and decide whether he is to blame or not for the fake purchase order. (Risking inconsistencies and flawed reasoning in common law) In short the appropriateness of information security practices are harder for the masses to understand. (Adequate legislation would simply provide another authority no one understands.) As with all other domains, businesses need to decide what is their suitable level of investment in information security.
Factors that contribute to such decisions include legal obligations, cost/benefit analysis, risk analysis and less tangible benefits such as ethical obligations. Unfortunately, applying each of these factors to technology requires an understanding of the technology and the operational practices that support it. A person with this level of understanding is rarely empowered with significant delegated financial authority.
To allow delegated financial authorities to effectively fund information security without having to understand the underpinning technology, relevant factors are often translated into commonly understood currency such as risk and money. This translation is however often incomplete and always requires further interpretation. It is very difficult to place a dollar value on publishing an advisories page on your website to decrease the possibility of a phishing attack. If risk analysis is used then the likelihood of a phishing attack is largely irrelevant as the impact could be the total loss of all information assets (Impact = "Catastrophic") and thus the risk rating is "Extreme" for all but the rarest of events.
With such a hobbled method for decision making and an apparent risk to the business, it is commonplace to take the view that it is better to do something rather than nothing. Firewalls are purchased and IDS installed at great expense. A lot of the countermeasures purchased may meet an obvious requirement to the trained engineer, but the level of investment is often not balanced. In the interests of doing something an appliance may be purchased. The level of risk may warrant a significant allocation of funds, but it often isn't achievable to distribute those funds across all desirable initiatives. Initiatives can be complex in themselves or the impact of them difficult to grasp (for example the advisories page). Delivering an appliance gives the business something tangible for its money and doesn't require further explanation. The appliances demonstrates that something is being done and gives a line item on a budget demonstrating that the business is addressing security.
Sign up for Computerworld eNewsletters.