Regardless of the security function being outsourced, testing should be an ongoing assurance measure. Operational teams should be subject to social engineering attempts and mock incidents to ensure their response is appropriate. Known vulnerabilities should be built into applications before commencing penetration testing to ensure they are reported on. Testing is, of course, required even when security is wholly sourced from within, but it does not need to include testing the competence of an outsourcer, since the competence of internal staff should already be well understood.
The major issue with outsourcing aspects of information security is that while intent may remain the same, assurance is greatly reduced. This is best illustrated by considering the two extreme cases.
In an organisation with a complete internal security capability, there would be an independent security group that reports to the highest levels of management, if not the board.
Among other things the group acts as a watchdog, providing assurance that the health of different areas of the business is being reported correctly and completely. The network team should highlight security issues (among others) and the security team should ensure this happens. Security staff are contractually bound as individuals and given incentive through their remuneration to perform the tasks completely and correctly.
In an organisation where information security is wholly outsourced, everything is one step further away. The contract is with a limited liability company with unknown recruitment strategies, which may in turn subcontract a number of functions. There is typically limited opportunity to evaluate the individuals doing the work, even if they can be identified. The incentives given to the outsourcer's staff are unknown and may contradict the intent of the function being outsourced.
The security of any business area that lacks controls providing assurance is low. While having good assurance controls around the integrity of an outsourcing agreement is possible, these controls are typically more expensive than if the function were sourced from within. This is one of the overheads of effective outsourcing.
There is one major caveat that needs to be taken into account: people need to care about security. It sounds obvious, but this is often the largest influence on the quality of security services.
Toyota does not put jacuzzis in its Hiluxes, because its customer base doesn't demand it. I am sure if you asked any Hilux owner whether they wanted their truck to have a jacuzzi (with no cost or loss of function) they would welcome the feature. There is nothing like having a hot soak in the back country after a day of fencing.
End users need to demand security and not simply accept the "brochureware". They need to demand proof (assurance) that what they are getting is secure. When this happens, companies will take note and react to the market demand. Company management also needs to take responsibility, if for no other reason than an ethical obligation. Management should demand more than a monthly pie chart and take an interest in the security of their organisation.